Cisco Cisco Web Security Appliance S670 故障排查指南

Contributed by Sebastian Dullinger and Siddharth Rajpathak, Cisco
TAC Engineers.
Aug 13, 2014

Question
Environment
Symptoms
Step 1: Create a Custom URL Category
Step 2: Add a New Identity
Step 3: Add the New Identity to an Access Policy
     Workaround for Using an Existing Access Policy
     Workaround for Using a New Access Policy

Why does the Teamviewer Agent not work when authentication is enabled on the Cisco Web Security
Aplliance (WSA)?

Cisco Web Security Appliance (WSA), and any AsyncOS version.

The Teamviewer Agent times out and accesslogs shows entries which contain 401 or 407 errors indicating
"Proxy Authentication Required".

The Teamviewer Agents do not work with authentication −  meaning when the WSA requests for
authentication from the TeamViewer application, the application may not provide the domain credentials. So
it is necessary to exclude it from authentication.

The authentication exemption is required if WSA is configured to use Cookies as surrogates in Identities (GUI
> Web Security Manager > Identities).

If Identities are configured to IP address surrogates, then the below steps may not be required because the
client's credentials are cached for a period equal to Surrogate Timeout (default = 1 hour) once they access any
website(s) using their browser.

Note: In Explicit mode (using PAC file or browser proxy settings), please ensure that the Apply same
surrogate settings to explicit forward requests option is checked

• 

We can still use the below steps to bypass authentication if we intermittently see 401s/407s in access
logs while accessing Teamviewer.

•