User Guide

130
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
No information available from a previous HTTP request. When the Web Proxy has no credential information for the client, then it fails the HTTPS request.

Cookie-based authentication surrogates and transparent requests. When the appliance uses cookie-based authentication, the Web Proxy does not get cookie information from clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get the user name from the cookie. In this situation, HTTPS and FTP over HTTP requests still match the Identity group according to the other membership criteria, but the Web Proxy does not prompt clients for authentication even if the Identity group requires authentication. Instead, the Web Proxy sets the user name to NULL and considers the user as unauthenticated. Then, when the unauthenticated request is evaluated against the non-Identity policy groups, it only matches non-Identity groups that specify “All Identities” and apply to “All Users.” Typically, this is the global policy, such as the global Access Policy. For a diagram of how this occurs, see Figure 7-3 on page 134.

Cookie-based authentication surrogates and explicit requests. The behavior is different, depending on whether or not credential encryption is enabled:

  Credential encryption enabled. The behavior is the same as cookie-based authentication with transparent requests, as described above.

  Credential encryption disabled. The Web Proxy uses no surrogates and HTTPS and FTP over HTTP requests are authenticated and matched to Identity groups like HTTP requests. For a diagram of how this occurs, see Figure 7-2 on page 133.

Table 7-1 summarizes the information described above.

Table 7-1 Matching HTTPS and FTP over HTTP Requests to Identities

| Surrogate Types | Explicit Requests | Transparent Requests |
|---|---|---|
| No Surrogate | HTTPS and FTP over HTTP requests are matched like HTTP requests. | N/A |
| IP-based | HTTPS and FTP over HTTP requests are matched like HTTP requests. | FTP over HTTP requests are matched like HTTP requests. HTTPS requests are matched like HTTP requests only if a previous HTTP request was authenticated, otherwise, the request fails. |
| Cookie-based | Client is not prompted for authentication. Note: When credential encryption is disabled, no surrogates are used and HTTPS requests are matched like HTTP requests. | Client is not prompted for authentication. |
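
The matching rules in Table 7-1, modelled as a small Python sketch (an added example, not part of the original guide or of AsyncOS; the function names, outcome labels and sample policy groups are assumptions made for illustration). It shows which non-Identity policy groups a request can still reach once the Web Proxy treats it as unauthenticated:

```python
from dataclasses import dataclass

@dataclass
class PolicyGroup:            # hypothetical model of a non-Identity policy group
    name: str
    identities: str           # "All Identities" or one Identity group name
    users: str                # "All Users" or a narrower user selection

def resolve(protocol, mode, surrogate, cred_encryption=False, prior_http_auth=False):
    """Outcome for an HTTPS or FTP over HTTP request per Table 7-1:
    'like_http', 'fail', or 'unauthenticated' (user name set to NULL)."""
    if protocol not in ("https", "ftp-over-http"):
        raise ValueError("Table 7-1 covers HTTPS and FTP over HTTP only")
    if mode not in ("explicit", "transparent"):
        raise ValueError(f"unknown request mode: {mode}")
    # Explicit request, cookie surrogate, credential encryption disabled:
    # the Web Proxy uses no surrogate at all.
    if surrogate == "cookie" and mode == "explicit" and not cred_encryption:
        surrogate = "none"
    if surrogate == "none":
        if mode == "transparent":
            raise ValueError("listed as N/A in Table 7-1")
        return "like_http"
    if surrogate == "ip":
        if mode == "explicit" or protocol == "ftp-over-http":
            return "like_http"
        # Transparent HTTPS depends on an earlier authenticated HTTP request.
        return "like_http" if prior_http_auth else "fail"
    if surrogate == "cookie":
        return "unauthenticated"   # client is never prompted
    raise ValueError(f"unknown surrogate type: {surrogate}")

def reachable_groups(outcome, groups):
    """Names of the policy groups the request can still be evaluated against."""
    if outcome == "fail":
        return []
    if outcome == "unauthenticated":
        return [g.name for g in groups
                if g.identities == "All Identities" and g.users == "All Users"]
    return [g.name for g in groups]   # normal evaluation, as for HTTP

# Constructed sample policy groups (not taken from the guide).
GROUPS = [
    PolicyGroup("Finance Access Policy", "Finance", "Authenticated Users"),
    PolicyGroup("Global Access Policy", "All Identities", "All Users"),
]
```

For a transparent HTTPS request under a cookie surrogate, `reachable_groups(resolve("https", "transparent", "cookie"), GROUPS)` leaves only the global policy, even when the matched Identity group requires authentication.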