IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
The following subsections describe these methods of authentication in more detail.
Explicit Forward Deployment, Basic Authentication
When a client explicitly sends a web page request to a Web Security appliance deployed in
explicit forward mode, the Web Proxy can reply to the client with a 407 HTTP response
“Proxy Authentication Required.” This status informs the client that it must supply valid
authentication credentials to access web resources.
The authentication process comprises these steps:
1. Client sends a request to the Web Proxy to connect to a web page.
2. Web Proxy responds with a 407 HTTP response “Proxy Authentication Required.”
3. User enters credentials, and client application resends the original request with the
credentials encoded in Base64 (not encrypted) in a “Proxy-Authorization” HTTP header.
4. Web Proxy verifies the credentials and returns the requested web page.
Table 16-4 lists advantages and disadvantages of using explicit forward Basic authentication.
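The following is an added example, not code from this guide. It shows step 3 from both sides: building the "Proxy-Authorization" value and recovering the credentials from a captured request without any key, which is why Basic credentials count as clear text. The host, user name and password are constructed sample values, and the function names are hypothetical.

```python
import base64

def build_proxy_authorization(user: str, password: str) -> str:
    """Step 3: the header value a client sends after the 407 challenge."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_proxy_authorization(value: str):
    """Return (user, password) from a Basic header value, or None if it is
    another scheme or malformed. No key is needed: Base64 is an encoding."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def credentials_in_request(raw_request: bytes):
    """Scan one raw HTTP request for a Proxy-Authorization header."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authorization":
            return parse_proxy_authorization(value)
    return None

# Constructed sample: the resent request from step 3 (hypothetical values).
SAMPLE_REQUEST = (
    "GET http://www.example.com/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"Proxy-Authorization: {build_proxy_authorization('jsmith', 'p@ss:word')}\r\n"
    "\r\n"
).encode("ascii")

if __name__ == "__main__":
    print(credentials_in_request(SAMPLE_REQUEST))
```

Because the header is resent with every request, the same check applies to any request on the client-to-proxy segment, not only the first one after the 407.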
Transparent Deployment, Basic Authentication
The 407 HTTP response “Proxy Authentication Required” is allowed from proxy servers only.
However, when the Web Proxy is deployed in transparent mode, its existence is hidden from
client applications on the network. Therefore, the Web Proxy cannot return a 407 response.
To address this problem, the authentication process comprises these steps:
1. Client sends a request to a web page and the Web Proxy transparently intercepts it.
Table 16-3 Methods of Authentication (Continued)
Web Proxy Deployment | Client to Web Security Appliance | Web Security Appliance to Authentication Server
Explicit forward | NTLM | NTLMSSP
Transparent | NTLM | NTLMSSP
Table 16-4 Pros and Cons of Explicit Forward Basic Authentication
Advantages:
• RFC-based
• Supported by all browsers and most other applications
• Minimal overhead
• Works for HTTPS (CONNECT) requests
Disadvantages:
• Password sent as clear text (Base64) for every request
• No single sign-on