ProxySG & Advanced Secure Gateway

  • 1.  ProxySG-Authentication method

    Posted May 22, 2018 11:58 PM

    Hi Team,

     

    Please suggest the authentication mode which will take the credential automatically based on their AD login user account.

     

    Our customer has set the authentication mode to Auto. Whenever he tries to access sites, it keeps prompting for username and password, even for denied sites.

    We need to configure it to take the credentials automatically rather than prompt.

     

    Web Access layer rule is based on the user/Group.

    Using BCAAA, explicit deployment.

    No NATed users.

     

    I have referred to the article below but am not sure which method would suit this setup.

    https://support.symantec.com/en_US/article.TECH242539.html

     

    Thanks,

    Ram.



  • 2.  RE: ProxySG-Authentication method

    Posted May 24, 2018 12:32 AM

    Hi Team,

    Could you please advise on this?

    Thanks,

    Ram.



  • 3.  RE: ProxySG-Authentication method

    Posted May 24, 2018 01:00 AM

    Hi Ram,

     

    "Authentication Mode" only defines how frequently and how the authentication should be attempted. This is different from silent authentication. If the customer is using IWA-based authentication, it is expected to have silent authentication by sharing the logged-in user information. The prompt that you are noticing is due either to the browser's/application's inability to share information silently or to the shared credentials getting rejected by the AD when checked by the proxy.

     

    The "Auto" mode setting will instruct the proxy to use the most secure mode of authentication which is available for the user access method. So for explicit access, out of the 2 available options of "Proxy" and "Proxy-IP", it will pick the "Proxy" mode of authentication. This is where all new sessions will be challenged by the proxy for authentication. A good reference for the modes is available at https://support.symantec.com/en_US/article.TECH242539.html

     

    Having said the above, it is not clear why the browser is popping up for auth rather than sharing the login information silently. Taking a pcap at the proxy with the client IP might give a clue.



  • 4.  RE: ProxySG-Authentication method

    Posted May 24, 2018 01:24 AM

    Hi Aravind,

     

    Thank you for the update.

    Can we use "proxy-IP" mode for this scenario?

    The BCAAA server is used for authentication, and it is an explicit deployment.

    Will Proxy-IP mode challenge for credentials one time and maintain the details for a particular time period?

     

    Thanks,

    Ram.



  • 5.  RE: ProxySG-Authentication method
    Best Answer

    Posted May 24, 2018 02:22 AM

    Hi Ram,

     

    Using "Proxy-IP" in explicit deployment is recommended due to its huge performance benefits. After a successful authentication, the proxy will create a User-to-IP mapping for "x" mins. Till this timeout is reached, all requests from the same IP address will be considered as coming from the same User. The default value of "x" is 900 seconds (i.e. 15 mins).

     

    Do note that the usage of "Proxy-IP" needs certain conditions to be satisfied, like no NAT before hitting the proxy, etc. More can be read at https://support.symantec.com/en_US/article.TECH240883.html
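
Added example (not part of the original thread, and not ProxySG code): a simplified Python model of the User-to-IP surrogate mapping described in the answer above, showing why the no-NAT condition matters. The class and function names, the sample traffic, and the assumption that a mapping expires a fixed TTL after it is created are all illustrative.

```python
# Simplified model of an IP surrogate cache (added example, not ProxySG code).
# Assumption: a mapping expires a fixed TTL after it is created.

SURROGATE_TTL = 900  # seconds; the default quoted in the answer above


class IpSurrogateCache:
    def __init__(self, ttl=SURROGATE_TTL):
        self.ttl = ttl
        self._map = {}       # client IP -> (user, expiry time)
        self.challenges = 0  # how many times a client had to authenticate

    def handle_request(self, client_ip, real_user, now):
        """Return the user this request is attributed to.

        real_user is who is actually behind the connection; it is only
        consulted when a challenge is issued.
        """
        entry = self._map.get(client_ip)
        if entry and now < entry[1]:
            return entry[0]          # surrogate hit: no challenge issued
        self.challenges += 1         # miss or expired: challenge the client
        self._map[client_ip] = (real_user, now + self.ttl)
        return real_user


def simulate(requests, ttl=SURROGATE_TTL):
    """requests: list of (time, client_ip, real_user), constructed input.

    Returns (challenge count, list of misattributed requests).
    """
    cache = IpSurrogateCache(ttl)
    wrong = []
    for now, ip, user in requests:
        seen_as = cache.handle_request(ip, user, now)
        if seen_as != user:
            wrong.append((now, ip, user, seen_as))
    return cache.challenges, wrong


# Constructed traffic: one user per IP (the no-NAT case).
NO_NAT = [(0, "10.0.0.5", "alice"), (10, "10.0.0.6", "bob"),
          (300, "10.0.0.5", "alice"), (901, "10.0.0.5", "alice")]
# Constructed traffic: two users behind one NAT address.
NAT = [(0, "192.0.2.1", "alice"), (10, "192.0.2.1", "bob"),
       (300, "192.0.2.1", "bob"), (901, "192.0.2.1", "bob")]

if __name__ == "__main__":
    print("no NAT:", simulate(NO_NAT))
    print("NAT:   ", simulate(NAT))
```

In the NAT case, user/group rules in the Web Access layer would be evaluated against the wrong identity until the mapping expires, and a longer timeout widens that window.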



  • 6.  RE: ProxySG-Authentication method

    Posted May 28, 2018 02:17 AM

    Hi Arvind/Team,

     

    Customer has configured Authentication mode as "Auto".

     

    He wants to change the authentication timeout value to half day. 

     

    Is it possible to change the authentication timeout value in auto mode? If yes, can you please share the procedure?

     

    Thanks,

    Ram. 

     



  • 7.  RE: ProxySG-Authentication method

    Posted May 28, 2018 02:35 AM

    Hi Ram,

     

    Changing the timeout doesn't have much of an impact when the mode is set to "Auto", as it will tend to authenticate every new session. If we are considering the "Surrogate Timeout", it will come into effect when a surrogate mode is used (Proxy-IP or Origin-IP-Redirect).