• Flash Videos cause authentication pop-up when the ProxySG appliance is deployed transparently and authentication is enabled.

Why you are getting a pop-up:

Before the video starts playing, the Flash player sends a POST request to open the video stream.
It is important to understand that HTTP POST requests cannot respond to a 302 redirected sent by the ProxySG appliance to redirect to the Virtual URL for authentication.
Therefore, the ProxySG appliance sends back a 401 as an 'origin' challenge, instead of sending a 302-redirect in the form of an 'origin-redirect' challenge.
The browser therefore thinks it is the OCS (Website) asking for authentication, not the ProxySG. The browser will not automatically send its IWA/NTLM credentials for an 'origin' challenge, but creates a pop-up instead.

How to resolve the issue:

To resolve the issue, you can do either of the following:
1) Do not authenticate 'POST' requests
2) Do not authenticate the source User-Agent 'Shockwave Flash'
3) Do not authenticate the source Content-type: application/x-fcs

Here is what the HTTP POST request looks like from the BBC player:

POST /open/1 HTTP/1.1
Content-Type: application/x-fcs
User-Agent: Shockwave Flash
Host: 208.111.153.61
Content-Length: 1
Connection: Keep-Alive
Cache-Control: no-cache

This is the player requesting the video stream to open. As we already know, POST requests cannot be redirected to the Virtual URL and so a Pop-up is created on the browser for authentication instead.

In CPL, the resolution would look like this:

<Proxy>
request.header.Content-Type="application/x-fcs" authenticate(no)