How to forward user credentials to a server behind the ProxySG appliance

Article ID: 165859

Products

ProxySG Software - SGOS

Issue/Introduction

The following procedure describes how to configure the ProxySG appliance to cache the credentials a user presents to the proxy and send them upstream when a server behind the appliance requests them. Users then enter their credentials once instead of re-entering them for each server behind the ProxySG appliance. This configuration is typically used in a reverse proxy deployment, where the appliance authenticates the user and the origin server would otherwise challenge the user again.

 

Resolution

Note: The following procedure only works with servers that request BASIC authentication. If the upstream server uses Integrated Windows Authentication (IWA) on Microsoft IIS, configure the ProxySG for Kerberos constrained delegation instead, which lets the appliance obtain a Kerberos service ticket on the user's behalf. For details, refer to Tech241131.

1. Open the Visual Policy Manager (VPM).
2. Optional: Create a new Web Authentication Layer.
3. Add a new rule to the Web Authentication Layer. Rules in a layer are evaluated from top to bottom and the first match wins, so place the rule so that it is reached by the traffic it is meant to cover and is not shadowed by a more general rule above it.
4. Set the Source and Destination objects to match the users and the upstream server that should receive the credentials (for example, a Destination Host object for the reverse-proxied server).
5. Right-click the Action column of the rule and select Set.
6. Select Send Credentials Upstream.
7. Adjust the object's options as required and install the policy.
For more details, refer to the SGOS Administration Guide for your SGOS release.

 

Additional Information

  • For security reasons, the ProxySG appliance strips the Authorization header that a client sends for the origin content server (OCS). This is the default behaviour: no credentials are sent upstream unless policy explicitly allows it. The header is removed so that credentials intended for a different authentication realm, or for another proxy in the path, are not leaked to the OCS.
  • For every transaction that matches a Send Credentials Upstream rule, credentials are sent even if the receiving server does not ask for them. Use the Do Not Send Credentials Upstream object for servers that must not receive them; it is a fixed action with no options, and where it sits relative to the Send rule depends on how the rest of your policy is written.
  • The Send Credentials Upstream object always sends BASIC credentials, in one of two modes:
    • 1. If the user authenticated to the ProxySG with BASIC credentials, the username and password are forwarded upstream.
    • 2. If the user authenticated using NTLM, Kerberos, or a realm that does not use passwords, the username is forwarded with an empty password, because the appliance never sees the user's password in those schemes.
  • BASIC credentials are only base64-encoded, so the connection from the appliance to the upstream server should be HTTPS (or otherwise protected); on a plaintext connection the forwarded password is readable on the wire.
  • The Send Credentials Upstream object is the equivalent of the server.authenticate.basic() CPL property.
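The policy below is an added example that is not part of this article and not Symantec/Broadcom-published code: it shows the CPL equivalent of the VPM procedure above together with a Do Not Send Credentials Upstream exclusion. The realm name LDAPRealm, the hostnames, and the yes/no argument form of server.authenticate.basic() are assumptions; verify them against the CPL Reference for your SGOS release before installing.

```cpl
; Added example, not from the article. Realm name and hostnames are assumptions.
; Layer 1: authenticate the user once, at the proxy, for the reverse-proxied domain.
; With an LDAP (password-based) realm the appliance holds the BASIC credentials it
; will later forward; with an IWA realm it would forward the username and an empty password.
<Proxy>
    url.domain=example.com authenticate(LDAPRealm)

; Layer 2: control which upstream servers receive the cached BASIC credentials.
; The default (no policy) is to strip the client's Authorization header, so only
; hosts matched by a "yes" rule ever see credentials. Rules are evaluated top to
; bottom and the first match wins, so the specific exclusion is listed first.
<Proxy>
    ; Do Not Send Credentials Upstream (assumed to compile to server.authenticate.basic(no))
    url.host=payroll.example.com server.authenticate.basic(no)
    ; Send Credentials Upstream for every other server in the domain
    url.domain=example.com server.authenticate.basic(yes)
```

Credentials forwarded by this policy are only base64-encoded, so the forwarding rule should be limited to servers reached over HTTPS from the appliance.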