Edge SWG (formerly ProxySG) Steps to Forward User Credentials Upstream
search cancel

Edge SWG (formerly ProxySG) Steps to Forward User Credentials Upstream


Article ID: 165859


Updated On:


ProxySG Software - SGOS


The following procedure describes how to configure the Edge SWG (formerly ProxySG) appliance to store user credentials and send them upstream upon request. This allows users to enter their credentials once rather than having to continually re-enter them in order to access a server behind the Edge SWG appliance. This type of configuration would be useful in a reverse proxy deployment to prevent users from having to re-authenticate multiple times.



Note: The following procedure will only work with servers that request BASIC authentication. As an alternative you could configure the EdgeSWG to use constrained Kerberos delegation (also known as IWA on Microsoft IIS). For more details please refer to Article 165596.

1. Open VPM.
2. Optional: Create a new Web Authentication Layer.
3. Add a new rule to the Web Authentication Layer, ensuring that the placement of this rule is correct.
4. Adjust the source and destination accordingly. 
5. As an action, right-click and select "set."
6. Select "Duplicate Proxy Credentials Upstream."
7. Adjust the options accordingly.
For more details, refer to the SGOS Administration Guide of your corresponding SGOS release.


Additional Information

  • For security reasons, the Edge SWG appliance will strip authorization credentials provided by the client that are intended for the OCS. This is done by default (by default, no credentials are sent upstream). In this case, the proxy will remove the authorization header to avoid leaking credentials that may have been intended for another authentication realm or a downstream proxy. 
  • For all transactions which match the "Duplicate Proxy Credentials Upstream" Object, credentials will be sent even if the receiving server does not require them. Depending upon how your policy is written, you can use the Do Not Send Credentials Upstream object to manage which servers should not receive credentials. You can enforce this rule using the VPM object, Do Not Send Credentials Upstream. It is a fixed action and requires no configuration.
  • The "Duplicate Proxy Credentials Upstream" object implies the use of basic credentials which works in two modes:
    • ‚Äč1. If the user authenticated to the using BASIC credentials, then by default, those credentials will be forwarded upstream. 
    • 2. If the user authenticated using NTLM, Kerberos, or a realm which does not use passwords, then by default the username will be forwarded along with an empty password.
  • Optionally, the username and password sent upstream can be configured with substitution strings.
  • The "Duplicate Proxy Credentials Upstream" object is the equivalent of the "server.authenticate.basic()" CPL syntax.
  • The typical application for the "Duplicate Proxy Credentials Upstream" object is with child-parent proxy deployments (proxy chaining).