How to configure transparent authentication to support HTTP and HTTPS

Article ID: 166353

Products

ProxySG Software - SGOS

Issue/Introduction

Notes:

  • The configuration detailed in this article supports proxy authentication to both HTTP and HTTPS websites.
  • This configuration uses the HTTPS Reverse Proxy, so an SSL license is required.

The following configuration work is required. 

  1. Configure an HTTPS Reverse Proxy service to be used exclusively for listening for authentication requests.
  2. Configure the authentication realm with a virtual URL that points to the above reverse proxy service.
  3. Create policy to redirect authentication traffic to the required authentication realm.

For this example, an IWA authentication realm will be used.
 

  1. Creating an HTTPS Reverse Proxy service on the proxy will allow all authentication attempts to be encrypted. In the Management GUI, create an HTTPS Reverse Proxy service (here called IWA_Auth).

 

This service will be configured to intercept explicitly on port 4433 (although any other unique port number can be used if required).

Important notes:
  • An appropriate keyring needs to be selected for this service. To prevent certificate errors occurring on the browser, this keyring’s certificate will need to be copied to all user workstations (see 000010289).
  • It may be necessary to open up port 4433 on a firewall if one exists between the user workstations and the proxy.

 

  2. The authentication realm needs to be configured with a virtual URL that points to the proxy’s reverse proxy service.

When a user needs to be authenticated, they will be redirected to this URL. It is therefore necessary to ensure that the host name part of the URL can be resolved correctly by the user workstation to the IP address of the proxy. (See also 000015537).

 

  3. In Visual Policy Manager, create an SSL Interception layer.

Create an SSL Interception object and configure it to use the same keyring used by the HTTPS Reverse Proxy service.

 

Create an Authentication layer.

Create an Authenticate object and configure it to use an appropriate redirect authentication mode (see 000015933).

Apply the policy.

 

Now, when a user transparently connects through the proxy, the proxy will redirect the user to the authentication virtual URL where the user will authenticate with the proxy. If authentication is successful, the proxy will redirect the user back to the original URL they were requesting. This process can be seen below with the Firefox add-on Firebug displaying the URLs being accessed.

  1. The browser attempts to go to the HTTPS www.bluecoat.com site. The proxy returns an HTTP 302 (temporary redirect) response to the virtual URL.
  2. The browser goes to the virtual URL (where the user is successfully authenticated). The proxy sends a redirect back to the original requested site.
  3. The browser goes to the original requested site, having now been authenticated.
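
To confirm a captured browser trace matches the three steps above, the following added example (not part of the original article or of ProxySG) checks that the first 302 targets the HTTPS virtual URL on the reverse proxy port and that the browser ends up back at the original site. It assumes one captured entry per step, with any intermediate challenge responses at the virtual URL left out; the host name `proxyauth.example.internal` and the sample captures are constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(),
            p.port or {"http": 80, "https": 443}.get(p.scheme))

def check_auth_chain(hops, original_url, virtual_host, virtual_port=4433):
    """hops: [(request_url, status, Location or None), ...] as captured in
    the browser. Returns a list of problems; empty means the flow matches."""
    if len(hops) < 3:
        return ["expected 3 requests, captured %d" % len(hops)]
    site = origin(original_url)
    virtual = ("https", virtual_host.lower(), virtual_port)
    (req1, st1, loc1), (req2, st2, loc2), (req3, _, loc3) = hops[:3]
    problems = []
    # 1. Original request is answered with a 302 to the HTTPS virtual URL.
    if origin(req1) != site or st1 != 302:
        problems.append("first hop is not a 302 for the original URL")
    if not loc1 or origin(loc1) != virtual:
        problems.append("302 target %r is not https://%s:%d"
                        % (loc1, virtual_host, virtual_port))
    # 2. Browser authenticates at the virtual URL and is redirected back.
    if origin(req2) != virtual:
        problems.append("second request did not go to the virtual URL")
    if not 300 <= st2 < 400 or not loc2 or origin(loc2) != site:
        problems.append("virtual URL did not redirect back to the original site")
    # 3. Original site is requested again and is not bounced a second time.
    if origin(req3) != site:
        problems.append("third request is not the original site")
    if loc3 and origin(loc3) == virtual:
        problems.append("redirected to the virtual URL again (not authenticated)")
    return problems

# Constructed captures; proxyauth.example.internal is a placeholder host.
SITE = "https://www.bluecoat.com/"
GOOD = [(SITE, 302, "https://proxyauth.example.internal:4433/"),
        ("https://proxyauth.example.internal:4433/", 302, SITE),
        (SITE, 200, None)]
# Same flow, but the realm's virtual URL was set to http:// (cleartext).
BAD = [(SITE, 302, "http://proxyauth.example.internal:4433/"),
       ("http://proxyauth.example.internal:4433/", 302, SITE),
       (SITE, 200, None)]

if __name__ == "__main__":
    for name, chain in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_auth_chain(chain, SITE, "proxyauth.example.internal"))
```

A non-empty result for the `BAD` capture shows the case this configuration is meant to avoid: the authentication exchange going to the virtual URL without encryption.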