How to use Cookie based authentication in an explicit environment

Article ID: 166499

Products

ProxySG Software - SGOS

Issue/Introduction

In most circumstances, cookie-based authentication is not recommended in an explicit environment, because it only authenticates user agents that store and return cookies. A second problem is that, by default, cookie-based authentication does not authenticate HTTPS traffic unless that traffic is intercepted, and even when it is intercepted a whole set of additional rules is needed to make it work. With a basic cookie-based rule, therefore, you will not be able to authenticate any HTTPS traffic or any non-browser traffic, since other applications generally do not handle cookies.

If at all possible we always recommend one of the following basic configurations:

1. Proxy-IP mode authentication if you are in an environment with one user per workstation.
2. A mix of options 1 and 3: all single-user workstation IP subnets authenticated via Proxy-IP mode and all multi-user workstations authenticated via Proxy mode.
3. Proxy mode authentication if you have multiple users per workstation, or if the users are behind a network appliance that presents a single IP address (e.g. a Citrix server).

In some rare circumstances you may need to reduce the number of authentication requests in a Proxy mode environment because of excessive load on the proxy. This is intended as an interim workaround while waiting for upgraded hardware or similar.

In this scenario you would use the following configuration, installed with the CPL editor:

1. All HTTPS traffic is authenticated by Proxy mode.
2. All traffic with a User-Agent of any browser type is authenticated via Origin-Cookie-Redirect mode.
3. All other traffic is authenticated by Proxy mode.
 
Below is an example of the CPL code that implements this (the three steps above correspond to Rule3 through Rule5). It is also available as an attachment to this FAQ. Please note that Rule1 and Rule2 are both commented out, as they may not be needed in all environments:

<proxy>
; Definitions

; This list defines the IPs or subnets of client computers that do not need to authenticate in Rule1.
; Remove the semi-colon from the next 4 lines, as well as from Rule1, if you wish to implement this feature.
; define condition client-ip
;     client.address=10.1.1.0/24
;     client.address=192.168.1.15
; end

; This list defines the remote servers that do not need to be authenticated against in Rule2.
; Remove the semi-colon from the next 5 lines, as well as from Rule2, if you wish to implement this feature.
; define condition server-ip
;     url.address=192.168.0.5
;     url.address=192.168.0.6
;     url.domain=//www.mycompany.com/
; end

; This list defines all browser types; it is used for Cookie based authentication in Rule4.
define condition UserAgentList1
    request.header.User-Agent="Gecko\) Chrome/\d+(\.\d+)+ Safari/\d+(\.\d+)+$"
    request.header.User-Agent="^Mozilla/\d+\..*Firefox/\d+\.\w+\.*\d*\.*\d*( \(\s*.NET CLR.*\)|)$"
    request.header.User-Agent="((?-i)MSIE [1-9]0?.\d+; Windows [^PC].*(\w\w-\w\w|P|T|U|;\s*|\d\w|\d(?<!WP\d))\)$)|(^Mozilla/\d+\.0 \(.*Trident/7.*rv:11.*\).*)"
    request.header.User-Agent="(^Mozilla/[234][^\(]*\([^c].*\)$)|(^Mozilla/5\.0[^\(]*\([^c].*Netscape[67]*/[6-9])|(^Mozilla/5\.0[^\(]*\([^c].*Navigator/9)"
    request.header.User-Agent="(^Opera[ /]\d+\..*)|(.*Opera[ /]\d+\.\d+( \[\w\w\])?$)"
    request.header.User-Agent="^Mozilla/[45]\.0 \((Windows|Macintosh|X11).*Version/\d+(\.\d+)* Safari/\d+(\.\d+)+$"
    request.header.User-Agent="iPhone"
    request.header.User-Agent="(\(iPad)|(; iPad)"
    request.header.User-Agent="(\(iPod)|(; iPod)"
    request.header.User-Agent="(\(Black[Bb]erry)|(^Black[Bb]erry)|(BB10)"
    request.header.User-Agent="(\(Android)|(; Android)"
    request.header.User-Agent="(Windows Phone)|(Windows Mobile)|(IEMobile)|(Windows CE)|(.*WP7)"
end condition UserAgentList1

; end Definitions

; Rules
; "IWA" below is the name of the authentication realm; replace it with the name of your own realm.
; Rules within a <proxy> layer are evaluated from top to bottom and the first match wins,
; so Rule3 must stay above Rule4 for browser CONNECT requests to get Proxy mode.

; Rule1
; This rule does not authenticate the clients in the list called 'client-ip'.
; condition=client-ip authenticate(no)

; Rule2
; This rule does not authenticate requests to the servers in the list called 'server-ip'.
; condition=server-ip authenticate(no)

; Rule3
; This rule forces all HTTPS traffic (explicit CONNECT requests) to authenticate using Proxy mode.
http.method=CONNECT authenticate(IWA) authenticate.mode(proxy)

; Rule4
; This rule forces the remaining traffic from the browsers in UserAgentList1 to authenticate using Origin-Cookie-Redirect mode.
condition=UserAgentList1 authenticate(IWA) authenticate.mode(origin-cookie-redirect)

; Rule5
; This rule forces everything else (non-browser clients that do not handle cookies) to authenticate using Proxy mode.
authenticate(IWA) authenticate.force(no) authenticate.mode(proxy)

; End Rules
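To check what the policy above would do to a given request before installing it, here is an added Python simulation of the five rules. It is not part of the original article and not a ProxySG tool. It embeds the article's UserAgentList1 regexes (minus the MSIE/Trident pattern, whose PCRE-only `(?-i)` inline flag Python's re module rejects), assumes that CPL header regexes are matched case-insensitively and unanchored, reduces url.domain matching to an exact-or-suffix hostname compare, and uses constructed sample User-Agent strings and addresses. Rule1 is switched on with the article's 10.1.1.0/24 example subnet so that the exemption path is visible.

```python
"""Simulate which authenticate.mode the article's CPL policy selects for a request."""
import ipaddress
import re

# Subset of the article's UserAgentList1 regexes that Python's re accepts verbatim.
# The MSIE/Trident pattern is omitted: its PCRE-only "(?-i)" flag is rejected by re.
USER_AGENT_LIST1 = [
    r"Gecko\) Chrome/\d+(\.\d+)+ Safari/\d+(\.\d+)+$",
    r"^Mozilla/\d+\..*Firefox/\d+\.\w+\.*\d*\.*\d*( \(\s*.NET CLR.*\)|)$",
    r"(^Mozilla/[234][^\(]*\([^c].*\)$)|(^Mozilla/5\.0[^\(]*\([^c].*Netscape[67]*/[6-9])|(^Mozilla/5\.0[^\(]*\([^c].*Navigator/9)",
    r"(^Opera[ /]\d+\..*)|(.*Opera[ /]\d+\.\d+( \[\w\w\])?$)",
    r"^Mozilla/[45]\.0 \((Windows|Macintosh|X11).*Version/\d+(\.\d+)* Safari/\d+(\.\d+)+$",
    r"iPhone",
    r"(\(iPad)|(; iPad)",
    r"(\(iPod)|(; iPod)",
    r"(\(Black[Bb]erry)|(^Black[Bb]erry)|(BB10)",
    r"(\(Android)|(; Android)",
    r"(Windows Phone)|(Windows Mobile)|(IEMobile)|(Windows CE)|(.*WP7)",
]

# Assumption: CPL header regexes are unanchored (search) and case-insensitive.
_COMPILED = [re.compile(p, re.IGNORECASE) for p in USER_AGENT_LIST1]


def is_browser(user_agent: str) -> bool:
    """True if the User-Agent matches any entry of UserAgentList1 (Rule4's condition)."""
    return any(p.search(user_agent) for p in _COMPILED)


def authentication_mode(method, user_agent, client_ip, server_host,
                        exempt_clients=(), exempt_servers=()):
    """Return the authenticate.mode the policy selects, or None when an
    exemption (Rule1/Rule2, authenticate(no)) applies.

    exempt_clients: CIDR strings or addresses standing in for the client-ip condition.
    exempt_servers: hostnames or IPs standing in for the server-ip condition;
                    url.domain matching is simplified to an exact or suffix match.
    """
    # Rules in a <proxy> layer are evaluated top to bottom; the first match wins.
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net, strict=False) for net in exempt_clients):
        return None  # Rule1: authenticate(no)
    if any(server_host == s or server_host.endswith("." + s) for s in exempt_servers):
        return None  # Rule2: authenticate(no)
    if method.upper() == "CONNECT":
        return "proxy"  # Rule3: an HTTPS tunnel cannot carry the cookie redirect
    if is_browser(user_agent):
        return "origin-cookie-redirect"  # Rule4: browser, cookies will be honoured
    return "proxy"  # Rule5: non-browser client that never sends cookies


# Constructed sample requests (not taken from the article).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
CURL_UA = "curl/8.4.0"

SAMPLE_REQUESTS = [
    ("GET", CHROME_UA, "192.168.5.5", "www.example.com"),
    ("CONNECT", CHROME_UA, "192.168.5.5", "www.example.com"),
    ("GET", FIREFOX_UA, "192.168.5.5", "www.example.com"),
    ("GET", CURL_UA, "192.168.5.5", "www.example.com"),
    ("GET", CHROME_UA, "10.1.1.7", "www.example.com"),  # inside the Rule1 example subnet
]


def simulate(requests=SAMPLE_REQUESTS, exempt_clients=("10.1.1.0/24",), exempt_servers=()):
    """Map each (method, UA, client, server) tuple to the mode the policy selects."""
    return {req: authentication_mode(*req, exempt_clients=exempt_clients,
                                     exempt_servers=exempt_servers)
            for req in requests}


if __name__ == "__main__":
    for (method, ua, client, server), mode in simulate().items():
        print(f"{method:7} {client:12} {server:16} {ua[:40]!r:44} -> {mode}")
```

Running it shows the two points the article makes: the same Chrome client gets origin-cookie-redirect for a plain GET but proxy mode for its CONNECT requests, because Rule3 sits above Rule4, and a non-browser client such as curl falls through to Rule5 and is prompted by the proxy rather than redirected. Feeding it the actual User-Agent strings seen in your access logs is a quick way to find clients that would land in the wrong mode before the policy goes live.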