Transparent authentication fails even when the Virtual URL is resolved to the ProxySG IP address.


Article ID: 167015


Updated On:




I am unable to connect to the Internet even when Virtual URL for transparent authentication is configured to resolve to a ProxySG IP address (as shown in KB3448).
Authentication fails and the ProxySG does not show that the user has authenticated. 




After following the instructions in KB3448, the user might have problems accessing the Internet whereby Internet Explorer returns the error “Cannot display the page” even although user can ping to ProxySG IP address.

The problem usually is because the ProxySG has not been configured to intercept on port 80. In order to reply the re-directed traffic for the Virtual URL, proxySG must be configured to intercept traffic at port 80 explicitly, or the IP address that virtual URL is resolved to. 

If it is not configured this way, the traffic that is re-directed to the ProxySG for authentication will be reset and user will not be authenticated. That causes IE to return the error message described above.

The solution for the problem is to intercept on port 80 if the ProxySG has not be configured to do so. This is can be done in the Management Console under Proxy Services in the Configuration tab.

In fact the same concept can be used for situations where the client is pointing a ProxySG to a PAC file in explicit deployment using PAC.

Alternatively, if it is a transparent ProxySG deployment; the virtual URL's host name can be resolved to a public IP address with the condition that the traffic must be intercepted by the ProxySG transparently before reaching the particular IP address. If this condition does not match, then the authentication will fail.


In conclusion, the Virtual URL should be a URL that can be intercepted by the ProxySG so that it can challenge the user request for authentication matters.