Using a different authentication mode based on protocol

Article ID: 167076


Products

ProxySG Software - SGOS

Issue/Introduction

Using a different authentication mode based on protocol.
HTTP web requests work with authentication, but FTP connections don't work correctly with authentication.
Some application requests work, but most of the time they fail.
My application is not able to get out to the internet. How can I work around the problem?

 

Resolution

Workaround

This workaround does not bypass authentication. A particular authentication mode may not work for all protocols, so it may be necessary to authenticate the user with a different mode for the affected protocol. One such case is the FTP protocol with the proxy-ip authentication mode: the first authentication request succeeds, but subsequent authentication requests cause the FTP connection to fail. To address the problem, use the proxy authentication mode instead of the proxy-ip mode for FTP traffic.

This example assumes that you already have policy in place to authenticate users and that the authentication mode used is proxy-ip. The following steps will help you create a second authentication object that uses a different authentication mode than the one currently configured. In this example, any FTP traffic (FTP traffic uses TCP port 21) will be authenticated using the proxy mode instead of the proxy-ip mode.

  1. Open the Management Console on the ProxySG appliance (https://<IP_address>:8082).
  2. Select Configuration tab > Policy > Visual Policy Manager > Launch.
  3. Select a Web Authentication Layer. Add a new rule above the current authentication rule that is causing problems.
  4. In the Destination column, right-click and select Set > New > Destination Host/Port, and enter 21 as the port number. Click Add > Close. With the newly created destination port 21 selected, click OK.
  5. (Optional/alternate) In the Service column, right-click and select Set > New > Client Protocol Object and choose FTP from the drop-down menu. Click OK. With the newly created FTP object selected, click OK.
  6. Right-click in the Action column and select Set > New > Authenticate. Give it a meaningful name (FTPAuth), select your realm, and change the mode to Proxy. Click OK twice.
  7. Install policy.
     NOTE: You may not be using proxy-ip and proxy. Select the appropriate authentication mode as needed for your environment. See Authentication modes for Edge SWG (ProxySG) deployments for a list of the authentication modes available for use.
  8. Test and make sure the problem is resolved.

NOTE:  The Web Access layer does not need any new rules because the request is still being authenticated. It is just using a different mode of authentication.
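
The two rules that steps 3 through 7 build in the Visual Policy Manager, written as hand-authored CPL. This is an added example, not taken from the original article or from the vendor; the realm name MyRealm is a placeholder, and the existing rule is assumed to be a catch-all proxy-ip rule.

```cpl
; Added example. "MyRealm" is a placeholder: substitute your own realm name.
<Proxy>
    ; New rule, placed first. Rules in a layer are evaluated top to bottom and
    ; the first match applies, so traffic to port 21 is authenticated in proxy mode.
    url.port=21 authenticate(MyRealm) authenticate.mode(proxy)

    ; Alternative to the port match (step 5): match on the client protocol instead.
    ; client.protocol=ftp authenticate(MyRealm) authenticate.mode(proxy)

    ; Existing rule (assumed): all other traffic still authenticates with proxy-ip.
    authenticate(MyRealm) authenticate.mode(proxy-ip)
```

If the order is reversed, the catch-all proxy-ip rule matches FTP first and the new rule never takes effect.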