What should the Virtual URL be in transparent Authentication on the ProxySG?

Article ID: 167387

Updated On:

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

What should the Virtual URL be in transparent Authentication on the ProxySG?
The default virtual URL is www.cfauth.com/
Can the default URL be changed?
If the default URL can be changed, what should the URL be?
Authentication Mode is origin-redirect or origin-*-redirect

Resolution

To implement silent authentication (no pop-up box) in a transparent proxy deployment with an origin-*-redirect Authentication Mode, change the Virtual URL from www.cfauth.com/ to a hostname that is internally resolvable, such as http://proxysg.

NOTE: By browser design, if the hostname contains a period (something.something), the browser may treat the proxy as being in the internet zone instead of the intranet zone and will not pass credentials to it; a single hostname with no dots is required. A DNS entry or a workstation hosts file entry must be configured so that the name used for the Virtual URL resolves to the IP address of the ProxySG.

Here are the steps to make the changes on the ProxySG:

  1. Log in to the Management Console (https://<ip.address.of.proxysg>:8082/). Go to Configuration tab > Authentication > {Select an authentication type, such as IWA, Windows SSO, and so forth}.
  2. Click the last tab, which will be <authentication type> General. Some examples are "IWA General" or "Windows SSO General".
  3. There is a "Virtual URL" setting on the General tab. By default, the Virtual URL is set to www.cfauth.com/. Change this to http://<some-host-name-resolvable-on-your-network>. Some examples are http://proxysg, http://myproxy or http://bluecoat. NOTE: Whatever name is selected here must be resolvable to the IP address of the ProxySG. If it is not, the new Virtual URL will not work.
  4. Click on Apply to save changes.
  5. Test and make sure it all works as expected.

 

NOTE: The ProxySG must have the Explicit Proxy Service enabled on port 80 for this to work properly.

TROUBLESHOOTING:

  1. Make sure the hostname can be pinged from the command line.
  2. Make sure there are no dots (.) in the Virtual URL name.
  3. Make sure the ProxySG has the Explicit Proxy Service enabled on port 80.
  4. Take a Packet Capture (pcap) and make sure the ProxySG is redirecting to the Virtual URL and that the Virtual URL is being resolved to the IP address of the ProxySG.
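
The name checks from the troubleshooting list can be scripted before the Virtual URL is changed. The following is an added example, not Broadcom code: the function name, the injectable resolver and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import socket
from urllib.parse import urlsplit


def check_virtual_url(virtual_url, proxysg_ip, resolve=socket.gethostbyname):
    """Return a list of problems with a candidate Virtual URL (empty list = OK).

    `resolve` is injectable so the check can be exercised without DNS.
    """
    problems = []
    # The default value "www.cfauth.com/" carries no scheme; add one so that
    # urlsplit() puts the name in .hostname instead of .path.
    if "://" not in virtual_url:
        virtual_url = "http://" + virtual_url
    host = urlsplit(virtual_url).hostname
    if not host:
        return ["no hostname found in Virtual URL"]
    # Troubleshooting step 2: a dotted name may land in the internet zone,
    # in which case the browser will not pass credentials to the proxy.
    if "." in host:
        problems.append(f"'{host}' contains a dot; browser may not send credentials")
    # Troubleshooting steps 1 and 4: the name must resolve to the ProxySG itself.
    try:
        resolved = resolve(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        problems.append(f"'{host}' does not resolve: {exc}")
    else:
        if resolved != proxysg_ip:
            problems.append(f"'{host}' resolves to {resolved}, expected {proxysg_ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a fake resolver standing in for DNS / hosts file.
    fake_dns = {"proxysg": "192.0.2.10", "www.cfauth.com": "203.0.113.5"}

    def fake_resolve(name):
        if name not in fake_dns:
            raise socket.gaierror(f"unknown host {name}")
        return fake_dns[name]

    for url in ("http://proxysg", "www.cfauth.com/", "http://myproxy"):
        result = check_virtual_url(url, "192.0.2.10", fake_resolve)
        print(url, "->", result or "OK")
```

Run it on a client workstation with the default resolver so that the result reflects what the browser will see, including any hosts file entry.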