Which type of authentication mode should be used for specific proxy deployments?


Article ID: 167462


Updated On:


ProxySG Software - SGOS


Need to know the most appropriate authentication mode to use for a specific proxy deployment.


There are a number of authentication modes to choose from, when configuring ProxySG to use authentication. The following table summarises which mode to be used in each type of proxy deployment in a generic sence. One may use a different mode based on their situation.


Forwarding Proxy

Forwarding Proxy

Reverse Proxy

Surrogate Type

Proxy Challenge

Origin Challenge
with redirection

Form Challenge
with redirection

Origin Challenge

Form Challenge

IP Surrogate

Proxy IP

Origin IP Redirect

Form IP Redirect

Origin IP

Form IP

Cookie Surrogate


Origin Cookie Redirect

Form Cookie Redirect

Origin Cookie

Form Cookie

TCP Connection Surrogate





 These modes are explained in detail in Knowledgebase article 000012964.

Surrogate Types


The IP address of the client PC is used to remember who the user is. This mode cannot be used in a NAT / Terminal Server environment.


The proxy allocates a cookie to the user and uses this to remember who the user is. This mode can be used in a NAT / Terminal Server environment.


Each TCP connection made to the proxy requires authentication. This mode can be used by clients that do not support cookies. Because each TCP connection made by the client requires authentication this mode is very secure, but increases the load on the ProxySG appliance and on the authentication infrastructure.

For further details on surrogate credentials, see 000015171.