Performing authentication in a transparent deployment before implementing SSL Interception.

Article ID: 171681

Updated On:

Products

Advanced Secure Gateway Software - ASG

ProxySG Software - SGOS

Issue/Introduction

This article describes how to implement IWA authentication in a transparent deployment where SSL Interception has not been implemented yet.

This implementation is limited: without SSL Interception, the proxy can only authenticate HTTP requests. The proxy can remember the authenticated client for 15 minutes by default (using surrogates). After that time has passed, the client must access another HTTP site in order to be re-authenticated. For more on surrogates, refer to the following article:

https://support.symantec.com/en_US/article.TECH243090.html

Resolution

To implement this authentication, two rules must be created: one that disables authentication for "ssl://" (HTTPS) requests and one that authenticates all other requests.

The rules are as follows:

Rule 1 - Destination trigger: Request URL regex: "ssl://.*" - Action: Do not authenticate

Rule 2 - Destination trigger: Any - Action: Authenticate, Authentication Mode: Origin-IP-Redirect or Origin-Cookie-Redirect (depending on each particular environment)
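
The following added example is not ProxySG policy code and is not from the original article: it is a small Python model of the two rules and the 15-minute surrogate, replayed over constructed traffic to show which requests are challenged, which are covered by the surrogate, and which are never authenticated. It assumes first-match rule evaluation, an IP surrogate that expires a fixed 15 minutes after authentication, and a challenge that always succeeds; all names (ProxyModel, replay, SAMPLE) are hypothetical.

```python
import re
from dataclasses import dataclass, field

SURROGATE_TTL = 15 * 60  # seconds; the default surrogate lifetime stated in the article

# The two rules from the Resolution; assumed to be evaluated top-down, first match wins.
RULES = [
    (re.compile(r"ssl://.*"), "do_not_authenticate"),  # Rule 1
    (re.compile(r".*"), "authenticate"),               # Rule 2 (Any)
]

@dataclass
class ProxyModel:
    # client IP -> (user, expiry time): models an IP surrogate (Origin-IP-Redirect)
    surrogates: dict = field(default_factory=dict)

    def handle(self, now, client_ip, url, user):
        """Return (decision, identity) for one request at time `now` (seconds)."""
        action = next(a for rx, a in RULES if rx.match(url))
        if action == "do_not_authenticate":
            # Rule 1: the proxy performs no authentication for this request.
            return ("not_authenticated", None)
        cached = self.surrogates.get(client_ip)
        if cached and cached[1] > now:
            return ("surrogate_hit", cached[0])  # remembered client, no new challenge
        # No valid surrogate: challenge (assumed to succeed) and store a new surrogate.
        self.surrogates[client_ip] = (user, now + SURROGATE_TTL)
        return ("challenged", user)

def replay(requests):
    """Run a list of (time, client_ip, url, user) tuples through a fresh model."""
    proxy = ProxyModel()
    return [proxy.handle(*r) for r in requests]

# Constructed sample traffic: (time in seconds, client IP, URL, user answering a challenge)
SAMPLE = [
    (0,    "10.0.0.5", "ssl://mail.example.com:443/", "alice"),
    (10,   "10.0.0.5", "http://intranet.example.com/", "alice"),
    (600,  "10.0.0.5", "http://news.example.com/", "alice"),
    (650,  "10.0.0.5", "ssl://mail.example.com:443/", "alice"),
    (1000, "10.0.0.5", "http://news.example.com/", "alice"),
]

if __name__ == "__main__":
    for req, res in zip(SAMPLE, replay(SAMPLE)):
        print(req[0], req[2], "->", res)
```

In this model, a client that only generates HTTPS traffic is never challenged, which is the coverage gap to account for when reviewing access logs under this policy.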