ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Skipping Authentication when Egress IP Was Authenticated

book

Article ID: 173102

calendar_today

Updated On:

Products

Web Isolation

Issue/Introduction

Server Authentication Mode

Challenges

When a proxy resides in the cloud, it cannot communicate directly with an authentication server that resides in the LAN. In such cases, SAML authentication is used instead. Since SAML was designed for websites and not for forward proxies, forward proxies in the cloud face significant challenges where it comes to authentication.

Symantec Web Isolation manages user and domain information for SAML authentication through its virtual domain, called Service Provider (SP), which typically resides on an isolation gateway. When the end user browses a website, Web Isolation checks if this user has already been authenticated for that website’s domain. If the authentication data is not found, the user will be redirected to the Service Provider to complete the authentication flow. Therefore, redirect is a must for the successful completion of the authentication flow. If redirect cannot be done, authentication is likely to fail, resulting in connectivity issues for Bypass and Inspect actions. (This is not relevant for isolated web traffic.) Connectivity issues can also be experienced by websites that apply Content-Security-Policy*, such as Facebook.com, which typically prevent redirecting to SP.

Addressing Connectivity Issues

To address the connectivity issues associated with cloud authentication in Server Authentication mode, Symantec Web Isolation offers a solution that does not require an additional client to be installed on the endpoints. Instead, Symantec Web Isolation allows authentication to be skipped when the source egress IP address has already been authenticated within the configured authentication caching timeout, thereby solving any redirect issues in the case of server authentication.

Since the system learns the authenticated IP addresses dynamically, connectivity issues are avoided for roaming users. For proxied traffic, the Server Authentication mode identifies resources in a best-effort manner: All top-level network requests will be authenticated, while some sub-resources will meet the criteria for skipping authentication so that there, too, connectivity issues will be avoided.

Impact

All authentication data is reported to the Activity Log. Note that the Activity Log displays the user name only if a specific Access Role or “All authenticated users” was specified in the matched rule’s User field (see section ‎5.2.7). The Activity Log displays “Generic User” instead of the user name when user authentication was skipped for unauthenticated requests. In this case, rules with a specific Access Role were skipped during matching.

* For more information, see the Wikipedia description of Content-Security-Policy at: https://en.wikipedia.org/wiki/Content_Security_Policy.

To address this issue go to Server Authentication Mode in the Solution section, below.

Proxy Authentication Mode

Challenge

Some applications do not support Proxy authentication. To avoid connectivity issues in such cases, you could add specific rules without an Access Role assignment (“Any” in the User field) to the rule base and place them at the top of the rules’ order. However, Symantec Web Isolation offers an alternative option that does not require you to do so.

Addressing Connectivity Issues

Symantec Web Isolation allows authentication to be skipped when the source egress IP address has already been authenticated within the configured authentication caching timeout. By skipping authentication for URLs of applications that do not support Proxy authentication, the policy remains the same and no rules need to be added to the rule base. The policy can be edited to include criteria for skipping authentication. When these criteria are matched and the source egress IP address was authenticated previously, the user is considered trusted and authentication will be skipped.

Impact

All authentication data is reported to the Activity Log. Note that the Activity Log displays the user name only if a specific Access Role or “All authenticated users” was specified in the matched rule’s User field. The Activity Log displays “Generic User” instead of the user name when user authentication was skipped for unauthenticated requests. In this case, rules with a specific Access Role were skipped during matching.

To address this issue go to Proxy Authentication Mode in the Solution section, below.

Resolution

Server Authentication Mode

Editing the Policy to Skip Authentication

  1. Click Settings. The Server Mode Authentication Settings dialog opens.
  2. Select the criteria that must be matched to skip authentication, as described in the following table (by default, all criteria are selected).

Criteria

Description

Request Criteria

Methods

  • POST and PUT

Check to skip authentication when POST and PUT requests methods are identified

  • Other

Check to skip authentication when HTTPS request methods are identified, except GET, CONNECT, POST and PUT

Header

  • Origin

Check to skip authentication when the request has an HTTP header named Origin (for example, Cross-Origin ajax)

FTP

 Check to skip authentication when the scheme is FTP

Destination URLs

  • Use a customized list of URLs

Check to skip authentication when URLs are identified that are specified in the customized Skip Authentication list

Response Header Modification

Add Service Provider and Identity Provider to Content-Security-Policy header

  • Symantec Web Isolation will add a Service Provider (SP) or SAML Identity Provider (IdP), in case of a SAML host, to the CSP response header.
  1. Click Update.

Authentication Caching

Authentication caching is done according to the settings in the Policy > Authentication Caching tab. The settings selected in the Authentication Caching tab (shown in the image below) determine which of the following settings in System Configuration > Advanced Configuration Settings will be effective:

  • asyncServices.applicationAuthenticationCacheTimeoutSpecificUsername –– Effective when “Using the last identity learned from the source IP” was selected.
  • asyncServices.applicationAuthenticationCacheTimeoutGenericUsername –– Effective when “Without identity (for example, when users are behind a NAT device)” was selected (“Generic User”).

Proxy Authentication Mode

Editing the Policy to Skip Authentication

  1. Click Settings. The Proxy Mode Authentication Settings dialog opens.
  2. Select the criteria that must be matched to skip authentication, as described in the following table (by default, all criteria are selected).

Criteria

Description

Request Criteria

Destination URLs

  • Use a customized list of URLs

Check to skip authentication when URLs are identified that are specified in the customized Skip Authentication list

  1. Click Update.

Authentication Caching

Authentication caching is done according to the settings in the Policy > Authentication Caching tab.

The settings selected in the Authentication Caching section determine which of the following settings in System Configuration > Advanced Configuration Settings will be effective:

  • asyncServices.applicationAuthenticationCacheTimeoutSpecificUsername –– Effective when “Using the last identity learned from the source IP” was selected.
  • asyncServices.applicationAuthenticationCacheTimeoutGenericUsername –– Effective when “Without identity (for example, when users are behind a NAT device)” was selected (“Generic User”).

Attachments