Recommended IWA Direct authentication policy on an Explicit Forward ProxySG

Article ID: 176296


Products

Advanced Secure Gateway Software (ASG); ProxySG Software (SGOS)

Issue/Introduction

When authentication policy is configured on an Explicit ProxySG, the source is very frequently left as "Any". This reliably causes problems, because many applications lack the access rights needed to obtain a Kerberos ticket or an NTLM credential response from the system and forward it to the proxy. Such an application typically gets stuck in a loop: it receives the 407 Proxy Authentication Required challenge, the connection is closed, it retries the URL, receives another 407, and the sequence repeats.

In these cases authentication must be bypassed for those applications.

Cause

Not every application has the ability, or the permissions, to retrieve credentials from the system.

Resolution

In Explicit deployments the client sends the CONNECT request to the proxy before the TLS handshake with the destination is performed, so the proxy can always read the User-Agent header (when the client sends one) from either the CONNECT or the GET request and use it to identify the application. Clients that send no User-Agent at all fall into the "unknown" category, which is the safe side for a bypass rule.

The primary purpose of the Authentication feature on the ProxySG is to record which user connects to which website. Since in most environments no one compiles a custom browser, a list of known browser User-Agent strings can be used to build the authentication policy; in other words, only browsers are authenticated. Note that the User-Agent header is set by the client, so this split is a compatibility measure, not a security boundary: any client that presents a browser-like User-Agent is challenged, and any client that omits or alters it is exempted.

define condition KnownBrowsersAuth
    ;;Chrome
    request.header.User-Agent="Gecko\) Chrome/\d+(\.\d+)+ Safari/\d+(\.\d+)+$"
    ;;Firefox
    request.header.User-Agent="^Mozilla/\d+\..*Firefox/\d+\.\w+\.*\d*\.*\d*( \(\s*.NET CLR.*\)|)$"
    ;;Internet Explorer
    ;;Simplified pattern (the full original is not reproduced here): matches "MSIE <n>.<n>; Windows"
    ;;case-sensitively; IE11 omits the MSIE token and is not matched by it
    request.header.User-Agent="(?-i)MSIE [1-9]0?\.\d+; Windows"
    ;;Microsoft Edge
    ;;"Edge?/" matches both legacy EdgeHTML ("Edge/") and Chromium-based Edge ("Edg/"); the latter
    ;;would otherwise be unknown, because the Chrome pattern above is anchored on "Safari/<ver>$"
    request.header.User-Agent="^Mozilla/\d+\.0 \(Windows (Phone|NT).*\) AppleWebKit.*Chrome.*Safari.*Edge?/\d+.*"
    ;;Netscape
    request.header.User-Agent="(^Mozilla/[234][^\(]*\([^c].*\)$)|(^Mozilla/5\.0[^\(]*\([^c].*Netscape[67]*/[6-9])|(^Mozilla/5\.0[^\(]*\([^c].*Navigator/9)"
    ;;Opera
    request.header.User-Agent="(^Opera[ /]\d+\..*)|(.*Opera[ /]\d+\.\d+( \[\w\w\])?$)"
    ;;Safari
    request.header.User-Agent="^Mozilla/[45]\.0 \((Windows|Macintosh|X11).*Version/\d+(\.\d+)* Safari/\d+(\.\d+)+$"
end condition KnownBrowsersAuth
 
<proxy>
;;If the User-Agent is not a known browser, do not authenticate the request.
;;authenticate(no) is the property that exempts it, so these clients never receive the 407 challenge.
;;Requests that do match KnownBrowsersAuth are unaffected by this rule and remain subject to the
;;IWA Direct authenticate() rule of the existing policy.
condition=!KnownBrowsersAuth authenticate(no)
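As an added example (not code from this article or from Broadcom), the following Python script evaluates the KnownBrowsersAuth patterns against constructed User-Agent strings, so the regexes and the resulting authenticate/bypass split can be checked before the CPL is installed. It assumes that CPL header tests behave like case-insensitive regex searches (the SGOS engine may differ in corner cases), uses a simplified Internet Explorer pattern in place of the article's truncated one, and widens the Edge pattern to `Edge?/` so that Chromium-based Edge (`Edg/`) is recognised; the sample requests are constructed, not captured from a proxy.

```python
"""Offline evaluation of the KnownBrowsersAuth User-Agent patterns.

Added example, not the article's or Broadcom's code. Assumptions: CPL header
tests are modelled as case-insensitive regex searches; the Internet Explorer
pattern is a simplified stand-in for the article's truncated one; the Edge
pattern is widened from "Edge/" to "Edge?/" so Chromium Edge ("Edg/") matches.
"""
import re
from typing import Dict, List, Optional, Tuple

KNOWN_BROWSER_PATTERNS: Dict[str, str] = {
    "Chrome": r"Gecko\) Chrome/\d+(\.\d+)+ Safari/\d+(\.\d+)+$",
    "Firefox": r"^Mozilla/\d+\..*Firefox/\d+\.\w+\.*\d*\.*\d*( \(\s*.NET CLR.*\)|)$",
    # Simplified stand-in (assumption); case-sensitive like the article's (?-i).
    # IE11 drops the MSIE token and is therefore not matched by this pattern.
    "Internet Explorer": r"(?-i:MSIE [1-9]0?\.\d+; Windows)",
    # "Edge?/" covers legacy EdgeHTML ("Edge/") and Chromium Edge ("Edg/").
    "Microsoft Edge": r"^Mozilla/\d+\.0 \(Windows (Phone|NT).*\) AppleWebKit.*Chrome.*Safari.*Edge?/\d+.*",
    "Netscape": (r"(^Mozilla/[234][^\(]*\([^c].*\)$)|(^Mozilla/5\.0[^\(]*\([^c].*Netscape[67]*/[6-9])"
                 r"|(^Mozilla/5\.0[^\(]*\([^c].*Navigator/9)"),
    "Opera": r"(^Opera[ /]\d+\..*)|(.*Opera[ /]\d+\.\d+( \[\w\w\])?$)",
    "Safari": r"^Mozilla/[45]\.0 \((Windows|Macintosh|X11).*Version/\d+(\.\d+)* Safari/\d+(\.\d+)+$",
}

_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in KNOWN_BROWSER_PATTERNS.items()}


def match_known_browser(user_agent: Optional[str]) -> Optional[str]:
    """Return the first browser family whose pattern matches, else None.

    A missing header (None) is unknown, which is also what the CPL does:
    condition=!KnownBrowsersAuth is true when there is no User-Agent at all.
    """
    if not user_agent:
        return None
    for name, rx in _COMPILED.items():
        if rx.search(user_agent):
            return name
    return None


def user_agent_of(headers: Dict[str, str]) -> Optional[str]:
    """Case-insensitive header lookup, since clients vary the header-name casing."""
    return next((v for k, v in headers.items() if k.lower() == "user-agent"), None)


def policy_action(headers: Dict[str, str]) -> str:
    """Mirror the <proxy> rule: unknown User-Agent -> authenticate(no); a known
    browser stays subject to the realm's authenticate() rule ("authenticate")."""
    return "authenticate" if match_known_browser(user_agent_of(headers)) else "authenticate(no)"


# Constructed sample requests (method, headers); not captured from a live proxy.
_CHROMIUM_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("CONNECT", {"Host": "example.com:443", "User-Agent": _CHROMIUM_UA + "Chrome/120.0.0.0 Safari/537.36"}),
    ("GET", {"Host": "example.com", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
                                                  "Gecko/20100101 Firefox/115.0"}),
    ("CONNECT", {"Host": "example.com:443", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                                                          "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"}),
    ("CONNECT", {"Host": "example.com:443", "User-Agent": _CHROMIUM_UA + "Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763"}),
    ("CONNECT", {"Host": "example.com:443", "User-Agent": _CHROMIUM_UA + "Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"}),
    ("GET", {"Host": "example.com", "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"}),
    ("CONNECT", {"host": "example.com:443", "user-agent": "curl/8.4.0"}),
    ("GET", {"Host": "example.com", "User-Agent": "Microsoft-CryptoAPI/10.0"}),
    ("CONNECT", {"Host": "example.com:443"}),  # no User-Agent header at all
    ("CONNECT", {"Host": "example.com:443", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                                                          "(KHTML, like Gecko) HeadlessChrome/120.0.0.0 Safari/537.36"}),
]


def evaluate_samples() -> List[Tuple[str, Optional[str], str]]:
    """Return (method, matched browser or None, policy action) per sample request."""
    return [(method, match_known_browser(user_agent_of(h)), policy_action(h)) for method, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, browser, action in evaluate_samples():
        print(f"{method:8} {browser or '-':18} {action}")
```

Run with `python3` to print the decision for each sample. Two results are worth noting when reviewing the output: a request with no User-Agent header, or from an automation client such as HeadlessChrome, is exempted, and conversely any client that sets a browser-like User-Agent is challenged. The header is under the client's control, so the split is a compatibility measure rather than an access control.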