Recommended IWA Direct authentication policy on an Explicit Forward ProxySG
search cancel

Recommended IWA Direct authentication policy on an Explicit Forward ProxySG


Article ID: 176296


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


When authentication policy is configured on an Explicit ProxySG, very frequently the source is left as "Any".  This however, is guaranteed to cause issues, as there are many instances where an application does not have the right access rights to be able to pull the Kerberos token or NTLM hash from the system to be able to forward it to the proxy.  When this happens, application frequently gets stuck in a loop, where it receives the 407 authentication prompt, connection is closed, application reattempts to access the URL, receives another 407 prompt, and the sequence continues.

In these cases Authentication must be bypassed for those applications.


Not every application has the ability / permissions to retrieve credentials from the system.


In Explicit deployments, since the CONNECT must be sent to the proxy before the SSL handshake is done with the destination, the proxy is always able to detect the User-Agent header (if such a header exists) within either the CONNECT or GET request.  As such it is possible to deduce the application.

The primary purpose of the Authentication feature on the ProxySG is to monitor which user connects to which website, and since in most circumstances none is going to compile their own custom browser, a known list of User-Agents can be used to create authentication policy; in other words only browsers should be authenticated.

define condition KnownBrowsersAuth
    request.header.User-Agent="Gecko\) Chrome/\d+(\.\d+)+ Safari/\d+(\.\d+)+$"
    request.header.User-Agent="^Mozilla/\d+\..*Firefox/\d+\.\w+\.*\d*\.*\d*( \(\s*.NET CLR.*\)|)$"
    ;;Internet Explorer
    request.header.User-Agent="((?-i)MSIE [1-9]0?.\d+; Windows [^PC].*(\w\w-\w\w|P|T|U|;\s*|\d\w|\d(?     ;;Microsoft Edge
    request.header.User-Agent="^Mozilla/\d+\.0 \(Windows (Phone|NT).*\) AppleWebKit.*Chrome.*Safari.*Edge/\d+.*"
    request.header.User-Agent="(^Opera[ /]\d+\..*)|(.*Opera[ /]\d+\.\d+( \[\w\w\])?$)"
    request.header.User-Agent="^Mozilla/[45]\.0 \((Windows|Macintosh|X11).*Version/\d+(\.\d+)* Safari/\d+(\.\d+)+$"
end condition KnownBrowsersAuth
;;If User-Agent is not a known browser, do not authenticate
condition=!KnownBrowsersAuth ssl.forward_proxy(no)