
Allow Webex over browser for specific users authenticated using SAML through web isolation


Article ID: 256684


Products

Web Isolation, Web Isolation Cloud

Issue/Introduction

How can Webex in the browser be allowed through Web Isolation only for specific users authenticated using SAML?

For example:

Only userA, authenticated via SAML, should be able to access Webex in the browser through Web Isolation.

For all other users, Webex in the browser through Web Isolation should be blocked.

Environment

[Client]-----------[Web isolation proxy/TIE]------------[Internet]

The default rule for browsing has the action Isolate.

The default rule for Applications has the action Pass.

SAML authentication (Server Authentication) is set up on the Web Isolation proxy.

Resolution

  • On Web Isolation, authentication is skipped for the POST, PUT and OTHER methods.
  • To check this, log in to the Web Isolation management console, navigate to Policy and review the Authentication setting.

 

  • When you type webex.com in the browser, the client sends the initial HTTP request using the GET method.
  • Thereafter, for subsequent functions such as signing in, scheduling or joining a meeting, the client browser sends HTTP requests using the POST and OPTIONS methods, and SAML authentication is skipped for these.
  • Here is an excerpt from the browser developer tools for Webex functions in the browser

  • Furthermore, SAML authentication (Server based authentication) does not work well for HTTP requests using POST/OPTIONS/Other methods, and there could be connectivity issues. So it is not recommended to disable this under ‘Skip authentication settings’. For more details on authentication methods, refer here
  • Hence, to implement access control for Webex in the browser through Web Isolation, create the following rules:

1.      Source: SAML Userids, Destination: webex.com, Action: Pass

2.      Source: All Authentication users, Destination: webex.com, Request Header: OPTIONS/POST, Action: Pass

3.      Source: All Authentication users, Destination: webex.com, Action: Block
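The following Python model is an added example, not vendor code or product configuration. It walks requests through the three rules to show which rule decides each case and why rule 2 must sit above rule 3. It assumes top-down, first-match evaluation, that requests with skipped authentication reach the policy without a user identity, and that "All Authentication users" matches any client; the user names and hosts are constructed.

```python
# Model of the three-rule Webex policy (added example; assumptions labelled inline).
from dataclasses import dataclass

# Page: authentication is skipped for POST, PUT and OTHER methods (OPTIONS falls under OTHER).
AUTH_SKIPPED_METHODS = {"POST", "PUT", "OPTIONS"}
ALLOWED_SAML_USERS = {"userA"}  # constructed stand-in for the "SAML Userids" source

@dataclass
class Request:
    user: str    # person at the browser
    method: str  # HTTP method of the request
    host: str    # destination host

def is_webex(host):
    # Assumption: the webex.com destination also covers its subdomains.
    return host == "webex.com" or host.endswith(".webex.com")

def identity_seen_by_policy(req):
    # Assumption: when authentication is skipped, no SAML identity is attached.
    return None if req.method in AUTH_SKIPPED_METHODS else req.user

# (rule number, match predicate, action), in the order given in the article.
RULES = [
    ("1", lambda r, ident: is_webex(r.host) and ident in ALLOWED_SAML_USERS, "Pass"),
    ("2", lambda r, ident: is_webex(r.host) and r.method in {"OPTIONS", "POST"}, "Pass"),
    ("3", lambda r, ident: is_webex(r.host), "Block"),
]

def evaluate(req, rules=RULES):
    """Return (rule, action) for the first matching rule (assumed first-match)."""
    ident = identity_seen_by_policy(req)
    for name, match, action in rules:
        if match(req, ident):
            return name, action
    return "default", "Isolate"  # page: default browsing rule is Isolate

if __name__ == "__main__":
    for req in (Request("userA", "GET", "webex.com"),
                Request("userB", "GET", "webex.com"),
                Request("userA", "POST", "webex.com"),
                Request("userB", "POST", "webex.com")):
        print(req.user, req.method, "->", evaluate(req))
```

In this model the per-user decision is made on the authenticated GET request; POST and OPTIONS requests pass for every client under rule 2, and placing rule 3 above rule 2 would block userA's own POST requests because they carry no identity for rule 1 to match.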

 

Additional Information

Important Notes:

  • This solution is applicable only for controlling access to Webex in the browser.
  • Webex application traffic should not be controlled on Web Isolation, as the application would not be able to handle SAML redirects.
  • The action for Webex should be set to Pass, as Webex would not be able to handle the 403 block page, read the JS file sent by the Web Isolation proxy, and establish a WebSocket connection to the TIE to fetch resources. Moreover, the Webex audio/video rendering/isolation would fail.
