An application is not working with authentication on ProxySG or ASG
search cancel

An application is not working with authentication on ProxySG or ASG

book

Article ID: 165976

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

A certain application is not working with authentication on ProxySG or Advanced Secure Gateway (ASG), or:

  • How to bypass authentication by user agent on ProxySG.
  • How to get an application to bypass authentication without removing authentication for all applications.

Resolution

Many web applications have a user agent. For example, Internet Explorer may have a user agent of:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; )

ProxySG and Advanced Secure Gateway (ASG) contain a list of pre-defined user agents. However, user agents that are not in that list can also be matched.

For help finding user agents, search online for a particular application. A packet capture can also be taken to look at the HTTP requests to find the user agent. Additional resources about user agents include:

Bypassing authentication when the user-agent is predefined

  1. Log in to the ProxySG Management Console (https://:8082/).
  2. Click the Configuration tab, and navigate to Policy > Visual Policy Manager > Launch.
  3. In a Web Authentication Layer, add a new rule above the authentication rule that is prompting for user authentication.
  4. Right-click the Source column, and select Set > New > User Agent.
    A list of pre-defined user agents appears.
  5. Check each desired User Agent.
  6. Give the User Agent list a meaningful name, such as "BypassAuthUserAgent".
  7. Click OK, and click OK again.
    "BypassAuthUserAgent" appears in the Source field.
  8. Right-click the Action column, and select Set > Do Not Authenticate.
  9. Click OK.

    Note:  Depending on the version of SGOS, "Do Not Authenticate (Forward Credentials) may be seen.  Depending on how ProxySG or ASG behavior, "Do Not Authenticate (Forward Credentials) instead of the plain "Do Not Authenticate" may need to be used.
     
  10. In the Visual Policy Manager, click on Web Access Layer.
  11. Add a rule and place it below any Deny rules (rules that block objectionable material) but above the rule that has "Authenticated User" as the Source and "Allow" as the Action.

    Note: The rule may need to be placed elsewhere in the list of rules. Just remember that some applications allow spoofing the user agent. A best practice is to place the unauthenticated or Allow rule below the Deny rules, so that a user doesn't get a free pass to objectionable content.
     
  12. Select the same Source created in the earlier step; in this example, it's "BypassAuthUserAgent".
  13. In the Action column, select Allow.
  14. Click Install Policy.
  15. Test the new rules to ensure that they work.

How this works

The rule in the Web Authentication Layer says, "Specified user agent(s) will not be authenticated."  The rule in the Web Access Layer allows that unauthenticated user access to the web.

WARNING: Always use caution on rule placement!

Bypass authentication when the user-agent is not unique to the application

  1. Log in to the ProxySG Management Console (https://<ip.address.of.proxysg>:8082/).
  2. Click the Configuration tab, and navigate to Policy > Visual Policy Manager > Launch.
  3. In the Web Authentication Layer, add a new rule above the authentication rule that is prompting for user authentication.
  4. Right-click the Source column, and select Set > New > Request Header.
    The Add Request Header Object box appears.
  5. Give the object a meaningful name, such as "BypassAuthUserAgent".
    • For "Header Name:," select "User-Agent".
    • For "Header Regex:," place the correct user agent information here. For example, to bypass authentication for Internet Explorer 8, use the following

      Mozilla/4.0 \(compatible; MSIE 8.0
       
  6. Right-click the Action column, and select Set > Do Not Authenticate.

    Note: Depending on the version of SGOS running, "Do Not Authenticate (Forward Credentials)" may be seen. Depending on ProxySG or ASG behavior, "Do Not Authenticate (Forward Credentials)" instead of the plain "Do Not Authenticate" may need to be used.
     
  7. Click OK.
  8. In the Visual Policy Manager, click on Web Access Layer.
  9. Add a rule and place it below any Deny rules (rules that block objectionable material) but above the rule that has "Authenticated User" as the Source and "Allow" as the Action.

    Note: The rule may need to be placed elsewhere in the list of rules. Just remember that some applications allow spoofing the user agent. A best practice is to place the unauthenticated or Allow rule below the Deny rules so that a user doesn't get a free pass to objectionable content.
     
  10. Select the same Source created in the earlier step; in this example, it's "BypassAuthUserAgent".
  11. In the Action column, select Allow.
  12. Click Install Policy.
  13. Test the new rules to ensure that they work.
Powered by Wolken Software