Set up IWA authentication using BCAAA for Edge SWG (Formerly ProxySG)
search cancel

Set up IWA authentication using BCAAA for Edge SWG (Formerly ProxySG)

book

Article ID: 166892

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

This article describes how to set up IWA authentication on Symantec Edge SWG (Formerly ProxySG) utilizing Blue Coat Authentication and Authorization Agent (BCAAA).

To set up IWA direct see Implement Integrated Windows Authentication (IWA) Direct authentication for ProxySG or Advanced Secure Gateway

Resolution

Prerequisites

  1. Make sure the version of the Blue Coat Authentication and Authorization Agent (BCAAA) is the correct version for your version of SGOS.  
  2. BCAAA must be installed on a Windows domain controller or a member server that is a part of a domain, or a workstation that is a part of a domain.  If BCAAA is not installed on a domain controller, the member server or workstation must be able to find resources, such as domain controllers, on the network.  BCAAA will not work properly for IWA authentication if it is not installed in a domain environment.  Please see the BCAAA release notes for full details.
  3. Transparent vs. Explicit proxy deployment:  Make sure you know how the proxy will be deployed.  The deployment is important to know so that when you are selecting authentication modes you select the proper one.


The installation will consist of three main parts.  They are as follows:

  1. Installing the BCAAA agent onto the Windows server.
  2. Configuring an IWA authentication realm.
  3. Setting up a policy to take advantage of authentication.


Step 1: Install BCAAA on a Windows server

  1. Check the BCAAA agent and make sure it is the correct version of BCAAA.  See https://support.broadcom.com to verify the correct BCAAA version for your version of SGOS. Remember that if you update SGOS on your ProxySG, you need to also update BCAAA.
  2. Install BCAAA onto a domain controller (PDC or BDC) or member server.
  3. When installing BCAAA, it will ask for a port number.  Port 16101 is the default port.  Make sure firewalls, intrusion detection devices (IDS), and other similar security devices allow this traffic to pass freely on the network.  If a port other than 16101 is used, make sure that other port number is not being used by a different application on the network.  Additionally, that other port needs to be allowed to pass any firewalls, IDS's and the like. 
  4. Set the number of listening threads for a connection.  99 is the maximum number of threads that can be allocated to listen to the port.  The default and recommended number is two.
  5. Certificate information/SSL.  To help simplify the installation, install without certificates or SSL.  That way if there are problems, you are not trying to troubleshoot if this is an SSL/certificate issue, or is this a BCAAA issue.  Later on if you decide to enable SSL communications between the ProxySG and BCAAA and there are problems, then you can work on fixing the SSL/certificate issues.
  6. Accept the configuration and complete the install.


Troubleshooting steps:

  • Make sure the BCAAA version is correct for the version of SGOS you are running.
  • Make sure the BCAAA service is running. 
  • Check if a firewall is running.  If so, disable the firewall, or allow traffic to and from TCP port 16101.
  • Check port configuration
  • Check certificates

Step 2: Proxy configuration steps

  1. Go to the Management Console (https://ProxySG-IP:8082/) on the Edge SWG (Formerly ProxySG).  Select the Configuration tab > Authentication > IWA.  Make sure you are on the "IWA Realms" tab.  Click on the "New" button to add an IWA realm.
  2. Create the new IWA realm with the following parameters:
    1. Realm name:  Some_name_significant_for_your_organization
    2. Primary server host:  This is the IP address or hostname of the server running the BCAAA agent.  The Edge SWG (Formerly ProxySG) must be able to resolve the hostname, if used.
    3. Port:  16101  (Port 16101 is the default port.  This port number needs to be the same that was configured in Step 1.3 When installing BCAAA, it will ask for a port number above.  Make sure all firewalls and so forth allow this traffic through from the ProxySG to the BCAAA agent server(s).)
    4. Click on the OK button to save your changes.  Next, click on the "Apply" button.
  3. Select the IWA Servers tab.  Look and make sure everything is correct.  If you wish to add an additional IWA server, you can add it here.  Make sure to click on the "Apply" button so the changes are committed to the Edge SWG (Formerly ProxySG).  NOTE:  For simplicity sake, avoid using SSL between the Edge SWG (Formerly ProxySG) and the BCAAA server.  Once IWA is working correctly, then you can come back and enable the SSL option if you desire.
  4. Select the IWA General tab.  Verify that the settings are correct.

Step 3: Policy configuration steps

In order for authentication to be enforced, policy needs to be created that makes the end users authenticate.  The following steps put the policy in place which will cause the ProxySG to authenticate connections going through it.  VERY IMPORTANT NOTE:  Not all applications (custom applications, music download clients, and so forth) know how to handle authentication requests made by the proxy.  Some devices and operating systems may also fall into that category.  Workstations that are not a part of the Windows domain may prompt the user for authentication.  (This may happen when non-domain workstations are connected to your network and they try to get out to the Internet.)  When these cases arise, it may be necessary to either bypass authentication for those applications, operating systems, and devices, or use some sort of substitute authentication policy.  See Enhanced Authentication Use Cases.  You may need a support.symantec.com username and password in order to obtain the above mentioned Tech Brief.

  1. Launch the Management Console by going to https://ProxySG-IP:8082/  and login.
  2. Click on the Configuration tab > Policy > Visual Policy Manager > Launch .
  3. Click on Policy > Add Web Authentication Layer... > (Give the layer a meaningful name) and click the OK button.
  4. In the "Action" column, right click and select Set > New > Authenticate.
    1. Name:  Give it a meaningful name.
    2. Realm:  Use the IWA realm name that was created earlier.
    3. For "Mode", you can select "Auto".  See Selecting the right Authentication mode for your Edge SWG (Formerly ProxySG)deployment for additional details.
    4. Click on the OK button twice.
    5. NOTE:  If your Proxy is already in production and you are adding IWA authentication, you may want to test the new authentication policy by defining the "Source" column with the IP address of a test workstation or a test subnet.  That way if there are authentication problems, they are only limited to your test workstations and not your entire network.  Once you have tested authentication and you feel confident, then you can remove that restriction.  As previously mentioned, there may be some applications that are not authentication friendly.  You can create a policy that allows those applications to not authenticate, while all the other requests are allowed to authenticate.  See Bypassing Edge SWG (Formerly ProxySG)authentication for some examples.
  5. With the web authentication layer installed, you will need to create a rule that allows authenticated users out.  So create a new rule in your web access layer.
  6. Right click in the Source column and select Set.  Then select Authenticated User in the list and then click on the OK button.  NOTE:  If you are testing a particular IP address, you may need to create a combined source object where it will match with an authenticated user AND IP address.
  7. NOTE:  If your default policy is allow, you will want to block all your objectionable material before the rule that allows authenticated users out to the Internet.  You will also need to put any rules in place for applications, workstations, that can be allowed out without authentication before the authentication rule.
  8. Optional browse test:  If you want to test your connection to the BCAAA server, in the web access layer in the source column, right click and select Set > New > and select either User or Group.  For the "Authentication Realm", select your IWA realm.  Then click on the "Browse" button.  If everything is functioning as expected, then you should see your Active Directory tree.  If everything works as expected, just cancel out all the changes made.  If you were unable to browse the directory tree, then you need to troubleshoot why that does not function.
  9. Once everything looks good, click on the "Install Policy" button.
  10. Test.  Make sure you applications and web browsers work as expected.


NOTES:

  • If the workstation and user are in the same domain as the BCAAA agent, the user should not be prompted for authentication.  There are some exceptions, but generally, this is the rule.
  • If the workstation and the user are in a different domain than the BCAAA agent, then the user will get prompted for a username and password each time the web browser is opened.
  • For assistance setting up IWA authentication in a transparent deployment while intercepting SSL, see SSL Transparent Proxy Authentication using IWA.