For security reasons, the ProxySG appliance will strip authorization credentials provided by the client that are intended for the OCS. This is done by default when the connection is secured via SSL, the proxy is intercepting SSL, and proxy authorization is required. In this case, the proxy will remove the authorization header to avoid leaking credentials that may have been intended for another authentication realm or a downstream proxy.
To configure the proxy to always send the
Proxy-Authorization headers upstream to the OCS, use the following command (available in 18.104.22.168 and later):
ProxySG#(config)security force-credential-forwarding enable ok
This setting can be used in both explicit and transparent modes.
Note: Use this feature with caution. It is a global setting that causes the proxy to send all authorization headers upstream; unless there is a device upstream to strip these headers before the request leaves the network, user credential information will be sent to the internet for internet bound requests.
To forward the headers to specific servers only, Symantec recommends using the
authenticate.forward_credentials() CPL property (available in 22.214.171.124 and later). Refer to the Content Policy Language Reference for details.