Chapter 4: Property Reference
authenticate.mode()
The authenticate.mode() property selects a combination of challenge type and surrogate
credentials.
Challenge type is what kind of challenge (proxy, origin or origin-redirect) is issued.
Surrogate credentials are credentials accepted in place of the user’s real credentials. They are used for a
variety of reasons. Blue Coat supports three kinds of surrogate credentials.
IP surrogate credentials authenticate the user based on the IP address of the client. Once any client
has been successfully authenticated, all future requests from that IP address are assumed to be
from the same user.
Cookie surrogate credentials use a cookie constructed by the ProxySG as a surrogate. The cookie
contains information about the user, so multiple users from the same IP address can be
distinguished. The cookie contains a temporary password to authenticate the cookie; this
password expires when the credential cache entry expires.
Connection surrogate credentials use the TCP/IP connection to authenticate the user. Once
authentication is successful, the connection is marked authenticated and all future requests on that
connection are considered to be from the same user.
In SGOS 3.1.x, the connection’s authentication information includes the realm in which it was
authenticated. The surrogate credentials are accepted only if the current transaction’s realm matches
the realm in which the session was authenticated.
Syntax
authenticate.mode(mode_type)
where mode_type is one of the following, shown followed by the implied challenge type and surrogate
credential:
auto—Allows the ProxySG to make a best effort to determine a suitable authentication
mechanism for the transaction. For streaming transactions, authenticate.mode(auto) uses
origin mode.
legacy—The default for systems upgraded from SGOS 2.x.
proxy (proxy/connection)—Specifies a normal forward proxy. In some situations proxy challenges
will not work; origin challenges are then issued.
proxy-ip (proxy/IP)—Specifies an insecure forward proxy, possibly suitable for LANs of
single-user workstations. Mode switching occurs as for proxy.
origin (origin/connection)—Acts as a normal Web server. In this case, no forwarding of
credentials is needed.
origin-ip (origin/IP)—Used to support NTLM authentication to the upstream device when the
client cannot handle cookie credentials. This mode is primarily used for automatic downgrading,
but it can be selected for specific situations.
This mode is insecure: after a user has authenticated from an IP address, all further requests from
that IP address are treated as from that user. If the client is behind a NAT, or on a multi-user
system, this can present a serious security problem.
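An added policy example, not from the Blue Coat reference, showing how the insecure IP-surrogate mode can be confined to a known subnet of single-user workstations while all other clients are challenged as a forward proxy and tracked by connection surrogates; the realm name CorpRealm and the 10.1.0.0/16 subnet are assumed values.

```cpl
; Added example, not from the Blue Coat reference.
; "CorpRealm" and 10.1.0.0/16 are assumed values for illustration.
<Proxy>
  ; Within a layer the first matching rule wins, so the narrow rule goes first.
  ; Single-user workstations on a dedicated subnet: an IP surrogate is acceptable.
  client.address=10.1.0.0/16 authenticate(CorpRealm) authenticate.mode(proxy-ip)
  ; Everyone else (clients behind NAT, terminal servers, shared hosts):
  ; proxy challenge with connection surrogates, so a second client at the
  ; same IP address cannot inherit an earlier user's authentication.
  authenticate(CorpRealm) authenticate.mode(proxy)
```

If the subnet ever gains NAT devices or multi-user systems, the first rule should be removed so those clients fall through to the connection-surrogate rule.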