Chapter 4: Property Reference

authenticate.mode()

The authenticate.mode() property selects a combination of challenge type and surrogate credentials.

Challenge type is what kind of challenge (proxy, origin or origin-redirect) is issued.

Surrogate credentials are credentials accepted in place of the user’s real credentials. They are used for a variety of reasons. Blue Coat supports three kinds of surrogate credentials.

IP surrogate credentials authenticate the user based on the IP address of the client. Once any client has been successfully authenticated, all future requests from that IP address are assumed to be from the same user.

Cookie surrogate credentials use a cookie constructed by the ProxySG as a surrogate. The cookie contains information about the user, so multiple users from the same IP address can be distinguished. The cookie contains a temporary password to authenticate the cookie; this password expires when the credential cache entry expires.

Connection surrogate credentials use the TCP/IP connection to authenticate the user. Once authentication is successful, the connection is marked authenticated and all future requests on that connection are considered to be from the same user.

In SGOS 3.1.x, the connection’s authentication information includes the realm in which it was authenticated. The surrogate credentials are accepted only if the current transaction’s realm matches the realm in which the session was authenticated.

Syntax

authenticate.mode(mode_type)

where mode_type is one of the following; the implied challenge type and surrogate credential are shown in parentheses after each mode:

auto—Allows the ProxySG to make a best effort to determine a suitable authentication mechanism for the transaction. For streaming transactions, authenticate.mode(auto) uses origin mode.

legacy—The default for systems upgraded from SGOS 2.x.

proxy (proxy/connection)—Specifies a normal forward proxy. In some situations proxy challenges will not work; origin challenges are then issued.

proxy-ip (proxy/IP)—Specifies an insecure forward proxy, possibly suitable for LANs of single-user workstations. Mode switching occurs as for proxy.

origin (origin/connection)—Acts as a normal Web server. In this case, no forwarding of credentials is needed.

origin-ip (origin/IP)—Used to support NTLM authentication to the upstream device when the client cannot handle cookie credentials. This mode is primarily used for automatic downgrading, but it can be selected for specific situations.

This mode is insecure: after a user has authenticated from an IP address, all further requests from that IP address are treated as from that user. If the client is behind a NAT, or on a multi-user system, this can present a serious security problem.
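As an added illustration (not Blue Coat code), the following Python model of the surrogate-credential cache shows why IP surrogates misattribute requests behind a NAT, why cookie and connection surrogates do not, and how a connection surrogate in SGOS 3.1.x is rejected when the realm differs. The class names, addresses, user names and cookie format are all constructed for the example.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

@dataclass(frozen=True)
class Request:
    client_ip: str                 # address the ProxySG sees (the NAT address, if any)
    conn_id: int                   # identifies the TCP connection
    realm: str                     # realm of the current transaction
    cookie: Optional[str] = None   # surrogate cookie presented by the client, if any

@dataclass
class SurrogateCache:
    """Maps a surrogate key to the user it stands for; the key depends on the surrogate kind."""
    surrogate: str                 # "IP", "cookie" or "connection", as in the mode list above
    entries: dict = field(default_factory=dict)

    def _key(self, req: Request):
        if self.surrogate == "IP":
            return ("ip", req.client_ip)
        if self.surrogate == "cookie":
            return ("cookie", req.cookie) if req.cookie else None
        # connection surrogates also record the realm (SGOS 3.1.x behaviour)
        return ("conn", req.conn_id, req.realm)

    def record_auth(self, req: Request, user: str) -> Optional[str]:
        """Store a surrogate after real credentials verified; returns the cookie to set, if any."""
        cookie = None
        if self.surrogate == "cookie":
            cookie = f"sg-{len(self.entries) + 1}"   # stands in for the temporary password
            req = replace(req, cookie=cookie)
        self.entries[self._key(req)] = user
        return cookie

    def lookup(self, req: Request) -> Optional[str]:
        """Return the user the surrogate is taken to be, or None meaning 'issue a challenge'."""
        key = self._key(req)
        return None if key is None else self.entries.get(key)

def nat_scenario(surrogate: str) -> Optional[str]:
    """Alice authenticates behind NAT; Bob then sends a request from the same address
    on a new connection with no cookie. Returns who Bob is taken to be (constructed values)."""
    cache = SurrogateCache(surrogate)
    cache.record_auth(Request("203.0.113.7", conn_id=1, realm="corp"), "alice")
    return cache.lookup(Request("203.0.113.7", conn_id=2, realm="corp"))

def realm_scenario() -> Optional[str]:
    """Connection surrogate: a later transaction on Alice's connection but in another realm."""
    cache = SurrogateCache("connection")
    cache.record_auth(Request("203.0.113.7", conn_id=1, realm="corp"), "alice")
    return cache.lookup(Request("203.0.113.7", conn_id=1, realm="partner"))
```

With the IP surrogate, nat_scenario returns "alice" for Bob's request, which is the misattribution described above; with cookie or connection surrogates it returns None and Bob is challenged.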

Page 163
Blue Coat Systems Proxy SG manual Authenticate.mode