What should the Virtual URL be in transparent authentication on the ProxySG?

Solutions ID:    KB3448
Version:    3.0
Status:    Published
Published date:    09/24/2009
Updated:    09/08/2011
 

Problem Description

What should the Virtual URL be in transparent authentication on the ProxySG?
The default virtual URL is www.cfauth.com/ .
Can I change the default URL?
If I can change the default URL, what should the URL be?
My authentication mode is origin-redirect or one of the origin-*-redirect modes.

Resolution

If you are trying to implement silent authentication (no pop-up box) in a transparent proxy deployment with an origin-*-redirect authentication mode, you will need to change the Virtual URL from www.cfauth.com/ to a hostname that is internally resolvable, such as http://proxysg .

NOTE:  By browser design, if there is a period in the host name (something.something), the browser may decide that the proxy is in the Internet zone instead of the intranet zone, and it will not pass credentials to the proxy.  A single host name with no dots is therefore required.

A DNS entry or workstation hosts file needs to be configured so that whatever name you place in the virtual URL resolves to the IP address of the ProxySG in your environment.

Here are the steps to make the changes on your ProxySG:

  1. Log in to the Management Console ( https://<ip.address.of.proxysg>:8082/ ).  Go to the Configuration tab > Authentication > {Select your authentication type, such as IWA, Windows SSO, and so forth}.
  2. Click on the last tab, which will be <authentication type> General.  Some examples are "IWA General", or "Windows SSO General".
  3. There is a "Virtual URL" setting on the General tab.  By default, the virtual URL is set to www.cfauth.com/ .  Change this to http://<some-host-name-resolvable-on-your-network> .  Some examples are http://proxysg or http://myproxy or http://bluecoat and so forth.  NOTE:  Whatever name you select here must be resolvable to the IP address of the ProxySG.  If not, this new virtual URL name will not work.
  4. Click on Apply to save your changes.
  5. Test and make sure it all works as expected.

 

NOTE:  The ProxySG must have the explicit proxy service enabled on port 80 for this to work properly.

TROUBLESHOOTING:

  1. Make sure you can ping the hostname, whatever you choose, from the command line.
  2. Make sure there are no dots (.) in the virtual URL name.
  3. Make sure the ProxySG has the explicit proxy service enabled on port 80.
  4. Take a packet capture (pcap) and make sure the ProxySG is redirecting to the virtual URL and that the virtual URL is being resolved to the IP address of the ProxySG.
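
Troubleshooting steps 1 and 2 can be scripted from a workstation before the change is applied. The following is an added example, not Blue Coat code: the function name check_virtual_url, the injectable resolver parameter and the sample address 192.0.2.10 are assumptions made for illustration.

```python
import socket
from urllib.parse import urlsplit


def check_virtual_url(virtual_url, proxysg_ip, resolver=socket.gethostbyname_ex):
    """Return a list of problems with a candidate Virtual URL (empty = OK).

    proxysg_ip is the address of your ProxySG. resolver defaults to the
    workstation's own name resolution (DNS and hosts file); it is
    injectable so the checks can also be run offline.
    """
    # Accept both "http://proxysg" and the scheme-less "www.cfauth.com/".
    url = virtual_url if "//" in virtual_url else "//" + virtual_url
    host = urlsplit(url).hostname
    if not host:
        return ["no host name found in %r" % virtual_url]

    problems = []
    # Step 2: a dot can put the name in the browser's Internet zone,
    # and the browser will then not pass credentials to the proxy.
    if "." in host:
        problems.append("host name %r contains a dot" % host)

    # Step 1: the name must resolve, and to the ProxySG itself.
    try:
        _name, _aliases, addresses = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        problems.append("host name %r does not resolve: %s" % (host, exc))
    else:
        if proxysg_ip not in addresses:
            problems.append("%r resolves to %s, not to the ProxySG at %s"
                            % (host, ", ".join(addresses), proxysg_ip))
    return problems


if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 stands in for your ProxySG address.
    for candidate in ("www.cfauth.com/", "http://proxysg"):
        found = check_virtual_url(candidate, "192.0.2.10")
        print(candidate, "->", found or "OK")
```

Run it on a client workstation rather than on a server, so that the result reflects the DNS settings and hosts file the browser will actually use.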
