Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2617
Views
0
Helpful
4
Replies

How to pass HTTP/407 through a transparent WSA

e.gruenter
Level 1
Level 1

‎11-21-2013 01:53 AM

Hi all,

I have two S370 running in transparent mode and all the clients accessing port 80/TCP have to pass the proxy. Unfortunately we have a user who accesses remote libraries. Therefore he has to authenticate explicitly with a remote squid proxy which is listening on port 80/TCP.

The client sets some-proxy.example.com port 80/TCP as his explicit proxy. WCCP between my router and the WSAs redirects traffic to the WSAs. However, as the user types www.goggle.com in his browser the remote proxy answer "Authentication Failed". A wireshark capture shows that WSA blocks HTTP status 407 (Proxy Authentication required).

How can I configure WSA to pass the authentication request to the client?

PS: It is not an option to change the bypass settings.

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Vance Kwan
Cisco Employee
Cisco Employee

‎11-21-2013 02:01 AM

A browser will never respond to an HTTP 407 response when there is no proxy setting configured.  I'm not too familiar with squid, but on the WSA, there is an option to force it to use 401 instead of 407 for explicit requests.  Maybe they have that option as well?  The WSA should pass along what the upstread (the Squid proxy) has sent it.

0 Helpful

e.gruenter
Level 1
Level 1
In response to Vance Kwan

‎11-21-2013 02:10 AM

Vance,

thanks for your answer. But I feel that you didn't get the point. The local WSA does not authenticate the user because we do not want the users to authentication due to data privacy law. But the remote proxy needs an authentication to verify that access to certain documents (magazines, papers, etc.) is allowed. The remote proxy answer the client request with HTTP status 407. But the client never gets an authentication prompt because WSA does not pass it to the client.

But this is what should be done.

0 Helpful

Vance Kwan
Cisco Employee
Cisco Employee
In response to e.gruenter

‎11-21-2013 02:17 AM

The WSA should pass the 407 to the client.  Have you done a packet capture to confirm?

Nonetheless, the client will never respond to the 407 even if it receives it because it does not know of any upstream proxies.

0 Helpful

e.gruenter
Level 1
Level 1
In response to Vance Kwan

‎11-21-2013 04:53 AM

I did a capture and I found the HTTP status 407 but the client did not get an authentication prompt.

However, you didn't read carefully because the client knows about the remote proxy. The user configured the remote proxy on his host and connects to the proxy. The local WSA is a transparent proxy and the client does not know about that one. But the remote proxy is an explicit one.

Thanks,

Egon

0 Helpful
Customers Also Viewed These Support Documents