Showing results for 
Search instead for 
Did you mean: 

How to pass HTTP/407 through a transparent WSA

Level 1
Level 1

Hi all,

I have two S370 running in transparent mode and all the clients accessing port 80/TCP have to pass the proxy. Unfortunately we have a user who accesses remote libraries. Therefore he has to authenticate explicitly with a remote squid proxy which is listening on port 80/TCP.

The client sets port 80/TCP as his explicit proxy. WCCP between my router and the WSAs redirects traffic to the WSAs. However, as the user types in his browser the remote proxy answer "Authentication Failed". A wireshark capture shows that WSA blocks HTTP status 407 (Proxy Authentication required).

How can I configure WSA to pass the authentication request to the client?

PS: It is not an option to change the bypass settings.

4 Replies 4

Vance Kwan
Cisco Employee
Cisco Employee

A browser will never respond to an HTTP 407 response when there is no proxy setting configured.  I'm not too familiar with squid, but on the WSA, there is an option to force it to use 401 instead of 407 for explicit requests.  Maybe they have that option as well?  The WSA should pass along what the upstread (the Squid proxy) has sent it.


thanks for your answer. But I feel that you didn't get the point. The local WSA does not authenticate the user because we do not want the users to authentication due to data privacy law. But the remote proxy needs an authentication to verify that access to certain documents (magazines, papers, etc.) is allowed. The remote proxy answer the client request with HTTP status 407. But the client never gets an authentication prompt because WSA does not pass it to the client.

But this is what should be done.

The WSA should pass the 407 to the client.  Have you done a packet capture to confirm?

Nonetheless, the client will never respond to the 407 even if it receives it because it does not know of any upstream proxies.

I did a capture and I found the HTTP status 407 but the client did not get an authentication prompt.

However, you didn't read carefully because the client knows about the remote proxy. The user configured the remote proxy on his host and connects to the proxy. The local WSA is a transparent proxy and the client does not know about that one. But the remote proxy is an explicit one.