05-07-2014 08:43 PM
Hello people and experts,
I need your consultation regarding IronPort and CDA deployment.
I couldn't find any information on the internet...
So my question is: if IronPort is an AD domain member and an explicit forward proxy is planned, do I need to deploy CDA? What will happen if I don't want to deploy CDA in my environment?
As I understood, CDA is useful when IronPort works as a transparent proxy or if IronPort is not a member of the same domain as the users.
Please advise.
05-16-2014 09:22 AM
The most useful part of CDA for us is that authentication happens before the user hits the WSA with a browser. If you have apps that don't deal with authentication well, or at all, the CDA will catch the auth from the AD boxes, and pass it to the WSA at login time.
06-06-2014 01:30 AM
The CDA eliminates the need for NTLM authentication. Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X. When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on this particular IP address. Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.
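The lookup described in the reply above, sketched as an added example that is not part of the thread and is not Cisco's code: a table built from successful-logon events and queried by client IP. The class and field names, the expiry period and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: mappings expire after a fixed period; the value is illustrative.
MAPPING_TTL_SECONDS = 8 * 3600


@dataclass
class LogonEvent:
    timestamp: int  # seconds, constructed clock
    user: str
    ip: str


class IpUserMap:
    """Passive IP-to-user table fed by successful-logon audit events."""

    def __init__(self, ttl: int = MAPPING_TTL_SECONDS):
        self.ttl = ttl
        self._table = {}  # ip -> (user, timestamp of logon)

    def ingest(self, event: LogonEvent) -> None:
        current = self._table.get(event.ip)
        # Keep only the newest logon per IP; late, older events are ignored.
        if current is None or event.timestamp >= current[1]:
            self._table[event.ip] = (event.user, event.timestamp)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        entry = self._table.get(ip)
        if entry is None:
            return None  # no logon seen for this IP
        user, seen = entry
        if now - seen > self.ttl:
            del self._table[ip]  # stale mapping, do not trust it
            return None
        return user


# Constructed sample events (not taken from any real log).
SAMPLE_EVENTS = [
    LogonEvent(1000, "alice", "10.0.0.21"),
    LogonEvent(1200, "bob", "10.0.0.22"),
    LogonEvent(5000, "carol", "10.0.0.21"),  # later logon on the same IP
    LogonEvent(900, "dave", "10.0.0.22"),    # older event arriving late
]


def build_sample_map() -> IpUserMap:
    table = IpUserMap()
    for event in SAMPLE_EVENTS:
        table.ingest(event)
    return table
```

In this sketch an IP address resolves to a single user, so on 10.0.0.21 the later logon by carol replaces alice; a host shared by several users would be attributed to whoever logged on last.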