IronPort WSA S170 and Context directory agent

antonkim88
Level 1

Hello people and experts,

I need your consultation regarding IronPort and CDA deployment.

I couldn't find any information on the internet...

So my question is: if IronPort is an AD domain member and an explicit forward proxy is planned to be used, do I need CDA to be deployed? What will happen if I don't want to deploy CDA in my environment?

As I understood, CDA is useful when IronPort works as a transparent proxy or if IronPort is not a member of the same domain as the users.

Please advise.

Accepted Solutions

The most useful part of CDA for us is that authentication happens before the user hits the WSA with a browser.  If you have apps that don't deal with authentication well, or at all, the CDA will catch the auth from the AD boxes, and pass it to the WSA at login time.

Vance Kwan
Cisco Employee

The CDA eliminates the need for NTLM authentication.  Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X.  When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on this particular IP address.  Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.

 

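The flow Vance describes, as an added example that is not part of the original thread and not Cisco's CDA or WSA code: a toy Python model that ingests constructed domain-controller logon audit lines, keeps an IP-to-user table, answers the proxy's "who is at this IP address" query, and only then does the AD group lookup. The audit line layout, the 8-hour mapping lifetime, the group directory and the behaviour when no mapping exists are assumptions made for illustration.

```python
"""Toy model of the CDA identity flow (added example, not Cisco code).

The agent learns "user X signed on from IP Y" from domain controller
security audit events and answers "who is at IP Y?" queries from the
proxy, which then looks up the user's groups in AD.  The event format,
the mapping lifetime and the group directory are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re
from typing import Dict, List, Optional, Union

# Constructed audit lines in an invented layout.  Event ID 4624 is the
# Windows "successful logon" security event and 4625 a failed logon.
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:01:12Z EventID=4624 User=CORP\\alice SrcIP=10.1.2.3
2024-03-04T08:02:40Z EventID=4624 User=CORP\\bob SrcIP=10.1.2.4
2024-03-04T08:03:05Z EventID=4625 User=CORP\\mallory SrcIP=10.1.2.9
2024-03-04T12:15:00Z EventID=4624 User=CORP\\carol SrcIP=10.1.2.3
"""

# Constructed stand-in for the AD group query the proxy performs afterwards.
AD_GROUPS: Dict[str, List[str]] = {
    "CORP\\alice": ["Domain Users", "Finance"],
    "CORP\\bob": ["Domain Users"],
    "CORP\\carol": ["Domain Users", "Engineering"],
}

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_ts(value: Union[str, datetime]) -> datetime:
    """Accept either a datetime or an ISO-8601 'Z' timestamp string."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Mapping:
    user: str
    seen: datetime


class ContextAgent:
    """Holds the IP -> user table the agent maintains for the proxy."""

    def __init__(self, ttl: timedelta = timedelta(hours=8)):
        self.ttl = ttl  # assumed lifetime of a mapping (constructed value)
        self.table: Dict[str, Mapping] = {}

    def ingest(self, line: str) -> bool:
        """Record a successful logon; ignore failures and unparsable lines."""
        m = AUDIT_RE.match(line.strip())
        if not m or m.group("eid") != "4624":
            return False
        # Latest logon wins: a new user on the same IP replaces the old entry.
        self.table[m.group("ip")] = Mapping(m.group("user"), parse_ts(m.group("ts")))
        return True

    def who_is_at(self, ip: str, now: Union[str, datetime]) -> Optional[str]:
        """Answer the proxy's query; an unknown or expired mapping yields None."""
        entry = self.table.get(ip)
        if entry is None or parse_ts(now) - entry.seen > self.ttl:
            return None
        return entry.user


def authorize_request(agent: ContextAgent, ip: str, now: Union[str, datetime],
                      groups: Dict[str, List[str]] = AD_GROUPS) -> dict:
    """Proxy side: ask the agent for the user, then AD for the user's groups."""
    user = agent.who_is_at(ip, now)
    if user is None:
        # No usable mapping: the request is unidentified.  Whatever the proxy
        # does next (challenge, block, unauthenticated policy) is an
        # assumption of this model, not something the post states.
        return {"user": None, "groups": [], "source": "no-mapping"}
    return {"user": user, "groups": groups.get(user, []), "source": "cda"}


def load_agent(log: str = SAMPLE_AUDIT_LOG) -> ContextAgent:
    """Feed the constructed audit log into a fresh agent."""
    agent = ContextAgent()
    for line in log.splitlines():
        agent.ingest(line)
    return agent


if __name__ == "__main__":
    agent = load_agent()
    for ip in ("10.1.2.3", "10.1.2.4", "10.1.2.9", "10.1.2.50"):
        print(ip, authorize_request(agent, ip, "2024-03-04T13:00:00Z"))
```

Two things the model makes visible that the prose only implies: identity is keyed on the source IP, so the latest logon seen for an address wins (10.1.2.3 is attributed to carol once she signs on after alice), and a mapping that has aged past its lifetime returns no user at all. Both are inherent to mapping identity from logon events rather than challenging the client, so shared addresses (NAT, multi-user hosts) and long sessions are the cases to review when deciding whether the CDA approach fits an environment.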