Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1493
Views
0
Helpful
3
Replies

WSA Authentication & redirect hostname doubts

J_Vansen_S
Level 3
Level 3

‎08-27-2013 12:57 AM

Hi all,

Our WSA is currently configured as using NTLM for authentication ie binding to our AD

Entire internal LAN/Subnets has to go thru authentication when surfing/going to the internet

I am having issue resolving hostname for machines who are not part of the domain

Scenario 1&2 is working fine, however Scenerio 3 is not acceptable.

Scenario1:- whichever machine signing in as AD User and is part of the domain: SINGLE SIGN ON (working)

Scenario2:- whichever machine part of domain but sign machine LOCALLY without AD: Prompt for AD username/password (working)

Scenario3:- Machine not part of domain does not know how to resolve WSA hostname(datawsa01) thus Internet does not work totally (unless we manually set each client pc to resolve wsa hostname)

What is the best practise for scenario 3? Given that all 1,2,3 scenarios are all sitting in the same subnet.

Please advise

Labels:
0 Helpful
3 Replies 3

Chris Illsley
Level 3
Level 3

‎08-27-2013 06:33 AM

Hi,

Are using explicit ot transparent proxy?  Assuming you are using explicit, you'd be best off either sorting out the DNS resolution for the proxy, however if you have no control over the local DNS you could just use the IP address rather than the name.

Thanks

Chris

0 Helpful

J_Vansen_S
Level 3
Level 3
In response to Chris Illsley

‎02-16-2014 07:38 PM

i am using transparent proxy,

So if i understand correct, you ar saying if id add DNS resolution to proxy it will work?

0 Helpful

Michael Hautekeete
Cisco Employee
Cisco Employee
In response to J_Vansen_S

‎02-17-2014 07:32 AM

Hello,

With regards to the comments from above, the clients will need to be able to resolve the redirect hostname configured on the WSA. (WebGUI > Network > Authentication > edit global settings > redirect hostname (for SSO has to be the short hostname)). If the client is not a member of your domain then it will likely require a local host entry in order to process the redirect for authenticaiton used by the WSA.

Hope this helps.

Best Regards,

Michael Hautekeete

Customer Support Engineer

Cisco Content Security - Web Security Appliance

http://www.cisco.com/en/US/products/ps11169/serv_group_home.html

https://supportforums.cisco.com/community/netpro/security/web

https://supportforums.cisco.com/community/feeds?community=2091

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents