Allow ProxySG to always forward server authorization upstream
Last Updated August 01, 2017
For security reasons, the ProxySG appliance will strip authorization credentials provided by the client that are intended for the OCS. This is done by default when the connection is secured via SSL, the proxy is intercepting SSL, and proxy authorization is required. In this case, the proxy will remove the authorization header to avoid leaking credentials that may have been intended for another authentication realm or a downstream proxy.
To configure the proxy to always send the Authorization and Proxy-Authorization headers upstream to the OCS, use the following command (available in 126.96.36.199 and later):
ProxySG#(config)security force-credential-forwarding enable
This setting can be used in both explicit and transparent modes.
Note: Use this feature with caution. It is a global setting that causes the proxy to send all authorization headers upstream; unless there is a device upstream to strip these headers before the request leaves the network, user credential information will be sent to the internet for internet bound requests.
To forward the headers to specific servers only, Symantec recommends using the authenticate.forward_credentials() CPL property (available in 188.8.131.52 and later). Refer to the Content Policy Language Reference for details.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe