Blue Coat Authentication Webcast Final
SCOTT KIESTER
Authentication Architect
April 2014
Credentials
• SG credential cache
• Credential types (Basic, NTLM, Kerberos, etc.)
• Surrogate credentials
– What are they and why use them?
Authentication modes
• Virtual URL
IWA
• Realms: IWA-Direct / IWA-BCAAA
• Joining an Active Directory domain
• Group authorization
IWA / NTLM
• How it works
• Potential scalability problems and solutions
– New IWA-Direct features in SGOS 6.5.2
IWA / Kerberos
• How it works
• Why it scales well
• Configuration in IWA-BCAAA and IWA-Direct
Explicit Proxy
• The SG issues proxy challenges (HTTP 407)
• Browser may initiate 10 or more concurrent connections to the proxy server
– The SG must authenticate every connection
• SSL connections start with an HTTP CONNECT message
Transparent Proxy
• The SG issues origin-style challenges (HTTP 401)
Authentication Modes
• Proxy-IP, [origin|form]-IP, [origin|form]-IP-redirect
SG checks client IP against authentication cache
Advantages
• Fast, scales well
• Useful for authenticating non-intercepted SSL connections, or apps that don’t support authentication
Disadvantages
• Insecure
• Will not work for multi-user systems (Citrix) or clients behind a NAT device
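A toy model of the surrogate cache behind the IP modes above, added here as an illustration (it is not SGOS or BCAAA code): the cache key, TTL, sample address and traffic are constructed assumptions. It shows why a shared NAT address lets a second user inherit the first user's identity, and how keying the cache on a per-browser token instead of the IP restores the challenge.

```python
"""Toy model of a proxy's surrogate-credential cache, added here to illustrate
why the IP-keyed modes above are called insecure; it is not SGOS or BCAAA code
and the TTL, key names and traffic are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class SurrogateCache:
    ttl: int = 900                                # seconds an entry stays trusted
    entries: dict = field(default_factory=dict)   # surrogate key -> (user, expiry)

    def lookup(self, key, now):
        user, expiry = self.entries.get(key, (None, 0))
        if user is not None and now < expiry:
            return user
        self.entries.pop(key, None)               # expired or never seen
        return None

    def store(self, key, user, now):
        self.entries[key] = (user, now + self.ttl)


def handle_request(cache, key, real_user, now):
    """Return (user the proxy attributes the request to, whether it challenged).
    On a cache hit the proxy skips the 407/401 challenge and trusts the key."""
    cached = cache.lookup(key, now)
    if cached is not None:
        return cached, False
    cache.store(key, real_user, now)              # miss: challenge, then cache
    return real_user, True


def nat_scenario(surrogate):
    """Two users sharing one NAT address; surrogate is 'ip' (proxy-IP mode)
    or 'cookie' (a per-browser session token used as the cache key)."""
    cache = SurrogateCache(ttl=900)
    nat_ip = "203.0.113.10"                       # constructed sample address
    # constructed traffic: (real user, that browser's cookie, seconds elapsed)
    traffic = [("alice", "sess-a", 0), ("bob", "sess-b", 10), ("alice", "sess-a", 1000)]
    results = []
    for user, cookie, t in traffic:
        key = nat_ip if surrogate == "ip" else cookie
        results.append(handle_request(cache, key, user, t))
    return results


if __name__ == "__main__":
    print("ip surrogate:    ", nat_scenario("ip"))      # bob is attributed to alice
    print("cookie surrogate:", nat_scenario("cookie"))  # every user is challenged
```

With the IP key, bob's request at t=10 is never challenged and is logged as alice; the cookie key challenges each browser separately, which is the trade-off the "fast but insecure" bullets describe.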
MaxConcurrentApi (IWA-BCAAA)
On the DC:
• Controls the number of threads in the Netlogon service that process NTLM requests
Also must increase the "NumThreads=" parameter in bcaaa.ini
• Value impacts all realms – don’t set it too high
• BCAAA won’t use all of the Schannel connections unless NumThreads is increased
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. 38
Transparent mode:
• Same as explicit mode, but the authentication challenge is issued from the realm’s virtual URL
• In the example on the previous slide, the virtual URL would be sg.example.com
Must specify a hostname
• …for the proxy server in explicit mode
• …for the virtual URL in transparent mode
• Will not work if you specify an IP address