IWA Transparent Authentication Firefox

Discussion regarding SGOS.

Postby nmerker on Wed Jan 23, 2008 7:59 am

All,

I'm a new SG user. When attempting to configure transparent authentication via IWA for Firefox, I encountered an issue.

I was required to change the setting network.negotiate-auth.trusted-uris to the virtual URL (webgateway) of the SG. Is there a way to configure my virtual URL, or the BC in general, so I will not have to change any Firefox settings?

I'd like users to be able to use a native Firefox install with no modifications and automatically authenticate to the device through IWA. Is this possible? I know SSO is an alternative, but I would rather not deploy this authentication schema unless I was forced to.

Currently, my IWA settings are:

VirtualURL: webgateway (resolves to the device for internal users)
Verify the IP address in the cookie
Challenge user after logout

I have two BCAAA clients configured and am allowing all credentials: Basic, NTLM, and Kerberos.

Thanks!

Postby nmerker on Wed Jan 23, 2008 8:05 am

I should add that IE authentication is working fine transparently and that Firefox works fine when I change the aforementioned setting.

In my Web Authentication layer in the VPM I have IWA set to 'auto' mode.

edit: I'm also using WCCP with GRE encapsulation, but I don't think this matters for my question. :)

Postby Tessian on Wed Jan 23, 2008 9:27 am

IWA works with Firefox out of the box... I and many others here use it that way. Actually, I've been told IWA is only supported by IE and Firefox.
Running SGOS 5.2.2.5

Postby nmerker on Wed Jan 23, 2008 9:32 am

You were able to use IWA (without prompting the user for a username/password) out of the box without making any Firefox modifications?

What are your virtual URL and Auth settings?

Postby spepi308 on Wed Jan 23, 2008 9:36 am

Yes, it works fine for us.

So, to make it clear: you're getting an authentication prompt from the proxy when you go to, say, Google? Just want to make sure it's not some default intranet site.

Postby nmerker on Wed Jan 23, 2008 9:49 am

Yeah,

The proxy authentication prompt shows up when going to any site.

When I change Firefox to include my virtual URL in the network.negotiate-auth.* settings I referenced previously, the problem goes away.

Postby Tessian on Wed Jan 23, 2008 9:57 am

It worked out of the box for me... Auto mode for authentication, and whatever the default URL is when you create a realm (cfauth.com??)

EDIT-- wait a second! I just noticed you said TRANSPARENT proxy! IWA is not designed for transparent proxy; only explicit proxy. So no, this won't work as you expect.

What we've done in that case is use IWA for explicit, and SSO for transparent. So if your source = proxy server, use IWA. Otherwise, use SSO. What sucks about that, though, is if you're doing user/group specific rules you'd have to enter them in twice, once for each realm. In my case, however, we expect all employees to be using the explicit proxy so SSO is just a failover for logging.
Running SGOS 5.2.2.5

Postby nmerker on Wed Jan 23, 2008 10:12 am

Ah, thank you very much for the response.

For anyone curious, the following changes to C:\Program Files\Mozilla Firefox\greprefs\all.js will enable SPNEGO and also allow transparent IWA in Firefox:

pref("network.negotiate-auth.trusted-uris", "webgateway");
pref("network.negotiate-auth.delegation-uris", "webgateway");

"webgateway" in this case is my Virtual URL. IE7 requires the Virtual URL to not be a FQHN so the Virtual URL falls into the Intranet zone which allows transparent authentication by default.

You could use a FQHN (like webgateway.example.com) but you would have to alter your IE7 settings.
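The two pref lines above work because of how Firefox matches network.negotiate-auth.trusted-uris against the URL that issued the challenge, and that matching is also why an explicit proxy needs no change while a transparent one does. The Python below is an added illustration, not code from this thread or from Firefox: it reconstructs the decision as I understand it from Firefox's nsHttpNegotiateAuth.cpp (entries separated by commas or whitespace; an entry matches the host exactly or as a dot-delimited suffix; scheme and port are compared only when the entry spells them out; a 407 from a proxy is governed by network.negotiate-auth.allow-proxies, which defaults to true; a 401 from an origin server is answered only for a dotless host when network.negotiate-auth.allow-non-fqdn is true, or for a host listed in trusted-uris). The PREFS dictionary and every host name are constructed for the example, and the reconstruction is an approximation to check against your own Firefox build.

```python
"""Reconstruction of Firefox's Negotiate (SPNEGO) challenge policy.

Added example, not the thread's or Firefox's own code.  Pref names are
Firefox's; the matching rules follow nsHttpNegotiateAuth.cpp as I know
them; PREFS and all host names below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed sample prefs: the trusted-uris line from the post above plus the
# two Firefox defaults that decide the 407-vs-401 behaviour discussed here.
PREFS = {
    "network.negotiate-auth.trusted-uris": "webgateway",
    "network.negotiate-auth.allow-proxies": True,    # Firefox default
    "network.negotiate-auth.allow-non-fqdn": False,  # Firefox default
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def matches_base_uri(scheme, host, port, entry):
    """Test one trusted-uris entry against the challenging URL's parts.

    * "scheme://..." in the entry requires an exact scheme match;
    * ":port" in the entry requires an exact port match;
    * otherwise scheme and port are ignored;
    * the host must equal the entry's host or be a dot-delimited subdomain
      of it ("bar.com" matches "foo.bar.com" but not "foobar.com";
      ".bar.com" matches subdomains only).
    """
    entry = entry.strip()
    if "://" in entry:
        entry_scheme, entry = entry.split("://", 1)
        if entry_scheme.lower() != scheme.lower():
            return False
    if ":" in entry:
        entry_host, entry_port = entry.rsplit(":", 1)
        if not entry_port.isdigit() or int(entry_port) != port:
            return False
    else:
        entry_host = entry
    entry_host = entry_host.lower()
    host = host.lower()
    if not entry_host or not host:
        return False
    if entry_host.startswith("."):
        return host.endswith(entry_host)
    return host == entry_host or host.endswith("." + entry_host)


def negotiate_allowed(url, is_proxy_challenge, prefs=PREFS):
    """Return True if Firefox would answer a Negotiate challenge from `url`.

    A 407 from an explicit proxy is governed only by allow-proxies, which is
    why explicit-proxy IWA works on an untouched install.  A 401 from an
    origin server (the virtual URL a transparent SG redirects to) is answered
    only if the host is dotless and allow-non-fqdn is set, or if it matches
    an entry in trusted-uris.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    if is_proxy_challenge:
        return bool(prefs.get("network.negotiate-auth.allow-proxies", True))
    if prefs.get("network.negotiate-auth.allow-non-fqdn", False) and "." not in host:
        return True
    raw = prefs.get("network.negotiate-auth.trusted-uris", "")
    entries = raw.replace(",", " ").split()
    return any(matches_base_uri(scheme, host, port, e) for e in entries)


if __name__ == "__main__":
    # Constructed URLs: the virtual URL as configured, its FQDN form, and an
    # ordinary site challenged once by a proxy (407) and once directly (401).
    for url, proxy in [("http://webgateway/", False),
                       ("http://webgateway.example.com/", False),
                       ("http://www.example.com/", True),
                       ("http://www.example.com/", False)]:
        kind = "407 proxy" if proxy else "401 origin"
        verdict = "sent" if negotiate_allowed(url, proxy) else "NOT sent"
        print(f"{url:34} {kind}: Negotiate {verdict}")
```

Two practitioner notes on the prefs themselves. First, with a dotless virtual URL such as webgateway, setting network.negotiate-auth.allow-non-fqdn to true is an alternative to listing it in trusted-uris, and the short entry "webgateway" will not match the FQDN form webgateway.example.com, so the entry must match whatever name the redirect actually uses. Second, network.negotiate-auth.delegation-uris is a separate and stronger setting: it lets the listed server obtain a forwardable Kerberos ticket and act as the user toward other services, which is only needed if the gateway must authenticate onward on the user's behalf; for plain proxy authentication, trusted-uris alone is sufficient and delegation-uris can be left empty.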