Chaining Content Gateway with other proxies
Blue Coat ProxySG
You can configure the Blue Coat proxy to send X-Forwarded-For and X-Authenticated-User headers for Content Gateway to read, either by manually editing a policy text file or by defining the policy in the Blue Coat graphical interface called Visual Policy Manager.
Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.
Editing the local policy file
<Proxy>
action.Add[header name for authenticated user](yes)
define action Add[header name for authenticated user]
set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")
end action Add[header name for authenticated user]
action.Add[header name for client IP](yes)
define action Add[header name for client IP]
set(request.x_header.X-Forwarded-For, $(x-client-address))
end action Add[header name for client IP]
Using the Blue Coat graphical Visual Policy Manager
Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager. Set Content Gateway as the forwarding host (in the Blue Coat Management Console Configuration tab).
- In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.
- Select the Web Access Layer tab that is created.
- The Source, Destination, Service, and Time column entries should be Any (the default).
- Right-click the area in the Action column, and select Set.
- Click New in the Set Action Object dialog box and select Control Request Header from the menu.
- In the Add Control Request Header Object dialog box, enter a name for the client IP Action object in the Name entry field.
- Enter X-Forwarded-For in the Header Name entry field.
- Select the Set value radio button and enter the following value:
$(x-client-address)
- Click OK.
- Click New and select Control Request Header again.
- In the Add Control Request Header Object dialog box, enter a name for the authenticated user information Action object in the Name entry field.
- Enter X-Authenticated-User in the Header Name entry field.
- Select the Set value radio button and enter the following value:
WinNT://$(user.domain)/$(user.name)
- Click OK.
- Click New and select Combined Action Object from the menu.
- In the Add Combined Action Object dialog box, enter a name for a proxy chain header in the Name entry field.
- In the left pane, select the previously created control request headers and click Add.
- Select the combined action item in the Set Action Object dialog box and click OK.
- Click Install Policy in the Blue Coat Visual Policy Manager.
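A check you can run against a request captured on the Content Gateway side once the policy is installed, as an added example that is not part of the original documentation. The function names and sample requests are constructed for illustration, and it assumes exactly one of each header is expected because the policy uses set with a single value.

```python
import ipaddress
import re

# Value format from the policy on this page: WinNT://$(user.domain)/$(user.name)
USER_RE = re.compile(r"^WinNT://([^/]+)/([^/]+)$")

def parse_headers(raw_request):
    """Map lower-cased header name -> list of values from a raw request head."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_chain_headers(raw_request):
    """Return (client_ip, domain, user, problems) for one captured request."""
    headers = parse_headers(raw_request)
    client_ip = domain = user = None
    problems = []
    xff = headers.get("x-forwarded-for", [])
    if len(xff) != 1:
        problems.append("X-Forwarded-For: expected 1 header, found %d" % len(xff))
    else:
        try:  # assumption: one address is set, so a comma-separated list fails
            client_ip = str(ipaddress.ip_address(xff[0]))
        except ValueError:
            problems.append("X-Forwarded-For is not a single IP: %r" % xff[0])
    xau = headers.get("x-authenticated-user", [])
    if len(xau) != 1:
        problems.append("X-Authenticated-User: expected 1 header, found %d" % len(xau))
    else:
        match = USER_RE.match(xau[0])
        if match:
            domain, user = match.groups()
        else:
            problems.append("X-Authenticated-User not WinNT://domain/user: %r" % xau[0])
    return client_ip, domain, user, problems

# Constructed sample requests (not captured traffic).
GOOD = ("GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
        "X-Forwarded-For: 10.1.2.3\r\n"
        "X-Authenticated-User: WinNT://CORP/jdoe\r\n\r\n")
BAD = ("GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
       "X-Forwarded-For: 10.1.2.3, 192.0.2.7\r\n"
       "X-Authenticated-User: WinNT:///\r\n\r\n")

if __name__ == "__main__":
    for label, request in (("good", GOOD), ("bad", BAD)):
        print(label, check_chain_headers(request))
```

An empty problems list means both headers arrived in the form the policy defines; anything else points at a header that was not set, was duplicated, or carries empty domain or user fields.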
Microsoft Forefront Threat Management Gateway (TMG)
Microsoft Forefront TMG can be used as a downstream proxy from Content Gateway via a plug-in from Forcepoint. This plug-in allows Content Gateway to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream Forefront TMG.
- Navigate to forcepoint.com and click My Account to log in.
- Select the Downloads tab.
- Select Forcepoint Web Security from the Product drop-down list.
- In the list, expand TMG 64-bit plugin... to see the download details. Click the download link to start the download.
- Unzip the package and copy the following files to the Forefront TMG installation directory:
- Websense-AuthForward.dll
- msvcp110.dll
- msvcr110.dll
- Register the plug-in with the system. Open a Windows command prompt and change directory to the Forefront TMG installation directory. From the command prompt, type:
regsvr32 Websense-AuthForward.dll
- Verify the plug-in was registered in the Forefront TMG management user interface. In the System section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.
- To unregister the plug-in, type:
regsvr32 /u Websense-AuthForward.dll