Chaining Content Gateway with other proxies

Applies to:
  • Forcepoint Web Security, v8.5.x

In this topic:
  • In a proxy chain
  • Microsoft Forefront Threat Management Gateway (TMG)

Blue Coat ProxySG

You can configure the Blue Coat proxy to send the X-Forwarded-For and X-Authenticated-User headers for Content Gateway to read, either by manually editing a policy text file or by defining the policy in the Blue Coat graphical interface, Visual Policy Manager.

Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.

Editing the local policy file

In the Blue Coat Management Console Configuration tab, click Policy in the left column and select Policy Files. Enter the following code in the current policy text file, using an Install Policy option:
<Proxy>
; Apply the action that sets the authenticated-user header
action.Add[header name for authenticated user](yes)

; The name in "define action" must match the name referenced above
define action Add[header name for authenticated user]
set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")
end action Add[header name for authenticated user]

; Apply the action that sets the client IP header
action.Add[header name for client IP](yes)

define action Add[header name for client IP]
set(request.x_header.X-Forwarded-For,$(x-client-address))
end action Add[header name for client IP]

Using the Blue Coat graphical Visual Policy Manager

Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO). Set Content Gateway as the forwarding host (in the Blue Coat Management Console Configuration tab, Forwarding > Forwarding Hosts).

In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch and configure the header policy as follows:
  1. In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.
  2. Select the Web Access Layer tab that is created.
  3. The Source, Destination, Service, and Time column entries should be Any (the default).
  4. Right-click the area in the Action column, and select Set.
  5. Click New in the Set Action Object dialog box and select Control Request Header from the menu.
  6. In the Add Control Request Header Object dialog box, enter a name for the client IP Action object in the Name entry field.
  7. Enter X-Forwarded-For in the Header Name entry field.
  8. Select the Set value radio button and enter the following value:
    $(x-client-address)
  9. Click OK.
  10. Click New and select Control Request Header again.
  11. In the Add Control Request Header Object dialog box, enter a name for the authenticated user information Action object in the Name entry field.
  12. Enter X-Authenticated-User in the Header Name entry field.
  13. Select the Set value radio button and enter the following value:
    WinNT://$(user.domain)/$(user.name)
  14. Click OK.
  15. Click New and select Combined Action Object from the menu.
  16. In the Add Combined Action Object dialog box, enter a name for a proxy chain header in the Name entry field.
  17. In the left pane, select the previously created control request headers and click Add.
  18. Select the combined action item in the Set Action Object dialog box and click OK.
  19. Click Install Policy in the Blue Coat Visual Policy Manager.
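
To confirm that either configuration method is producing the headers described above, you can inspect a request as it arrives upstream of the Blue Coat proxy. The following check is an added example, not Forcepoint or Blue Coat code: the function names are hypothetical and the sample requests are constructed. It assumes the policy sets each header to exactly one value, so a duplicate header, a non-IP X-Forwarded-For value, or an unsubstituted or empty WinNT:// value indicates that the policy is not being applied as configured.

```python
import ipaddress
import re

# WinNT://DOMAIN/user, the value built by "WinNT://$(user.domain)/$(user.name)"
_USER_RE = re.compile(r"^WinNT://([^/]+)/([^/]+)$")


def parse_raw_request(raw: bytes) -> dict:
    """Return headers (lower-cased name -> list of values) from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_chain_headers(headers: dict) -> list:
    """Return a list of problems; an empty list means both headers look as configured."""
    problems = []
    for name in ("x-forwarded-for", "x-authenticated-user"):
        count = len(headers.get(name, []))
        if count != 1:
            problems.append(f"{name}: expected exactly 1 header, found {count}")
    xff = headers.get("x-forwarded-for", [])
    if len(xff) == 1:
        try:
            ipaddress.ip_address(xff[0])  # rejects comma-separated lists too
        except ValueError:
            problems.append(f"x-forwarded-for: not a single IP address: {xff[0]!r}")
    user = headers.get("x-authenticated-user", [])
    # "$(" left in the value means the proxy did not substitute the variable
    if len(user) == 1 and (not _USER_RE.match(user[0]) or "$(" in user[0]):
        problems.append(f"x-authenticated-user: not WinNT://domain/user: {user[0]!r}")
    return problems


# Constructed sample requests (not captured from a real deployment).
GOOD = (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
        b"X-Forwarded-For: 10.1.2.3\r\n"
        b"X-Authenticated-User: WinNT://CORP/jdoe\r\n\r\n")
BAD = (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
       b"X-Forwarded-For: 10.1.2.3\r\nX-Forwarded-For: 192.0.2.9\r\n"
       b"X-Authenticated-User: WinNT:///\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, check_chain_headers(parse_raw_request(raw)))
```
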

Microsoft Forefront Threat Management Gateway (TMG)

Microsoft Forefront TMG can be used as a downstream proxy from Content Gateway via a plug-in from Forcepoint. This plug-in allows Content Gateway to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream Forefront TMG.

The Websense-AuthForward.TMG_Plugin-64.zip file is available on the Downloads page of your forcepoint.com account.
  1. Navigate to forcepoint.com and click My Account to log in.
  2. Select the Downloads tab.
  3. Select Forcepoint Web Security from the Product drop-down list.
  4. In the list, expand TMG 64-bit plugin... to see the download details. Click the download link to start the download.
To install the plug-in:
  1. Unzip the package and copy the following files to the Forefront TMG installation directory:
    1. Websense-AuthForward.dll
    2. msvcp110.dll
    3. msvcr110.dll
  2. Register the plug-in with the system. Open a Windows command prompt and change directory to the Forefront TMG installation directory.
    From the command prompt, type:
    regsvr32 Websense-AuthForward.dll
  3. Verify that the plug-in was registered in the Forefront TMG management user interface (Start > Programs > Microsoft Forefront TMG > Microsoft Forefront TMG Management). In the System section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.
To uninstall the plug-in, run the following command in a Windows command prompt from the Forefront TMG installation directory:
regsvr32 /u Websense-AuthForward.dll