ProxySG & Advanced Secure Gateway

Hello All,

     I have a ProxySG enviornment which MAC users are being given No_Authentication access due to being a windows heavy enterprise. I would like to start getting the OSX devices authenticating through the proxy for log purposes and of course Security. Currently, Safari will always ask for credentials every 15 Minutes or so. I would like to know if there is any documentation to allow the OSX devices to start authenticating through the Proxy.

Following things i have seen are user agent configuration through IWA. Any path to solution would be helpful.

HI Ismael,

                 Like you have mentioned in the post heading, you could use LDAP based auth against the Mac User-agent for them to show you a Auth pop-up to type in. You can use the IP surrogate based mode to reduce the the auth pop-up and its frequency by adjusting surrogate cache time.

Thanks Aravind

Would you have any documentation to this? I have see the user agent addition to the proxy for MAC. Have not seen anything regarding surrogate mode and surrogate cache time.

Hi Ismael,

                    Please refer the article https://support.symantec.com/en_US/article.TECH242539.html which shows the different authentication modes available and in our case, it would be Proxy-IP (I am assuming that you are using Explicit Proxy) . When you are creating the authentication rule for MAC based on User-Agents, set the auth mode as Proxy-IP as in the screenshot below

Hi Ismael

Can I ask how you are currently authenticating you windows users?

The reason I ask is this - If you are currently authenticating your windows users using IWA (direct or BCAAA) and your domain supports Kerberos, MAC can also authenticate using Kerberos. I have deployed this into a number of customers in the past. 

A problem with IP surrogacy and higher surrogate refresh timers is that fact that a user can log out, another user can log into that machine and then would have the access rights of the previous user. 

Sean

Hello Sean

You said you have deployed MAC with IWA + Kerberos succesfully. Could you give more details about how you did that please ?

i am petty "new" with BlueCoat ProxySG/ASG management

In my organization (8000 users) we have about one hundred MAC users. These MAC are associated with our AD domain, so users can logon OSX with their active directory account. But currently we have to manage their proxy setting and web surf by maintaing an exception list of IP (very painful...) to not authenticate them in the bluecoat VPM because BlueCoat Proxy require via a authentication popup their AD login and password (about each 15 minutes).

I would like to kick off this IP exception list and find a clean and global solution to manage Mac computers and users on the proxyASG (we have two proxy ASG400-30).

Could you give me/us some advice/methods please ?

Best regards

Arnaud