Blue Coat ProxySG

Configuring proxy chaining | Forcepoint Web Security Cloud

Blue Coat ProxySG can be deployed as a downstream proxy with Forcepoint Web Security Cloud. You can configure proxy chaining in the following ways:

Basic chaining. The Blue Coat server does not perform any authentication before forwarding requests to the cloud proxy. The cloud proxy can perform manual authentication only.

NTLM pass-through. The Blue Coat server takes no part in authentication, forwarding requests to the cloud proxy which then performs NTLM identification.

X-Authenticated-User. The Blue Coat server performs user authentication and forwards requests to the cloud proxy using the X-Authenticated-User header.

Basic chaining

In this case, Blue Coat ProxySG forwards requests to the cloud proxy but performs no authentication. End users can be authenticated using manual authentication only: prompting users for a user name and password the first time they access the Internet through a browser.

Use the Blue Coat Management Console to forward requests to the cloud proxy as follows:

In the Blue Coat Management Console Configuration tab, select Forwarding > Forwarding Hosts.

Select Install from Text Editor from the drop-down, and then click Install.

Update the Forwarding Hosts configuration file to point an alias name to webdefence.global.blackspider.com, port 8081. For example, if you choose the alias name Forcepoint_Proxy, enter the following at the end of the "Forwarding host configuration" section:

fwd_host Forcepoint_Proxy webdefence.global.blackspider.com http=8081

Add the following to the end of the 'Default fail-over sequence' section:

sequence alias name

replacing alias name with the alias name that you chose in step 3.

When you have finished editing, click Install.

In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch.

In the Policy menu, select Add Forwarding Layer and enter an appropriate policy name in the Add New Layer dialog box.

Select the Forwarding Layer tab that is created. The Source, Destination, and Service column entries should be Any (the default).

Right-click the area in the Action column, and select Set.

10.

Select the alias name that you created (for example, Forcepoint_Proxy) from the list, and click OK.

11.

Right-click the alias name in the Action column and select Edit.

12.

Choose the forwarding behavior if your Blue Coat proxy cannot contact the cloud proxy: either to connect directly, or to refuse the browser request.

13.

Click OK.

14.

Click Install Policy in the Blue Coat Visual Policy Manager.

NTLM chaining

To chain Blue Coat ProxySG with the cloud proxy and perform NTLM identification:

Follow the steps in Basic chaining.

Log on to the cloud portal.

Go to the Web > Policy Management > Policies page, then select a policy.

Click the Access Control tab for the policy.

Select Always authenticate users on first access, then select NTLM transparent identification where possible. For more information, see NTLM identification in the cloud portal Help.

Click Save.

X-Authenticated-User chaining

You can pass authentication details from your Blue Coat proxy to send X-Forwarded-For and X-Authenticated-User headers to the cloud proxy either by manually editing a policy text file, or defining the policy in Blue Coat Visual Policy Manager.


X-Forwarded-For	Contains the client IP address
X-Authenticated-User	When Blue Coat authentication is turned on, this header will be populated with the user domain and username (domain\user).

With this setup, end users can be authenticated transparently by the cloud proxy, removing an authentication step and improving performance.

Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.

Editing the local policy file

In the Blue Coat Management Console Configuration tab, click Policy in the left column and select Policy Files. Enter the following code in the current policy text file, using an Install Policy option:

<Proxy>

action.Add[header name for authenticated user](yes)

define action dd[header name for authenticated user]

set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")

end action Add[header name for authenticated user]

action.Add[header name for client IP](yes)

define action dd[header name for client IP]

set(request.x_header.X-Forwarded-For,$(x-client-address))

end action Add[header name for client IP]

Using the Blue Coat graphical Visual Policy Manager

Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO). Set Forcepoint Web Security Cloud as the forwarding host (in the Blue Coat Management Console Configuration tab, Forwarding > Forwarding Hosts). The address of the Forcepoint Web Security Cloud service is webdefence.global.blackspider.com, port 8081.

In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch and configure the header policy as follows:

In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.

Select the Web Access Layer tab that is created.

The Source, Destination, Service, and Time column entries should be Any (the default).

Right-click the area in the Action column, and select Set.

Click New in the Set Action Object dialog box and select Control Request Header from the menu.

In the Add Control Request Header Object dialog box, enter a name for the client IP Action object in the Name entry field.

Enter X-Forwarded-For in the Header Name entry field.

Select the Set value radio button and enter the following value:

$(x-client-address)

Click OK.

10.

Click New and select Control Request Header again.