Blue Coat ProxySG
Configuring proxy chaining | Forcepoint Web Security Cloud
Blue Coat ProxySG can be deployed as a downstream proxy with Forcepoint Web Security Cloud. You can configure proxy chaining in the following ways:
* Basic chaining. The Blue Coat server does not perform any authentication before forwarding requests to the cloud proxy. The cloud proxy can perform manual authentication only.
* NTLM pass-through. The Blue Coat server takes no part in authentication, forwarding requests to the cloud proxy which then performs NTLM identification.
* X-Authenticated-User. The Blue Coat server performs user authentication and forwards requests to the cloud proxy using the X-Authenticated-User header.
Basic chaining
In this case, Blue Coat ProxySG forwards requests to the cloud proxy but performs no authentication. End users can be authenticated using manual authentication only: prompting users for a user name and password the first time they access the Internet through a browser.
Use the Blue Coat Management Console to forward requests to the cloud proxy as follows:
1.
2. Select Install from Text Editor from the drop-down, and then click Install.
3. fwd_host Forcepoint_Proxy webdefence.global.blackspider.com http=8081
4. sequence alias name
   replacing alias name with the alias name that you chose in step 3.
5.
6. In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch.
7. In the Policy menu, select Add Forwarding Layer and enter an appropriate policy name in the Add New Layer dialog box.
8. Select the Forwarding Layer tab that is created. The Source, Destination, and Service column entries should be Any (the default).
9.
10.
11.
12.
13.
14. Click Install Policy in the Blue Coat Visual Policy Manager.
NTLM chaining
To chain Blue Coat ProxySG with the cloud proxy and perform NTLM identification:
1.
2.
3. Go to the Web > Policy Management > Policies page, then select a policy.
4. Click the Access Control tab for the policy.
5. Select Always authenticate users on first access, then select NTLM transparent identification where possible. For more information, see NTLM identification in the cloud portal Help.
6. Click Save.
X-Authenticated-User chaining
You can configure your Blue Coat proxy to pass authentication details to the cloud proxy in X-Forwarded-For and X-Authenticated-User headers, either by manually editing a policy text file or by defining the policy in Blue Coat Visual Policy Manager.
With this setup, end users can be authenticated transparently by the cloud proxy, removing an authentication step and improving performance.
Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.
Editing the local policy file
In the Blue Coat Management Console Configuration tab, click Policy in the left column and select Policy Files. Enter the following code in the current policy text file, using an Install Policy option:
<Proxy>
action.Add[header name for authenticated user](yes)

define action Add[header name for authenticated user]
set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")
end action Add[header name for authenticated user]

action.Add[header name for client IP](yes)

define action Add[header name for client IP]
set(request.x_header.X-Forwarded-For,$(x-client-address))
end action Add[header name for client IP]
Using the Blue Coat graphical Visual Policy Manager
Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO). Set Forcepoint Web Security Cloud as the forwarding host (in the Blue Coat Management Console Configuration tab, Forwarding > Forwarding Hosts). The address of the Forcepoint Web Security Cloud service is webdefence.global.blackspider.com, port 8081.
In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch and configure the header policy as follows:
1. In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.
2. Select the Web Access Layer tab that is created.
3.
4.
5. Click New in the Set Action Object dialog box and select Control Request Header from the menu.
6.
7. Enter X-Forwarded-For in the Header Name entry field.
8. Select the Set value radio button and enter the following value:
   $(x-client-address)
9.
10. Click New and select Control Request Header again.
11.
12. Enter X-Authenticated-User in the Header Name entry field.
13. Select the Set value radio button and enter the following value:
    WinNT://$(user.domain)/$(user.name)
14.
15. Click New and select Combined Action Object from the menu.
16.
17.
18. Click Install Policy in the Blue Coat Visual Policy Manager.
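Whichever method you use, you can check a request captured on the link between the Blue Coat proxy and the cloud proxy to confirm that both headers arrive in the form the policy above builds. The following is an added example, not Forcepoint or Blue Coat code; the function names and the sample requests are constructed for illustration.

```python
import ipaddress
import re

# WinNT://<domain>/<user>, the value the policy on this page builds.
AUTH_USER_RE = re.compile(r"^WinNT://([^/$()]+)/([^/$()]+)$")

def parse_headers(raw_request: str) -> dict:
    """Collect header values by lower-cased name from a raw HTTP request head."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_chained_request(raw_request: str) -> list:
    """Return a list of problems; an empty list means both headers look right."""
    headers = parse_headers(raw_request)
    problems = []
    users = headers.get("x-authenticated-user", [])
    if len(users) != 1:
        problems.append(f"expected 1 X-Authenticated-User header, found {len(users)}")
    elif not AUTH_USER_RE.match(users[0]):
        # Catches an empty domain or user and unexpanded $(...) substitutions.
        problems.append(f"malformed X-Authenticated-User: {users[0]!r}")
    clients = headers.get("x-forwarded-for", [])
    if len(clients) != 1:
        problems.append(f"expected 1 X-Forwarded-For header, found {len(clients)}")
    else:
        try:
            ipaddress.ip_address(clients[0])
        except ValueError:
            problems.append(f"X-Forwarded-For is not a single IP: {clients[0]!r}")
    return problems

# Constructed sample requests (not captured from a real deployment).
GOOD = ("GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
        "X-Forwarded-For: 10.1.2.3\r\n"
        "X-Authenticated-User: WinNT://CORP/jsmith\r\n\r\n")
BAD = ("GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
       "X-Forwarded-For: $(x-client-address)\r\n"
       "X-Authenticated-User: WinNT:///\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("bad", BAD)):
        print(label, check_chained_request(req))
```

An empty result for a request from a signed-in user indicates that the Blue Coat proxy authenticated the user and expanded both substitutions before forwarding.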

Copyright 2018 Forcepoint. All rights reserved.