When authentication prevents devices, browsers, and custom applications from working with the proxy
- Article Number: 000004676
- Products: Forcepoint Web Security, TRITON AP-WEB, Web Security Gateway, Web Security Gateway Anywhere
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5
- Last Published Date: April 09, 2019
Notes & Warnings
You can confirm the User-Agent string being sent by browsing to the following site from the browser or device in question:
http://whatsmyuseragent.com. You can also filter on http.user_agent in Wireshark.
Additionally, http://www.useragentstring.com/pages/useragentstring.php is an online resource for obtaining User-Agent strings of different devices and browsers.
Our organization uses the Content Gateway proxy.
As you accurately observe, some devices, client applications, and site-hosted applications do not handle proxy user authentication. This is true even of some rather popular Web browsers, such as the Windows Safari browser when used with NTLM authentication (it’s simply unsupported). Because the problem is most often a limitation of the device or application, all proxies run into these problems.
If you have a device or application that you must use and you are willing to bypass user authentication, one way to work around the problem is to create a proxy “filter” rule to bypass user authentication. Web filtering policies still apply based on client IP address or XID.
Proxy filtering rules are created in Content Gateway Manager and stored in filter.config. A rule can identify specific User-Agent header strings, either to allow matching clients to bypass user authentication or to deny them. Regular expressions (regex) can be used to match a set of related strings.
Proxy filter rules are described in general here: http://www.websense.com/content/support/library/web/v75/wcg_help/filtering_rules.aspx.
Here is an example of a simple “allow” rule for User-Agent “iPhone”. (More complex examples are included below.)
The rule is specified in Content Gateway Manager, Configure > Security > Access Control > Filtering. Click Edit File to enter the filter.config configuration file editor and select:
Rule Type: Allow
Primary Destination Type: dest_domain
Primary Destination Value: .
Finish by clicking Add and Apply.
This rule permits iPhone users who are routed through the proxy to bypass user authentication.
(A match on a "deny" rule generates an HTTP_STATUS_FORBIDDEN - 403 return code from the proxy.)
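Before a User-Agent pattern goes into filter.config, it helps to check which clients it would actually exempt, since an overly broad pattern lets more clients skip authentication than intended. The script below is an added example, not Forcepoint code: the sample User-Agent strings are constructed, and it assumes the proxy matches the pattern anywhere in the header value and that Python's regex syntax is close enough to the proxy's for these simple patterns.

```python
import re

# Constructed sample User-Agent strings (not captured traffic). Each is tagged
# with whether the administrator intends it to bypass proxy authentication.
SAMPLE_AGENTS = [
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 "
     "(KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1", True),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36", False),
    ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 "
     "(KHTML, like Gecko) Version/12.1 Safari/605.1.15", False),
    ("ExampleSync/2.0 (compatible; iPhone-style client)", False),
    ("curl/7.64.0", False),
]


def audit_pattern(pattern, samples=SAMPLE_AGENTS):
    """Return (unintended_bypasses, missed_devices) for a candidate regex.

    Assumption: the proxy matches the pattern anywhere in the header value
    (unanchored search), as the bare "iPhone" rule implies.
    """
    rx = re.compile(pattern)
    unintended, missed = [], []
    for agent, should_bypass in samples:
        matched = rx.search(agent) is not None
        if matched and not should_bypass:
            unintended.append(agent)
        elif not matched and should_bypass:
            missed.append(agent)
    return unintended, missed


def report(pattern):
    """Print which sample clients a pattern would exempt or fail to exempt."""
    unintended, missed = audit_pattern(pattern)
    print(f"pattern {pattern!r}: {len(unintended)} unintended, {len(missed)} missed")
    for agent in unintended:
        print("  would skip authentication:", agent)
    for agent in missed:
        print("  would still be challenged:", agent)


if __name__ == "__main__":
    report("iPhone")                       # the simple rule from the article
    report(r"^Mozilla/5\.0 \(iPhone; ")    # tighter: anchored to the platform token
    report("Safari")                       # too broad: also matches desktop browsers
```

Replace SAMPLE_AGENTS with User-Agent values taken from your own proxy logs to see how a pattern behaves against the clients on your network.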
In addition to the simple example given above, here is a set of more complex regular expressions that can be used to match families of User Agents: