KB Article | Forcepoint Support

Notes & Warnings

You can confirm the User-Agent being passed by browsing to the following site from the browser or device in question:
http://whatsmyuseragent.com. You can also filter on http.user_agent in Wireshark.


Additionally, http://www.useragentstring.com/pages/useragentstring.php is an online resource for obtaining User-Agent strings of different devices and browsers.

Problem Description

Our organization uses the Content Gateway proxy. 

We sometimes use a device (iPhone, iPad, other), client application (custom browser, in-house Web app, etc.), or Web-hosted application that does not interact well with the proxy. 

We have noticed that when we turn off user authentication, the problem goes away.  Why is user authentication a problem?
 

Resolution

As you accurately observe, some devices, client applications, and site-hosted applications do not handle proxy user authentication.  This is true even of some rather popular Web browsers, such as the Windows Safari browser when used with NTLM authentication (it’s simply unsupported).  Because the problem is most often a limitation of the device or application, all proxies run into these problems. 

If you have a device or application that you must use and you are willing to bypass user authentication, one way to work around the problem is to create a proxy “filter” rule to bypass user authentication. Web filtering policies still apply based on client IP address or XID.

Proxy filtering rules, which are created in Content Gateway Manager and stored in filter.config, can be created to identify specific User-Agent header strings to bypass (or deny) user authentication.  Regular expressions (regex) can be used to match a set of related strings.
 
Proxy filter rules are described in general here: http://www.websense.com/content/support/library/web/v75/wcg_help/filtering_rules.aspx.

Here is an example of a simple “allow” rule for User-Agent “iPhone”.  (More complex examples are included below.)

The rule is specified in Content Gateway Manager, Configure > Security > Access Control > Filtering. Click Edit File to enter the filter.config configuration file editor and select:
 
Rule Type: Allow
Primary Destination Type: dest_domain
Primary Destination Value: .
User-Agent:  iPhone
 
Finish by clicking Add and Apply.

This rule permits iPhone users who are routed through the proxy to bypass user authentication.

(A match on a "deny" rule generates an HTTP_STATUS_FORBIDDEN - 403 return code from the proxy.)

In addition to the simple example given above, here is a set of more complex regular expressions that can be used to match families of User-Agent strings:

 

| Platform | User Agent string | Regex to detect | Result (if matched) |
| --- | --- | --- | --- |
| Mobile: | | | |
| iPhone | Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 | "iPhone OS ([0-9_]+)" (iPhone specific) | Group 1: iOS version |
| | | "Mobile\/[a-zA-Z0-9]{5,6} Safari" (All mobile Apple devices) | |
| iPhone 4S | Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B179 Safari/7534.48.3 | | |
| iPad | Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 | "iPad; U; CPU OS ([0-9_]+)" (iPad specific) | Group 1: iOS version |
| | | "Mobile\/[a-zA-Z0-9]{5,6} Safari" (All mobile Apple devices) | |
| iPad 2 | Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3 | | |
| Android | Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; Sprint APA9292KT Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) | "Android ([0-9]+\.[0-9]+)-{0,1}(update[0-9]{1,}){0,1}" | Group 1: Android version; Group 2: update number (if any) |
| Web OS | Mozilla/5.0 (webOS/1.4.0; U; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Version/1.0 Safari/532.2 Pre/1.0 | "webOS/([0-9\.]{1,});" | Group 1: webOS version |
| Symbian | Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-3/21.2.045; Profile/MIDP-2.1 Configuration/CLDC-1.1;) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.4 | "SymbianOS/([0-9\.]+)" | Group 1: Symbian version |
| Blackberry | BlackBerry9700/5.0.0.423 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/100 OR Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, Like Gecko) Version/6.0.0.141 Mobile Safari/534.1 | "BlackBerry[ ]{0,1}([0-9a-z]{4,5})" | Group 1: Model number |
| Major Browsers: | | | |
| Firefox | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b7pre) Gecko/20100925 Firefox/4.0b7pre | "Firefox/([0-9a-z\.]{1,})" | Group 1: Firefox version |
| Chrome | Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 | "Chrome/([0-9\.]{1,})" | Group 1: Chrome version |
| Safari | Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4 | "Version/([0-9\.]{1,}) Safari" | Group 1: Safari version |
| Internet Explorer | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB0.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; GACID=) | "MSIE ([0-9\.]{1,})" | Group 1: IE version |
| Opera | Opera/9.80 (X11; Linux x86_64; U; Ubuntu/10.10 (maverick); pl) Presto/2.7.62 Version/11.01 | "Opera/([0-9\.]{1,})" | Group 1: Opera version |
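
Before a pattern goes into a bypass rule, it helps to check which User-Agent strings it actually covers. The following is an added example, not part of the original article: it runs patterns from the table over the table's sample strings and reports the strings a rule misses or matches unexpectedly. Assumptions: Python's `re` with unanchored search stands in for the proxy's regex engine, the `inhouse_app` string is constructed, and `coverage` and `audit` are names chosen for this example.

```python
import re

# Patterns from the table above, plus the simple "iPhone" rule value.
# The iPad pattern is written with a well-formed character class.
# Assumption: Python's re (unanchored search) stands in for the proxy's regex engine.
PATTERNS = {
    "simple_iphone": r"iPhone",
    "iphone": r"iPhone OS ([0-9_]+)",
    "ipad": r"iPad; U; CPU OS ([0-9_]+)",
    "apple_mobile": r"Mobile\/[a-zA-Z0-9]{5,6} Safari",
    "android": r"Android ([0-9]+\.[0-9]+)-{0,1}(update[0-9]{1,}){0,1}",
}

# User-Agent strings from the table; "inhouse_app" is constructed for this example.
SAMPLES = {
    "iphone_os3": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16",
    "iphone_4s": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B179 Safari/7534.48.3",
    "ipad_os3": "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10",
    "ipad_2": "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3",
    "android": "Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; Sprint APA9292KT Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko)",
    "chrome_desktop": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10",
    "inhouse_app": "ExampleApp/1.0 (iPhone; build 42)",
}


def coverage(pattern_name):
    """Map each sample name to the captured groups, or None if no match."""
    rx = re.compile(PATTERNS[pattern_name])
    result = {}
    for name, ua in SAMPLES.items():
        m = rx.search(ua)
        result[name] = m.groups() if m else None
    return result


def audit(pattern_name, expected):
    """Return (missed, unexpected) sample names relative to the intended set."""
    hits = {n for n, groups in coverage(pattern_name).items() if groups is not None}
    return sorted(expected - hits), sorted(hits - expected)


if __name__ == "__main__":
    apple = {"iphone_os3", "iphone_4s", "ipad_os3", "ipad_2"}
    print(audit("simple_iphone", {"iphone_os3", "iphone_4s"}))
    print(audit("ipad", {"ipad_os3", "ipad_2"}))
    print(audit("apple_mobile", apple))
    print(coverage("android")["android"])
```

The iPad-specific pattern misses the iPad 2 string because that string has no "U;" token, while the simple "iPhone" value also matches the constructed in-house string, so the narrower "iPhone OS ([0-9_]+)" pattern covers only the two iPhone strings.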

    
