Thursday 5 May 2011

Clearswift Secure Web Gateway – bypass authentication

If an application needs access to the Internet (e.g. to check for updates) but does not support NTLM or Kerberos authentication, it will most likely be blocked by the proxy.

On a Clearswift Secure Web Gateway proxy, the easiest way to configure authentication bypass is to use a user-defined HTTP header for identifying the requests generated by the application in question.

Go to the Clearswift Home page > Policy > Web Policy Routes and click on the Authentication Bypass tab, click New and in the Add HTTP Header Bypass window provide the requested info.

Clearswift suggests that the header user-agent can be used, if it was defined. If the application vendor cannot provide this value, here is how to find it using Wireshark.



Using Wireshark to get the value of a user-defined HTTP header (User-Agent)

Close all applications on the PC which hosts the application in question.

Start Wireshark, click on the Capture tab and click on Interfaces. Find the interface that will be used for sending the Internet request and click on the start button next to it.

Start the application and trigger the Internet request. Once you get the error that tells you that the request has been turned down, click on the Stop button in the Interfaces window.

Click on Edit > Find Packet, in Find By switch to String and type the target server or domain name in the field Filter: and click on the Find button. Right click on the highlighted line and click on Follow TCP Stream. Look for the value of the User-Agent entry.

If the value has not been specified, then it will show up as a generic name, something like “Setup Factory”, which cannot be used for filtering purposes.
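The same lookup can be scripted against the text saved from the Follow TCP Stream window. The sketch below is an added example, not part of the original post or any Clearswift tooling: it lists the User-Agent of every request aimed at the target domain and marks missing or generic values as unusable. The host names, the `AcmeUpdater/3.1` value and the contents of `GENERIC_AGENTS` are assumptions made for illustration.

```python
import re

# Constructed sample: text saved from "Follow TCP Stream" (a request, the
# proxy's refusal, then a CONNECT for an HTTPS destination). Names are made up.
SAMPLE_STREAM = (
    "GET http://updates.example.com/check?v=3 HTTP/1.1\r\n"
    "Host: updates.example.com\r\n"
    "user-agent: AcmeUpdater/3.1\r\n"
    "\r\n"
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "\r\n"
    "CONNECT updates.example.com:443 HTTP/1.1\r\n"
    "Host: updates.example.com:443\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|CONNECT|OPTIONS) (\S+) HTTP/1\.[01]$")
# Assumption: prefixes too generic to identify one application (the page cites "Setup Factory").
GENERIC_AGENTS = ("setup factory",)

def requests_in_stream(text):
    """Yield (method, target, headers) for each HTTP request; responses are skipped."""
    current = None
    for line in text.replace("\r\n", "\n").split("\n"):
        m = REQUEST_LINE.match(line)
        if m:
            current = (m.group(1), m.group(2), {})
        elif current is not None and line == "":
            yield current          # blank line ends the header block
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[2][name.strip().lower()] = value.strip()  # names are case-insensitive
    if current is not None:
        yield current              # capture stopped mid-request

def user_agents_for(text, domain):
    """Return [(target, user_agent, usable)] for requests that mention `domain`."""
    rows = []
    for _method, target, headers in requests_in_stream(text):
        if domain.lower() not in (target + " " + headers.get("host", "")).lower():
            continue
        ua = headers.get("user-agent")
        usable = ua is not None and not ua.lower().startswith(GENERIC_AGENTS)
        rows.append((target, ua, usable))
    return rows

if __name__ == "__main__":
    for row in user_agents_for(SAMPLE_STREAM, "updates.example.com"):
        print(row)
```

For HTTPS destinations only the CONNECT request is readable in the capture, so the header has to be present there to be matched. The User-Agent string is chosen by the client, so a bypass keyed on it applies to any program that sends the same value.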


Configure a new web route in order to bypass authentication

If a user-defined HTTP header was not specified in the application, authentication can still be bypassed by creating a new web route and using a machine IP address as a source.

Create a new machine entry under Policy > Machines.
Create a new Internet Zone entry under Policy > Internet Zones and specify the destination under the Sites tab using an asterisk sign in front and at the end of the destination server or domain name.
Make sure the new rule is either at the top of the list or that the rules above this one do not interfere with it.
Apply the changes. (Deploying any non-policy changes will require the web proxy to restart, cancelling any downloads currently in progress.)

2 comments:

  1. "Clearswift suggests that the header user-agent can be used"
    Where did you read this?
    Can the content-type be used? I've tried it, but it didn't work for me..
