Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Authentication for Explicit Proxy Mode with WCCP

Configuring authentication for explicit proxy mode with WCCP includes import and modification of two rule sets, as well as specifying ports for incoming traffic to trigger the use of the appropriate rule set.

When the explicit proxy mode with WCCP is configured, clients send requests to Web Gateway in explicit proxy mode or using a service under the WCCP protocol.

To handle authentication for the explicit proxy mode, the Direct Proxy Authentication and Authorization rule set is recommended, for the WCCP mode, which is a transparent mode, it is the Authentication Server (Time/IP Based Session) rule set.

This means you should import both rule sets and complete additional activities as needed for both modes, including the modification of the browser settings for the WCCP mode.

To let traffic for each mode be handled by the appropriate authentication rule set, you can configure different ports for both types of traffic and specify the respective port in the criteria of each rule set.

Configure different ports for the explicit proxy and WCCP modes

The ports for the explicit proxy and WCCP modes could, for example, be 9090 and 9091. You need to specify the port for the WCCP mode when configuring a WCCP service and both ports in the list of HTTP ports.

A WCCP service is configured by entering it in the WCCP Services list. This list appears after selecting WCCP in the Transparent Proxy section of the Proxies (HTTP(S), FTP, ICAP, and IM) system settings.

The section appears within these settings when you begin to configure the explicit proxy mode with WCCP by selecting Proxy (optional WCCP) under Network Setup.

The entry for a WCCP service that is used for traffic coming in on port 9091 could, for example, look as follows:

No Service ID WCCP router... Ports... Ports... Proxy listener... Proxy listener port... MD5... Assignment
1 91

10.10.
69.7

80, 443

false

10.10.
69.73

9091

oooooo

1000

The HTTP Port Definition List can be configured in the HTTP Proxy section, which is located below the Transparent Proxy section.

The entries for the explicit proxy and WCCP modes could look as follows:

No Listener address Serve... Ports... Transparent... Skyhigh Comment
1

0.0.0.0:9090

true

443

false

true

Explicit proxy traffic
2

0.0.0.0:9091

true 443 false true WCCP traffic

Adapting the criteria of the authentication rule sets

After configuring different ports for traffic coming in under the explicit proxy mode or using a WCCP service, for example, 9090 and 9091, you need to adapt the criteria of the rule sets for handling the two kinds of traffic.

The adapted rule criteria of the Direct Proxy Authentication and Authorization rule set would then look as follows:

Proxy.Port equals 9090 AND (Connection.Protocol equals "HTTP" OR Connection.Protocol equals "HTTPS")

For the Authentication Server (Time/IP Based Session) rule set, the adapted criteria would be:

Proxy.Port equals 9091

  • Was this article helpful?