Blue Coat Transparent Single Sign-On Authentication
by Zebedee on Sep.24, 2009, under Blue Coat, Security
During an install at a customer's site, the customer requested that his Blue Coat SG proxy gateway be put in transparent mode. I was happy to do this as it is quite simple to set up. Once it was up and running he decided that the users should be authenticated. This is where the problems started.
I have set up authentication on the Blue Coats a number of times in explicit and transparent mode, but this user said that it had to be in transparent mode with no login prompt. I could find loads of documentation on how to set up transparent authentication on the Blue Coat site. It spoke about NTLM, LDAP or RADIUS. It never mentioned IWA or how to stop the login prompt.
First, a bit of history on this; you can probably work out what you need to do to fix it, but I will tell you at the end anyway.
Basically the issue is security zones: how Internet Explorer decides which zone a site belongs to, and whether it should pass the user's Windows credentials to a server that asks for them. If a site is in the Internet zone, Internet Explorer should not hand over credentials automatically, because any server that can get a browser to answer an NTLM challenge gets material an attacker can relay or crack offline.
To get Internet Explorer to pass credentials to the proxy silently (the default setting is "Automatic logon only in Intranet zone"), it has to believe it is connecting to a server in the Local intranet zone. Unless a site has been assigned to a zone explicitly, Internet Explorer decides this by looking for a dot (period) in the host name of the URL. If the host name contains a dot, Internet Explorer treats the site as being in the Internet zone and will not pass credentials; if there is no dot, it treats the site as internal, places it in the Local intranet zone and passes credentials without prompting.
So the fix for your Blue Coat is to change the virtual URL used for transparent authentication from www.cfauth.com to a single-label internal DNS name with no dot in it, such as the proxy's own hostname. The alternative is to leave the virtual URL alone and add it to the Local intranet zone on every client through Internet Options or Group Policy, but the dotless name avoids touching the clients at all.
Just a note: this DNS name has to resolve to something internal that the browser can actually reach with the request, so the best bet is to use the hostname of your Blue Coat SG and make sure it resolves to the proxy's IP address in your internal DNS.
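To make the zone rule above concrete, here is a small model of the decision Internet Explorer makes with its default settings. It is an added example, not code from the original post or from Blue Coat or Microsoft; the hostnames bcproxy and bcproxy.corp.example are made up, and the intranetSites list stands in for sites an administrator has explicitly assigned to the Local intranet zone (Internet Options or the equivalent Group Policy), which is the second way round the problem mentioned above.

```javascript
// Added example: models Internet Explorer's default zone mapping for a URL and
// whether IWA/NTLM credentials would be sent without a prompt.
// Not Blue Coat or Microsoft code; hostnames and site lists are constructed.

const ZONE_LOCAL_INTRANET = "Local intranet";
const ZONE_INTERNET = "Internet";

// intranetSites: hypothetical list of hosts/domains an admin has explicitly
// placed in the Local intranet zone. An explicit assignment beats the dot rule.
function ieZoneForUrl(urlString, intranetSites = []) {
  const host = new URL(urlString).hostname.toLowerCase();

  const explicitlyIntranet = intranetSites.some((site) => {
    const s = site.toLowerCase();
    return host === s || host.endsWith("." + s);
  });
  if (explicitlyIntranet) {
    return ZONE_LOCAL_INTRANET;
  }

  // Default heuristic: a host name with no dot is assumed to be an internal
  // single-label name and lands in Local intranet; anything with a dot is
  // treated as an Internet site.
  return host.includes(".") ? ZONE_INTERNET : ZONE_LOCAL_INTRANET;
}

// With the default "Automatic logon only in Intranet zone" setting, Windows
// credentials go out silently only for the Local intranet zone.
function willSendCredentialsSilently(urlString, intranetSites = []) {
  return ieZoneForUrl(urlString, intranetSites) === ZONE_LOCAL_INTRANET;
}

// Constructed virtual URLs to compare: the www.cfauth.com value from the post,
// a single-label proxy hostname, and the same proxy by its FQDN.
const VIRTUAL_URLS = [
  "http://www.cfauth.com/",
  "http://bcproxy/",
  "http://bcproxy.corp.example/",
];

// Returns one row per virtual URL so the effect of each choice can be compared.
function report(intranetSites = []) {
  return VIRTUAL_URLS.map((url) => ({
    url,
    zone: ieZoneForUrl(url, intranetSites),
    silentAuth: willSendCredentialsSilently(url, intranetSites),
  }));
}

// Without any explicit zone assignments only the dotless name gets silent auth;
// adding "corp.example" to the intranet list also rescues the FQDN.
console.log(JSON.stringify(report(), null, 2));
console.log(JSON.stringify(report(["corp.example"]), null, 2));
```

Running it shows www.cfauth.com and the FQDN both landing in the Internet zone (so the user gets a prompt), while the plain bcproxy name is Local intranet and authenticates silently; the second call shows the same FQDN becoming silent once its domain is explicitly assigned to the intranet zone.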
February 18th, 2010 on 12:44 pm
Hi, I would like to know how to implement Blue Coat in transparent mode, out of path (transparent), by using Policy Based Routing (PBR) on Cisco & Juniper routers.
I searched all necessary documents; however, I haven't received it. Please help me in this regard.
Murthy
February 23rd, 2010 on 12:00 pm
Hi Murthy,
Blue Coat's documentation is very thin on this subject, mainly saying it can be done, not how to do it. You will want to set up your ProxySGs in transparent mode for inline and then configure your PBR using the Cisco/Juniper documentation. As long as each part has been set up properly this should work.
I will try and write an entry on how to do this but do not have a spare Cisco router or Blue Coat proxy at the moment.
Cheers,
Zebedee