Showing results for 
Search instead for 
Did you mean: 

Pass authenticvation information to next hop proxy

I have suers who authenticate agaisnt a WW proxy.  Using next hop that proxy then goes to another proxy.  Will the first proxy pass aithentication info to the next hop?  I need the next hop proxy to apply policy based on the original user making the request and to do that it need the username.

0 Kudos
3 Replies
Level 15

Re: Pass authenticvation information to next hop proxy

When you have multiple proxies in a chain, only one of them should do the actual authentication. Usually the first one that the user encounters, but it could be beyond that.

By default, the next-hop proxies do not know the original users. You can turn on X-Forwarded-For: header and supply the IP address of the original user to the second proxy. But if you need the UserName, or Group information, you must create your own HTTP header to forward that information. You can use the Generic Header Filter to put the UserName into a custom header (like X-MyUserName: ) and send it onward to the next hop.

However, the next-hop proxy must have a way to look for the custom header, map it to policy, and remove it from the request so it doesn't send X-MyUserName to the internet. If the next-hop is also Webwasher, you can do this in Web Mapping and Generic Header Filter. If the next-hop proxy is NOT Webwasher, you must find how to do this with that proxy brand.

0 Kudos

Re: Pass authenticvation information to next hop proxy

Thanks Erik, FYI the second proxy is a Webwasher also.  Couldnt I simply use the existing headers I use in the policy mapping in the second proxy (X-Authenticated-User and X-Authenticated-Groups)?  All I would have to do is setup the reverse proxy to include these headers?

Incidently how would I setup a Generic Header to include these headers?

0 Kudos
McAfee Employee

Re: Pass authenticvation information to next hop proxy

Easiest eay would be a generic header filter!

It is notable though that you will ne be able to do real authentication on the 2nd WW then. It is just going to be a mapping.

Why you can't do real auth? Cause Webwasher is not sending over the credentials, as it doesn't know them in most cases. NTLM works with hashes, so MWG doesn't know the password. For LDAP it does know it, but for security reasons it doesn't send credentials over. So you can only do a mapping.

Use generic header filter to add a header per policy:

X-MWG1-Policy = %g

which will inject a header that contains the policy name. So you can assure that it uses the same policy on the 2nd WW. In the mapping you need to change the mapping header to a custom request header and enter X-MWG1-Policy



0 Kudos