IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES
|
|
- Sharleen Miller
- 8 years ago
- Views:
Transcription
1 IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES TECHNICAL BRIEF INTRODUCTION The purpose of this document is to explain how Integrated Windows Authentication (IWA) works with the ProxySG appliance, to explain differences between the two realms (IWA-BCAAA and IWA-Direct), and to provide guidelines for deployments and sizing. Table of Contents INTRODUCTION 1 HOW IT WORKS 2 Integrated Windows Authentication Overview 2 - Quick Overview 2 Kerberos - Detailed Overview 2 Obtaining Group Membership Information 4 Domain Controller Selection Mechanism 4 IWA-BCAAA 5 5 Kerberos 5 IWA-BCAAA: Service User Permission Requirements 6 IWA-DIRECT 6 6 Kerberos 7 IWA-Direct: User Permission Requirements for Joining a Windows Domain 7 PERFORMANCE 7 vs. KERBEROS 7 NETLOGON / MAXCONCURRENTAPI Tuning Options 8 IWA-Direct 8 IWA-BCAAA 8 SURROGATES (IP, COOKIE) 9 Proxy-IP Surrogates 9 Cookie Surrogates 10 IWA Performance Numbers 10 Authentications per Second 10 Throughput Differences 10 How We Measure These Numbers 11 BCAAA Server Sizing 11 RECOMMENDATIONS 11 ABOUT TECHNICAL BRIEFS 11 1
2 How It Works Integrated Windows Authentication Overview Integrated Windows Authentication (IWA) can provide a single sign on (SSO) user experience when configured correctly. Blue Coat has implemented two flavors of IWA: IWA-Direct and IWA-BCAAA. With IWA- Direct, the ProxySG appliance is able to join the domain directly. With IWA-BCAAA, the ProxySG appliance communicates with the BCAAA agent, which is usually installed on a domain member server. IWA uses credentials from the user s initial workstation log on. When configured correctly, domain users are not prompted for credentials, in both explicit and transparent proxy deployments. Users from any trusted domain can be authenticated. The supported authentication mechanisms are Basic, (NT LAN Manager), and Kerberos. Basic and must go to a Domain Controller (DC) to validate credentials and determine group membership. Kerberos is more scalable then ; ProxySG (IWA-Direct) or BCAAA (IWA-BCAAA) can directly validate Kerberos tickets. Basic is very scalable as well, since the ProxySG appliance is able to cache Basic credentials. For security reasons, however, the majority of the ProxySG appliance users no longer accept Basic credentials. Quick Overview is a password authentication protocol. IWA will prompt the user if no password was used at log in. If the current user is a domain user who logged in with a password, the browser won t prompt for a password: This assumes the realm was properly configured. Windows caches a hash of the user password entered on log in to the workstation. The password doesn t cross the wire. A different hash is sent every time. Incorporates a client nonce and a server nonce (random data). is less scalable than Kerberos. Two round trips are required between the client and BCAAA. The ProxySG appliance or BCAAA depending on the realm have to contact a DC (through Netlogon) on the final round-trip. Kerberos Detailed Overview The client obtains a TGT (Ticket Granting Ticket) when the user logs in to Windows. The KDC (Key Distribution Center) validates the client s username and password, and issues the TGT to the client. The client uses the user s password hash to decrypt the session key in the TGT. Figure 1: Kerberos overview Client recieves TGT (Ticket Granting Ticket) Client authenticates to KDC with Username/Password TGT KDC Data (Encrypted with the KDC s key) KDC (Key Distribution Center) Session Data (Encrypted with the user s password hash) The client uses a Service Ticket to log in to Kerberized services. The KDC needs to know the Service Principal Name (SPN) of the service. The service trusts the KDC to validate user credentials. The KDC shares a key with the service: Symmetric encryption key In Active Directory (AD), this key is the service account s password hash The KDC associates the SPN with the key. 2
3 KDC Service Ticket Example The SPN in Figure 2 is HTTP/bluecoat.com. Client presents TGT, requests Service Ticket KDC Trust/Service Key Client recieves Service Ticket Figure 3: Client service ticket request and receipt KDC The service ticket is encrypted with the Service Key and the Session Key. The client uses the Session Key (from the TGT) to decrypt the ticket. HTTP/bluecoat.com Service Figure 2: KDC service ticket example A user wants to authenticate to HTTP/bluecoat.com. The user presents his TGT to the KDC, and requests a service ticket. The KDC validates the TGT, then looks up the service key associated with the SPN. The KDC generates a service ticket and sends it to the client. Ticket Data (Encrypted with the user s Session Key) Service Data (Encrypted with the Service s Key) Service Session Key Figure 4: Session key decryption Decrypt with Session Key Service Ticket Service Data (Encrypted with the Service s Key) Note: The client will cache the service ticket. By default, the ticket is cached for 10 hours, although that setting can be changed in AD group policy. The client will not renew a cached service ticket until it expires, or until the user logs in to Windows again. Since the ticket contains group memberships, the user s groups won t get updated until the client gets a new ticket. This means the ProxySG appliance won t learn about group membership changes until the client gets a new ticket. If an administrator makes a change to AD group membership and then logs the user out of the ProxySG appliance, the ProxySG appliance won t pick up the group membership change until the client gets a new ticket (for example, logs out of Windows and then logs back in). Since gets new group memberships from the DC on each authentication, doesn t have that problem. 3
4 The client presents the service ticket to the service. The service decrypts the service ticket. The service ticket identifies the user. Windows service tickets also contain group membership information. The IWA service (ProxySG appliance for IWA-Direct or BCAAA for IWA-BCAAA) can authenticate the user without contacting an external server. The Kerberized service uses GSSAPI (Generic Services API) to validate the Service Ticket. The service ticket is validated without going off-box. A Windows Service Ticket contains group membership information. Windows can generate an access token without going off-box. There is no longer a Netlogon bottleneck. Login with Service Ticket SERVICE Service calls GSSAPI to decrypt and validate service ticket Service Ticket Service Data (Encrypted with the Service s Key) Figure 5: Login with Service Ticket Login with Service Ticket The following illustration shows a Kerberos login HTTP/bluecoat.com Service Figure 7: Authentication Service calls GSSAPI Obtaining Group Membership Information The method for obtaining the group memberships is the same for IWA-Direct and IWA-BCAAA. After authenticating the user, the realm receives a Privilege Attribute Certificate (PAC). The PAC contains the group memberships. If Basic or credentials were used, then the PAC is created by the DC and automatically provided to the realm after successful authentication. If Kerberos credentials were used, then the PAC is embedded in the credential. Service Ticket Response from KDC Ticket Data (Encrypted with the user s Session Key) Service Data (Encrypted with the Service s Key) Service Session Key Client presents TGT, requests Service Ticket Client recieves Service Ticket Login with Service Ticket KDC Trust/Service Key This page contains a summary of the different group types and they ways in which they may be used: aspx Groups are included in the PAC based on the server that is doing the authentication (IE: BCAAA or the ProxySG). The page linked above indicates where different group types can be used for authorization. The PAC that it receives will contain all of the user s universal groups, but will only contain global groups from the joined domain forest, and only domain local groups from that domain. Service Ticket Service Data (Encrypted with the Service s Key) Figure 6: A Kerberos Login Process HTTP/bluecoat.com Service The technical reasons for that have to do with where the different group types are stored in AD. Domain Controller Selection Mechanism The ProxySG appliance (IWA-Direct) or the BCAAA server (IWA-BCAAA) queries an SRV record in DNS and sends an LDAP ping pack to the DCs that it finds. The LDAP ping is a small LDAP-over-UDP packet. 4
5 In SGOS and later, customers can optionally specify a preferred and alternate DC, and the ProxySG appliance will always use those. If neither is available, then it will fall back to using an LDAP ping. IWA-BCAAA This section describes how and Kerberos authentication work in an IWA-BCAAA deployment. Figure 8 shows how IWA-BCAAA processes requests. come into the ProxySG appliance and are forwarded to BCAAA. BCAAA invokes SSPI (a Windows API), and Windows forwards the request to a DC over the Netlogon Secure Channel (Schannel) for credential validation. Both IWA-Direct and IWA-BCAAA use Schannel to validate credentials, and both are therefore subject to its limitations. same time, it can t send the second request to the DC until it receives a response to the first request. Kerberos Prior to accessing the ProxySG appliance, the user logs into the local domain and obtains a TGT from the KDC. The user attempts to access a URL that requires authentication; the ProxySG appliance sends a challenge asking for Kerberos credentials. KDC OCS BCAAA User logs in to Windows and obtains TGT BCAAA (MaxConcurrentAPI=1) User requests a page from OCS. SG challenges for Kerberos credentials Figure 9: Kerberos Authentication with IWA-BCAAA: ProxySG challenges for credentials DC (MaxConcurrentAPI=1) Figure 8: Authentication with IWA-BCAAA Schannel (One at a time) The client workstation obtains a Service Ticket from the KDC: The Service Ticket is generated based on the authentication challenge URL. The challenge URL identifies the service. The challenge URL depends on the authentication mode. The Service Ticket is presented to BCAAA. Schannel is often a bottleneck for authentication. That s because in a typical scenario, the BCAAA server can only have one Schannel request outstanding at a time, as represented by the MaxConcurrentAPI=1 text in the above diagram (This value could be modified. See Netlogon / MaxConcurrentAPI Tuning Options in this document). For example, if BCAAA receives two requests at the 5
6 IWA-BCAAA: Service User Permission Requirements BCAAA 5.5.x requires the Act as part of the operating system privileges for IWA. If the ProxySG appliance will be used for Kerberos Constrained Delegation, the Impersonate users privilege is required, too. KDC OCS BCAAA Client requests Service Ticket for challege URL Service Ticket is presented to BCAAA Figure 10: Kerberos Authentication with IWA-BCAAA: Client provides service ticket to ProxySG BCAAA validates the Service Ticket without consulting a DC. Validation is performed with Windows SSPI API. Services Provider Interface, similar to GSSAPI. BCAAA 6.1 does not need the Act as part of the operating system or Impersonate users privileges to do IWA or Kerberos Constrained Delegation. IWA-Direct This section describes how and Kerberos authentication works in an IWA-Direct deployment. Figure 12 shows how IWA-Direct processes requests. come in to the ProxySG appliance and are forwarded to a Domain Controller (DC) over the Netlogon Secure Channel (Schannel) for credential validation. Both IWA-Direct and IWA-BCAAA use Schannel to validate credentials, and both are therefore subject to its limitations. The Service key is the password hash of the BCAAA service user. If running as a local system, this is the machine account password. Users ProxySG (MaxConcurrentAPI=1) Schannel (One at a time) Server (MaxConcurrentAPI=1) KDC OCS BCAAA BCAAA validates Service Ticket and sends authentication result to SG Figure 11: Kerberos Authentication with IWA-BCAAA: SG validates service ticket Figure 12: Authentication with IWA-Direct Schannel is often a bottleneck for authentication. That s because the ProxySG appliance with IWA-Direct in SGOS 6.3 and SGOS 6.4 can only have one Schannel request outstanding at a time, as represented by the MaxConcurrentAPI=1 text in Figure 12 (In SGOS , this is the default value, however it could be increased. See Netlogon / MaxConcurrentAPI Tuning Options in this document). For example, if the ProxySG appliance receives two requests at the same time, it can t send the second request to the DC until it receives a response to the first request. 6
7 Kerberos Prior to accessing the ProxySG appliance, the user logs in to the local domain and obtains a TGT. The user attempts to access a URL that requires authentication. In response, the ProxySG appliance sends a challenge, asking for Kerberos credentials. GET Service Ticket for sg.example.com KDC Log in with Kerberos Service Ticket (Includes Group Memberships) Figure 13: Kerberos Authentication with IWA-Direct Shared Key (Machine account password) IWA-Direct sg.example.com The client workstation obtains a Service Ticket from the KDC. The Service Ticket is generated based on the authentication challenge URL. The challenge URL identifies the service. The challenge URL depends on the authentication mode. The Service Ticket is presented to the ProxySG appliance. The ProxySG appliance validates the Service Ticket without consulting a DC. Validation is performed with GSSAPI, which is part of the MIT Kerberos library that has been ported to SGOS. Service key: If the explicit proxy/load balancer feature has NOT been configured in the IWA-Direct realm (the typical scenario), the service key is the ProxySG appliance s machine account password. Otherwise, the service key is the password hash of the load balancer user. This allows multiple ProxySG appliances to share the same service key, as it allows the key to be tied to a user s password, rather than a machine account password. IWA-Direct: User Permission Requirements for Joining a Windows Domain The account used to join the ProxySG appliance to the domain needs sufficient rights to add workstations to the domain. A regular user account will work if you re only joining a few workstations/sgs. Microsoft allows regular Domain User accounts to join up to 10 workstations to the domain by default. More information can be found here: If the user wants to pre-create the ProxySG s computer account, they may do so. However, if they do that, then the user account they use to join the domain must have sufficient rights to modify the computer object. (That is no different from joining Windows boxes to the domain using a pre-created machine account.) After the ProxySG has joined the domain, it will forget the user credentials that were supplied during domain join. Those credentials are used only to create/modify the ProxySG s machine account object. After domain join, all access to AD will use the machine account credentials. For both authentication and VPM browsing, the ProxySG s machine account does not need any more privileges than a normal machine account for a Windows box. The customer should not grant extra privileges to the ProxySG s machine account unless they re planning to set up EMAPI or Kerberos Constrained Delegation. That account should never have Domain Admin privileges. Performance vs. Kerberos Kerberos will perform better than. (challenge/response) authentication requires two round-trips between browser and BCAAA. 7
8 After the second round-trip, the BCAAA server (or the ProxySG appliance for IWA-Direct) has to contact a DC to validate the user s password and retrieve a Windows access token that contains the user s group memberships. Kerberos Requires only one round-trip, and doesn t require the BCAAA server (or the ProxySG appliance for IWA-Direct) to contact a DC. The client will contact the KDC to retrieve a service ticket that will be presented to BCAAA (or the ProxySG appliance for IWA- Direct). Once retrieved, it will be cached for typically 10 hours. (See Kerberos - Detailed Overview on page 2.) BCAAA (or the ProxySG appliance for IWA-Direct) can validate the Service Ticket without contacting a DC, because the ticket is encrypted with a key that BCAAA shares with the KDC. The Service Ticket also contains a list of the user s groups, so BCAAA (or the ProxySG appliance for IWA-Direct) doesn t need to contact a DC to retrieve authorization information. Authentication is successful when BCAAA (or the ProxySG appliance for IWA-Direct) successfully decrypts and validates the ticket. Kerberos is one of the best solutions to scalability problems. Unfortunately, it s not widely (or well) understood, and therefore tends to be under-utilized. Kerberos is a solid, scalable authentication protocol. It is faster and more secure than. Netlogon / MaxConcurrentAPI Tuning Options As described in How It Works on page 1, Netlogon can be a bottleneck. Netlogon is a Windows service that process authentication requests (both incoming and outgoing). Windows maintains a Netlogon Secure Channel to one DC from each domain needed. By default, Netlogon will process only one authentication request at a time. If BCAAA (IWA-BCAAA) or ProxySG appliance (IWA-Direct) receives requests faster than the DC processes them, the requests will back up at BCAAA or at the ProxySG appliance. The MaxConcurrentAPI setting controls the number of concurrent requests that can be processed by Schannel. This parameter can be modified to support a larger number of Schannel connections. However, it is important to know that this parameter must be changed on all DCs (since there isn t a way to guarantee that the BCAAA server or the ProxySG appliance will always use the same DC), and on the BCAAA server and the ProxySG appliance (with SGOS and later). Modifying only one side of the communication will not work. DC (MaxConcurrentAPI=10) Schannel (Ten at a time) Figure 14: IWA Authentication with increased MaxConcurrentAPI settings IWA-Direct BCAAA (MaxConcurrentAPI=10) The ProxySG appliance with IWA-Direct (SGOS 6.3 and SGOS 6.4) is using a hard-coded MaxConcurrentAPI=1 setting. This means the setting cannot be modified. The ProxySG appliance with IWA-Direct (SGOS and later) offers the option to modify MaxConcurrentAPI settings using the command max-secure-channel-requests. In addition to that, you can also specify preferred DCs (a primary and a backup DC) using the command preferred-dc so that the ProxySG appliance can use the nearest DCs with the lowest response time. IWA-BCAAA Changing the MaxConcurrentAPI setting does work for IWA-BCAAA, and is fully transparent to BCAAA. There are a few organizations where Microsoft has recommended modifying this parameter to increase authentication performance. The biggest challenge is that this change is also required on the DCs (including trusted domain DCs), and that s probably why some organizations are not willing to implement this change. 8
9 Figure 15 shows a scenario in which the MaxConcurrentAPI settings have not been changed on the DC of a trusted domain. In this case, there are no performance gains for users who belong to Domain B, but only for users who belong to Domain A. Users from Domain B BCAAA: Domain A (MaxConcurrentAPI=10) Proxy-IP Surrogates The caching problem is often solved by using the Proxy-IP authentication mode. Switching to Proxy-IP mode in the example above would cut down on the number of requests by a factor of 10, since the ProxySG appliance only needs to authenticate the first connection from each client. Note: A detailed discussion about how each authentication mode works goes beyond the scope of this document. Details are available in the SGOS Administration Guide. DC: Domain B (MaxConcurrentAPI=1) Schannel (One at a time) DC: Domain A (MaxConcurrentAPI=10) Schannel (Ten at a time) Figure 15: IWA Authentication with misconfigured MaxConcurrentAPI settings Surrogates (IP, Cookie) The use of surrogates can help to dramatically lessen the authentication load on the ProxySG appliance, and in turn, the DC. This is especially critical when is used with an explicit proxy. Modern browsers will often open 10 or more concurrent connections to the ProxySG appliance when loading a single Web page; the ProxySG appliance must authenticate each of those connections. When using, the ProxySG appliance can t cache user credentials as it does with Basic authentication. Each new connection therefore results in an authentication request that is forwarded to a DC, as shown in Figure 16. Client using Explicit Proxy GET cnn.com (10+ New Connections) Figure 16: IWA Authentication without surrogates 10+ DC However, it s not always possible to use Proxy-IP mode. Proxy-IP mode won t work for multi-user systems such as Citrix, nor will it work for users behind a network address translation (NAT) device. Furthermore, using the IP address as the credential isn t very secure, since IPs are easily spoofed. That s why a short surrogate cache interval is recommended. In proxy chaining deployments, it is still possible to use IP surrogates at the parent proxy by looking at the X-Forwarded-For header instead of the source IP address. The following policy tells the ProxySG appliance to use the X-Forwarded-For header as IP surrogates: <Proxy> authenticate.credentials.address( $(request.header.x- Forwarded-For) ) This requires the child proxy to set the X-Forwarded-For header and to populate it with the client IP address. If the child proxy is a Microsoft ISA or TMG server, the cloud authentication connector can be used to set this header field. Other proxies like the ProxySG appliance are able to do this without additional software. Note: Another option in proxy chaining environments could be to use Kerberos constrained delegation, which should work with ISA or TMG. However, no research has been performed on this setup 9
10 Cookie Surrogates Another solution is to use origin-cookie-redirect. The Origin-cookieredirect can be used with an explicit proxy, but an exception has to be made for unintercepted HTTPS connections. Here s an example: <Proxy> http.connect=yes authenticate(iwa_realm) authenticate. mode(proxy) authenticate(iwa_realm) authenticate.mode(origincookie-redirect) The above policy will authenticate each HTTP CONNECT request without using a surrogate. HTTP CONNECT requests are sent by browsers in explicit proxy mode. Their purpose is to tell the proxy server that the browser wants to set up an SSL tunnel with the origin content server (OCS). The ProxySG appliance can t redirect HTTP CONNECT requests because they only contain a hostname, rather than a full URL for the requested resource at the OCS. If the ProxySG appliance were to redirect the request, it wouldn t be able to redirect the client back to the originally requested resource. The above policy will authenticate all requests, except HTTP CONNECT requests, using a cookie surrogate. Depending on the number of HTTPS connections in the example above, the policy could result in a nearly ten-fold drop in authentications. IWA Performance Numbers Authentications per Second For an IWA realm, functionality is the most important attribute. Most IWA customers still use, rather than Kerberos or Basic. performance is about the same between IWA-BCAAA and IWA- Direct in SGOS 6.3 and 6.4 on a ProxySG (but slightly different on all other platforms, see Throughput Differences below for more details). When BCAAA is running on a member server (as it is nearly always deployed), it is able to process about authentications per second, which matches the performance of IWA-Direct when using a ProxySG The authentications-per-second number is representative of an optimal environment. Those numbers were generated in an environment where a domain with a single DC was used, the DC was a single hop away from the BCAAA server (very low network latency), and the DC was not being used by any other network services. It is unlikely that a customer could achieve the same throughput in a production environment, unless they can guarantee that all of the aforementioned factors always match the lab environment where the tests were performed. Note: The performance numbers were generated using the default MaxConcurrentAPI settings. The authentications-per-second number represents a best-case scenario. It is unlikely that such throughput could be achieved in a production environment. The actual performance of in production depends on how quickly the customer s DC is able to service authentication requests. DC performance is the single largest factor that affects throughput, and that can vary widely. It is difficult to predict how DCs will perform in each customer environment, because several factors can affect performance. In some environments, some DCs might perform substantially better than others. Some of the major factors affecting DC performance are discussed in this document. We have not performed any performance tests with MaxConcurrentAPI=10 so far. The number of authentications-persecond will definitely increase, but probably not by a factor of 10. This document will be updated as soon as we have run tests with modified MaxConcurrentAPI settings. Throughput Differences The difference between IWA-BCAAA- and IWA-Direct- in terms of throughput (using the default MaxConcurrentAPI settings) is, on average, 82%. In other words, the throughput with IWA-Direct- is about 82% of the numbers with IWA-BCAAA- (exception: ProxySG , where the performance is about the same for both methods). The difference between IWA-BCAAA-Kerberos and IWA-Direct-Kerberos in terms of throughput is close to 90%. In other words, the throughput with IWA-Direct-Kerberos is about 90% of the numbers with IWA- BCAAA-Kerberos. 10
11 Blue Coat Systems Inc. Corporate Headquarters Sunnyvale, CA EMEA Headquarters Hampshire, UK APAC Headquarters Singapore How We Measure These Numbers The base traffic pattern is the same for all the tests, but the number of connections is different on each platform, in order to load the machine to what we consider its peak, at 70% CPU. The base traffic pattern is: Explicitly proxied The same cache hit rate (20% of requests are cache hit/40 cache miss/40 non-cacheable) Using varying objects that average to a 12k object size Each client connection pipelines 10 requests BCAAA Server Sizing With current servers, hardware is not a limiting factor. Often when we max out Schannel, the BCAAA server s CPU is hovering around 10% - 15%. As a result, we no longer have any BCAAA server hardware recommendations. The hardware is more likely to matter in cases in which MaxConcurrentAPI has been increased, or Kerberos is being used, although we don t have any performance test numbers for these cases. Recommendations Authentication Mechanism: Use Kerberos instead of whenever possible. Surrogates: Use surrogates whenever possible. Consider using X-Forwarded-For header based surrogates in proxy chains. Use IWA-BCAAA instead of IWA-Direct if the following conditions exist: is used for authentication AND The MaxConcurrentAPI settings have been modified AND Surrogates cannot be used The customer is not willing to upgrade to SGOS or later In case the customer has performance issues with : Discuss modifying the MaxConcurrentAPI settings option. If customers are not willing to modify MaxConcurrentAPI settings, using nltest.exe (from the Windows resource kit) is another option. Nltest.exe can tell you which DC BCAAA is using for Schannel, and will allow you to forcibly switch to a DC that you specify. Some customers run nltest.exe in a cron job each night to ensure their BCAAA servers are always using the fastest DCs. SGOS or later and IWA-Direct can be used to specify a preferred DC. Another solution is to create multiple IWA-BCAAA realms on the ProxySG appliance, and to deploy a BCAAA server for each realm. Incoming requests can be authenticated by one realm or the other by client subnet, HTTP header, or some other criteria known prior to authentication. About Technical Briefs Technical briefs are designed to illustrate the features and capabilities of Blue Coat products. By describing generic solutions, technical briefs provide a foundation that Blue Coat customers can use to understand how Blue Coat products can be used to solve specific problems. These technical briefs are not intended to solve customer-specific requests; if you need a customized solution to address a specific concern, contact Blue Coat Professional Services at professionalservices@bluecoat.com Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, See Everything. Know Everything.,, and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. v.tb-iwa-deployment-guide-en-v1b
Blue Coat Security First Steps Solution for Integrating Authentication
Solution for Integrating Authentication using IWA Direct SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,
More informationBlue Coat ProxySG Authentication Guide. SGOS 6.5.x
Blue Coat ProxySG Authentication Guide SGOS 6.5.x 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9,
More informationBlue Coat Security First Steps Solution for Controlling HTTPS
Solution for Controlling HTTPS SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE,
More informationBlue Coat Security First Steps Transparent Proxy Deployments
Transparent Proxy Deployments SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE,
More informationBlue Coat Security First Steps. Solution for HTTP Object Caching
Solution for HTTP Object Caching Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM,
More informationWAN OPTIMIZATION FOR MICROSOFT SHAREPOINT BPOS
WHITEPAPER EXECUTIVE SUMMARY Microsoft SharePoint is a web-based collaboration and information-sharing platform designed as a centralized replacement for multiple web applications. SharePoint leverages
More informationDecrypt Inbound SSL Traffic for Passive Security Device (D-H)
Decrypt Inbound SSL Traffic for Passive Security Device (D-H) SSL Visibility Appliance First Steps Guide Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG,
More informationBlue Coat Security First Steps Solution for Deploying an Explicit Proxy
Blue Coat Security First Steps Solution for Deploying an Explicit Proxy SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
More informationSECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES
WHITEPAPER In today s complex network architectures it seems there are limitless ways to deploy networking equipment. This may be the case for some networking gear, but for web gateways there are only
More informationA TECHNICAL REVIEW OF CACHING TECHNOLOGIES
WHITEPAPER Over the past 10 years, the use of applications to enable business processes has evolved drastically. What was once a nice-to-have is now a mainstream staple that exists at the core of business,
More informationBlue Coat Security First Steps Solution for Integrating Authentication Using LDAP
Solution for Integrating Authentication Using LDAP SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,
More informationNEXT GENERATION SECURE WEB GATEWAY: THE CORNERSTONE OF YOUR SECURITY ARCHITECTURE
: THE CORNERSTONE OF YOUR SECURITY ARCHITECTURE A CLOSER LOOK REVEALS WHY PROXY-BASED ARCHITECTURE IS UNIQUELY EFFECTIVE IN DEFENDING AGAINST WEB-BASED THREATS. The web is central to the way we work, live,
More informationProxy Forwarding Access Method
Proxy Forwarding Access Method Version 6.8.3/Doc Revision: 12/17/15 Blue Coat Web Security Service Proxy Fowarding Access Method Copyrights 2015 Blue Coat Systems, Inc.All rights reserved. BLUE COAT, PROXYSG,
More informationBlue Coat Security First Steps Solution for Streaming Media
Blue Coat Security First Steps Solution for Streaming Media SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,
More informationExecutive Summary. What is Authentication, Authorization, and Accounting? Why should I perform Authentication, Authorization, and Accounting?
Executive Summary As the leader in Wide Area Application Delivery, Blue Coat products accelerate and secure applications within your WAN and across the Internet. Blue Coat provides a robust and flexible
More informationProxy Forwarding Access Method
Proxy Forwarding Access Method Version 6.8.5/Doc Revision: 02/26/16 Blue Coat Web Security Service/Page 2 Proxy Fowarding Access Method/Page 3 Copyrights 2016 Blue Coat Systems, Inc.All rights reserved.
More informationBlueCoat s Guide to Authentication V1.0
BlueCoat s Guide to Authentication V1.0 Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are
More informationReverse Proxy Deployment Guide
Reverse Proxy Deployment Guide PDF of the Online WebGuide SGOS 6.5.x and Later Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
More informationSecurity Provider Integration Kerberos Authentication
Security Provider Integration Kerberos Authentication 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are
More informationSingle Sign-on (SSO) technologies for the Domino Web Server
Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145
More informationReverse Proxy with SSL - ProxySG Technical Brief
SGOS 5 Series Reverse Proxy with SSL - ProxySG Technical Brief What is Reverse Proxy with SSL? The Blue Coat ProxySG includes the functionality for a robust and flexible reverse proxy solution. In addition
More informationSECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION
SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon
More informationWeb Application Classification Feature
Web Application Classification Feature PacketShaper 11.5 Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,
More informationBOOSTING INTERNET ACCESS LINK PERFORMANCE WITH BLUE COAT WAN OPTIMIZATION TECHNOLOGIES
PERFORMANCE WITH BLUE COAT WHITEPAPER EXECUTIVE SUMMARY Gateways to Internet traffic are facing unprecedented loads and growth rates in all types of industries and organizations due to the growth of mobile
More informationBCAAA 6.1 Service Requirements
BCAAA 6.1 Service Requirements Current Version: 6.1.3 Image Location: The current version of BCAAA is available for download with the latest SGOS GA releases SGOS Compatibility: SGOS 5.4, 5.5, 6.x Platform
More informationBlue Coat Security First Steps Solution for Recording and Reporting Employee Web Activity
Solution for Recording and Reporting Employee Web Activity SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,
More informationBlue Coat ICS PROTECTION Scanner Station Version
Blue Coat ICS PROTECTION Scanner Station Version USB Malware Defense for Industrial Computers User Guide, version 5.3.1 Contents Contents 1. ABOUT... 3 1.1. About this Guide... 3 1.2. System Requirements...
More informationBlue Coat Security First Steps Solution for Controlling Web Applications
Blue Coat Security First Steps Solution for Controlling Web Applications SGOS 6.5 Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
More informationBlue Coat Systems. Client Manager Redundancy for ProxyClient Deployments
Blue Coat Systems Client Manager Redundancy for ProxyClient Deployments Copyright 1999-2013 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
More informationVIRTUALIZED SECURITY: THE NEXT GENERATION OF CONSOLIDATION
WHITEPAPER A consolidated security infrastructure is more than just an idea; in today s world of increasingly diversified threats and associated rising costs, it s imperative that organizations adopt a
More information800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410
800-782-3762 www.stbernard.com Active Directory 2008 Implementation Version 6.410 Contents 1 INTRODUCTION...2 1.1 Scope... 2 1.2 Definition of Terms... 2 2 SERVER CONFIGURATION...3 2.1 Supported Deployment
More informationInstallation and configuration guide
Installation and Configuration Guide Installation and configuration guide Adding X-Username support to Forward and Reverse Proxy TMG Servers Published: December 2010 Applies to: Winfrasoft X-Username for
More informationBlue Coat Systems SG Appliance
Blue Coat Systems SG Appliance Configuration and Management Guide Volume 5: Securing the Blue Coat SG Appliance SGOS Version 5.1.x Volume 5: Securing the Blue Coat SG Appliance Contact Information Blue
More informationHow to Configure Captive Portal
How to Configure Captive Portal Captive portal is one of the user identification methods available on the Palo Alto Networks firewall. Unknown users sending HTTP or HTTPS 1 traffic will be authenticated,
More informationProxySG TechBrief Enabling Transparent Authentication
ProxySG TechBrief Enabling Transparent Authentication What is Transparent Authentication? Authentication is a key factor when defining a web access policy. When the Blue Coat ProxyxSG is configured for
More informationInstallation and configuration guide
Installation and Configuration Guide Installation and configuration guide Adding X-Forwarded-For support to Forward and Reverse Proxy TMG Servers Published: May 2010 Applies to: Winfrasoft X-Forwarded-For
More informationLDAP Authentication and Authorization
LDAP Authentication and Authorization What is LDAP Authentication? Today, the network can include elements such as LANs, WANs, an intranet, and the Internet. Many enterprises have turned to centralized
More informationSecure Web Gateway Virtual Appliance Initial Configuration Guide Platform: VMware vsphere Hypervisor
Secure Web Gateway Virtual Appliance Initial Configuration Guide Platform: VMware vsphere Hypervisor SGOS 6.5.x and later i Secure Web Gateway Virtual Appliance Contact Information Americas: Blue Coat
More informationImplementing Exception Pages
Technical Brief: Implementing Exception Pages Implementing Exception Pages SGOS 5 Series Developed using SGOS 5.3.1.4 What are Exception Pages? Exception pages are Web pages (messages sent to users under
More informationUser-ID Best Practices
User-ID Best Practices PAN-OS 5.0, 5.1, 6.0 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers
More informationBlue Coat Cloud Data Protection Server Administration Guide
Blue Coat Cloud Data Protection Server Administration Guide Software version 4.5.x September 16, 2015 2015 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper,
More informationMicrosoft Lync Server 2010
Microsoft Lync Server 2010 Scale to a Load Balanced Enterprise Edition Pool with WebMux Walkthrough Published: March. 2012 For the most up to date version of the Scale to a Load Balanced Enterprise Edition
More informationDIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access
DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations
More informationProxySG ICAP Integration
ProxySG ICAP Integration Blue Coat s proxies can utilize the Internet Content Adaptation Protocol (ICAP) to hand off HTTP requests and/or responses to an external server for configured processing and transformation.
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationWindows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation
Windows 2000 Security Architecture Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Topics Single Sign-on Kerberos v5 integration Active Directory security Delegation of authentication
More informationUser Identification and Authentication
User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included
More informationPingFederate. IWA Integration Kit. User Guide. Version 2.6
PingFederate IWA Integration Kit Version 2.6 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 2.6 March, 2012 Ping Identity Corporation
More informationThird Party Integration
APPENDIXG This appendix contains the following sections: Overview, page G-1 BlackBerry Enterprise Server, page G-1 Blue Coat, page G-2 Check Point, page G-3 Firebox, page G-4 ISA Server/Forefront TMG,
More informationProxyCap Help. Table of contents. Configuring ProxyCap. 2015 Proxy Labs
ProxyCap Help 2015 Proxy Labs Table of contents Configuring ProxyCap The Ruleset panel Loading and saving rulesets Delegating ruleset management The Proxies panel The proxy list view Adding, removing and
More informationwww.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013
www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,
More information2. Are explicit proxy connections also affected by the ARM config?
Achieving rapid success with WCCP and Web Security Gateway October 2011 Webinar Q/A 1. What if you are already using WCCP for Cisco waas on the same routers that you need to use WCCP for websense? Using
More informationPingFederate. IWA Integration Kit. User Guide. Version 3.0
PingFederate IWA Integration Kit Version 3.0 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 3.0 April, 2012 Ping Identity Corporation
More informationBlue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.5-6.2
Blue Coat Systems Reference Guide WCCP Reference Guide For SGOS 5.5-6.2 Contact Information Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the World: Blue Coat Systems
More informationReverse Proxy for Trusted Web Environments > White Paper
> White Paper ProxySG for Reverse Proxy Web-based solutions are being implemented for nearly every aspect of business operations, and increasingly for trusted environments with mission-critical business
More informationUser Guide. Cloud Gateway Software Device
User Guide Cloud Gateway Software Device This document is designed to provide information about the first time configuration and administrator use of the Cloud Gateway (web filtering device software).
More informationHow To Use Netscaler As An Afs Proxy
Deployment Guide Guide to Deploying NetScaler as an Active Directory Federation Services Proxy Enabling seamless authentication for Office 365 use cases Table of Contents Introduction 3 ADFS proxy deployment
More informationSecurity Report. Security Empowers Business DO NOT ENTER. Blue Coat Research Maps the Web s Shadiest Neighborhoods. September 2015
Security Report Security Empowers Business DO NOT ENTER Blue Coat Research Maps the Web s Shadiest Neighborhoods September 2015 The Web s Shadiest Neighborhoods KEY FINDINGS There has been an explosion
More informationJuniper Networks Secure Access Kerberos Constrained Delegation
Juniper Networks Secure Access Kerberos Constrained Delegation Release 6.4 CONTENT 1. BACKGROUND...3 2. SETTING UP CONSTRAINED DELEGATION...5 2.1 ACTIVE DIRECTORY CONFIGURATION...5 2.1.1 Create a Kerberos
More informationSSL Proxy Deployment Guide
SSL Proxy Deployment Guide SGOS 6.5 and later Version: 02-07.14.15 - 2 - Copyrights 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS,
More informationUse FortiWeb to Publish Applications
Tech Brief Use FortiWeb to Publish Applications Replacing Microsoft TMG with a FortiWeb Web Application Firewall Version 0.2, 27 June 2014 FortiWeb Release 5.2.0 Introduction This document is intended
More informationwww.stbernard.com Active Directory 2008 Implementation Guide Version 6.3
800 782 3762 www.stbernard.com Active Directory 2008 Implementation Guide Version 6.3 Contents 1 INTRODUCTION... 2 1.1 Scope... 2 1.2 Definition of Terms... 2 2 SERVER CONFIGURATION... 3 2.1 Supported
More informationOkta/Dropbox Active Directory Integration Guide
Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 info@okta.com 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for
More informationWEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES
BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES WEBTITAN CLOUD User Identification Guide This guide explains how to install and configure the WebTitan Cloud Active Directory components required
More informationContent Analysis System Guide
Content Analysis System Guide Version 1.1.4.1 - 2 - Content Analysis System Administration Guide Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER,
More informationTIBCO Spotfire Platform IT Brief
Platform IT Brief This IT brief outlines features of the system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily
More informationNETASQ ACTIVE DIRECTORY INTEGRATION
NETASQ ACTIVE DIRECTORY INTEGRATION NETASQ ACTIVE DIRECTORY INTEGRATION RUNNING THE DIRECTORY CONFIGURATION WIZARD 2 VALIDATING LDAP CONNECTION 5 AUTHENTICATION SETTINGS 6 User authentication 6 Kerberos
More informationNetSpective Global Proxy Configuration Guide
NetSpective Global Proxy Configuration Guide Table of Contents NetSpective Global Proxy Deployment... 3 Configuring NetSpective for Global Proxy... 5 Restrict Admin Access... 5 Networking... 6 Apply a
More informationUse Enterprise SSO as the Credential Server for Protected Sites
Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured
More informationGuide to SASL, GSSAPI & Kerberos v.6.0
SYMLABS VIRTUAL DIRECTORY SERVER Guide to SASL, GSSAPI & Kerberos v.6.0 Copyright 2011 www.symlabs.com Chapter 1 Introduction Symlabs has added support for the GSSAPI 1 authentication mechanism, which
More informationIceWarp Server - SSO (Single Sign-On)
IceWarp Server - SSO (Single Sign-On) Probably the most difficult task for me is to explain the new SSO feature of IceWarp Server. The reason for this is that I have only little knowledge about it and
More informationDeploying F5 with Microsoft Active Directory Federation Services
F5 Deployment Guide Deploying F5 with Microsoft Active Directory Federation Services This F5 deployment guide provides detailed information on how to deploy Microsoft Active Directory Federation Services
More informationUser Identification (User-ID) Tips and Best Practices
User Identification (User-ID) Tips and Best Practices Nick Piagentini Palo Alto Networks www.paloaltonetworks.com Table of Contents PAN-OS 4.0 User ID Functions... 3 User / Group Enumeration... 3 Using
More informationIntegrating the ProxySG and ProxyAV Appliances. For SGOS 6.5 and later and AVOS 3.5 and later
Integrating the ProxySG and ProxyAV Appliances For SGOS 6.5 and later and AVOS 3.5 and later i Contact Information Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the
More informationInitial Configuration Guide
Initial Configuration Guide For Virtual Appliances Management Center 1.3.2.1 Version 1.3.2.1 Third Party Copyright Notices Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER,
More informationInterwise Connect. Working with Reverse Proxy Version 7.x
Working with Reverse Proxy Version 7.x Table of Contents BACKGROUND...3 Single Sign On (SSO)... 3 Interwise Connect... 3 INTERWISE CONNECT WORKING WITH REVERSE PROXY...4 Architecture... 4 Interwise Web
More informationEXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS
EXTENDING THREAT PROTECTION AND WHITEPAPER CLOUD-BASED SECURITY SERVICES PROTECT USERS IN ANY LOCATION ACROSS ANY NETWORK It s a phenomenon and a fact: employees are always on today. They connect to the
More informationSSL VPN Server Guide. Access Manager 3.2 SP2. June 2013
SSL VPN Server Guide Access Manager 3.2 SP2 June 2013 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A
More informationInstalling and Configuring vcloud Connector
Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationVMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationBlue Coat Systems. Reference Guide. SSL Proxy. For SGOS 5.5.x and later
Blue Coat Systems Reference Guide SSL Proxy For SGOS 5.5.x and later Contact Information Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the World: Blue Coat Systems
More informationWebsense Support Webinar: Questions and Answers
Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user
More informationTIBCO Spotfire Web Player 6.0. Installation and Configuration Manual
TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED
More informationConfiguring SSL VPN on the Cisco ISA500 Security Appliance
Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these
More informationSchoolBooking SSO Integration Guide
SchoolBooking SSO Integration Guide Before you start This guide has been written to help you configure SchoolBooking to operate with SSO (Single Sign on) Please treat this document as a reference guide,
More informationINTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN
INTEGRATION GUIDE IDENTIKEY Federation Server for Juniper SSL-VPN Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO
More informationConfiguring Security Features of Session Recording
Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording
More informationConnection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V
Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com
More informationPassword Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos
Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website:
More informationIntegrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies
Guideline Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies Product(s): IBM Cognos 8 BI Area of Interest: Security Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies 2 Copyright
More informationVirtual Appliance for VMware Server. Getting Started Guide. Revision 2.0.2. Warning and Disclaimer
Virtual Appliance for VMware Server Getting Started Guide Revision 2.0.2 Warning and Disclaimer This document is designed to provide information about the configuration and installation of the CensorNet
More informationGuideline for setting up a functional VPN
Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the
More informationSiteCelerate white paper
SiteCelerate white paper Arahe Solutions SITECELERATE OVERVIEW As enterprises increases their investment in Web applications, Portal and websites and as usage of these applications increase, performance
More informationDeploying with Websense Content Gateway
Deploying with Websense Content Gateway Websense Content Gateway is a high-performance Web proxy that provides realtime content scanning and Web site classification to protect network computers from malicious
More informationVMware Identity Manager Connector Installation and Configuration
VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document
More informationBlue Coat Systems Cloud Security Service Overview. Blue Coat Cloud Security Service (ThreatPulse)
Blue Coat Systems Cloud Security Service Overview Blue Coat Cloud Security Service (ThreatPulse) Blue Coat Cloud Security Service: Security Statements Contact Information Americas: Blue Coat Systems Inc.
More informationProxySG TechBrief LDAP Authentication with the ProxySG
ProxySG TechBrief LDAP Authentication with the ProxySG What is LDAP Authentication? Today, the network can include elements such as LANs, WANs, an intranet, and the Internet. Many enterprises have turned
More informationPortal Administration. Administrator Guide
Portal Administration Administrator Guide Portal Administration Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationPolicy Guide. Version 6.8.2/Doc Revision: 10/23/15
Policy Guide Version 6.8.2/Doc Revision: 10/23/15 Blue Coat Web Security Service Copyrights 2015 Blue Coat Systems, Inc.All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,
More information