Sunday, May 19, 2013

Windows domain authentication failed!!! (Bluecoat)

  Recently a client ran into a problem, a really big problem :(
  They have a Bluecoat ProxySG for internet access, and to authorize different users they use Windows domain authentication against a Windows Server 2003 domain controller.
  Everything ran well until ... they upgraded the Windows server from 2003 to 2008. Then they began to get complaint calls from end users saying they could not browse the internet: when they opened websites they got a message prompting "Access Denied".
  Not that many people complained, only about 100 users, but which users hit the problem was random (they have 4,000 end users). So this really is a big problem.
  We tried to find the root cause, and found the explanation in the Bluecoat KB:
  https://kb.bluecoat.com/index?page=content&id=FAQ873&actp=search&viewlocale=en_US&searchid=1368960465967

  Then another problem came up: how to solve it! That is the key point.
  I went through the whole KB site and tried every method Bluecoat gives. None of them worked.
  After a lot of testing, and following the Bluecoat SE's advice, I finally found the way that really works.
  These are my commands:

; Users that the Windows 2008 domain controller lets through IWA silently:
; the anonymous logon identity (English and French locale names) and
; machine accounts, whose names end in "$".
define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user="AUTORITE NT\anonymous logon"
    user.regex='.+\$$'
end condition IWA_SILENT_USERS

; Deny such silent logons and clear the cached login so the client
; re-authenticates against the AD_Authen realm.
<Proxy>
    realm=AD_Authen condition=IWA_SILENT_USERS deny.unauthorized user.login.log_out(yes)

; Non-interactive clients and update/CRL domains never prompt a user,
; so skip authentication for them entirely.
<Proxy>
    condition=userAgentList authenticate(no) allow
    condition=DoNotAuthDomains authenticate(no) allow

define condition userAgentList
    request.header.User-Agent="Microsoft-CryptoAPI"
    request.header.User-Agent="MSUpdate"
    request.header.User-Agent="AVUpdate"
    request.header.User-Agent="iTunes"
    request.header.User-Agent="iphone"
    request.header.User-Agent="ipad"
    request.header.User-Agent="Stocks"
    request.header.User-Agent="CFNetwork"
    request.header.User-Agent="Windows-Media-Player"
    request.header.User-Agent="NSPlayer"
    request.header.User-Agent="flash"
    request.header.User-Agent="Office"
    request.header.User-Agent="webex utiltp"
    request.header.User-Agent="241Extra!"
    request.header.User-Agent="Acrobat Messages Updater"
    request.header.User-Agent="Adobe Log Transport"
    request.header.User-Agent="Adobe Update Manager"
    request.header.User-Agent="Microsoft BITS"
    request.header.User-Agent="Microsoft Data Access Internet Publishing Provider Protocol Discovery"
    request.header.User-Agent="Microsoft-WebDAV"
    request.header.User-Agent="Windows-Update-Agent"
    request.header.User-Agent="ncsi"
    request.header.User-Agent="TMUFE"
end condition userAgentList

define condition DoNotAuthDomains
    url.domain=msftncsi.com
    url.domain=windowsupdate.com
    url.domain=crl.microsoft.com
    url.domain=mscrl.microsoft.com
    url.domain=verisign.com
    url.domain=watson.microsoft.com
    url.domain=trendmicro.com
    url.domain=update.nai.com
    url.domain=update.symantec.com
    url.domain=acs.pandasoftware.com
    url.domain=secure.pandasoftware.com
end condition DoNotAuthDomains

After I added these commands to the local policy file, everything went well ...
I think the main commands are the ones in bold; I tried adding the other commands on their own and it did not work.
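To make the policy's decision logic concrete, here is an added Python model of the three conditions above and the two proxy layers that use them. It is my own example, not the author's policy and not Blue Coat code. It assumes CPL semantics the post does not spell out: a later <Proxy> layer overrides an earlier one, request.header.User-Agent= is a case-insensitive substring match, and url.domain= matches the domain and its subdomains. The sample requests are constructed; run it over your own access-log fields to count how many requests the silent-logon rule would have denied before the fix.

```python
import re
from collections import Counter

# Constructed equivalents of the IWA_SILENT_USERS condition.
SILENT_USER_NAMES = {
    "nt authority\\anonymous logon",
    "autorite nt\\anonymous logon",
}
MACHINE_ACCOUNT_RE = re.compile(r".+\$$")  # same pattern as user.regex='.+\$$'

# Constructed copies of the userAgentList and DoNotAuthDomains conditions.
USER_AGENT_LIST = [
    "Microsoft-CryptoAPI", "MSUpdate", "AVUpdate", "iTunes", "iphone", "ipad",
    "Stocks", "CFNetwork", "Windows-Media-Player", "NSPlayer", "flash", "Office",
    "webex utiltp", "241Extra!", "Acrobat Messages Updater", "Adobe Log Transport",
    "Adobe Update Manager", "Microsoft BITS",
    "Microsoft Data Access Internet Publishing Provider Protocol Discovery",
    "Microsoft-WebDAV", "Windows-Update-Agent", "ncsi", "TMUFE",
]
DO_NOT_AUTH_DOMAINS = [
    "msftncsi.com", "windowsupdate.com", "crl.microsoft.com", "mscrl.microsoft.com",
    "verisign.com", "watson.microsoft.com", "trendmicro.com", "update.nai.com",
    "update.symantec.com", "acs.pandasoftware.com", "secure.pandasoftware.com",
]


def is_silent_user(user):
    """True for the anonymous-logon identity or a machine account (name ends in '$')."""
    return user.lower() in SILENT_USER_NAMES or MACHINE_ACCOUNT_RE.search(user) is not None


def matches_user_agent_list(user_agent):
    """Assumed CPL behaviour: case-insensitive substring match on the header value."""
    ua = user_agent.lower()
    return any(entry.lower() in ua for entry in USER_AGENT_LIST)


def in_do_not_auth_domains(host):
    """Assumed url.domain= behaviour: the domain itself or any subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DO_NOT_AUTH_DOMAINS)


def decide(user, user_agent, host):
    """Outcome of the two <Proxy> layers for one request.

    Assumed CPL precedence: the later layer (authenticate(no) allow) wins over the
    earlier deny, so the bypass lists are checked first.
    """
    if matches_user_agent_list(user_agent) or in_do_not_auth_domains(host):
        return "allow-no-auth"
    if is_silent_user(user):
        return "deny-logout"   # deny.unauthorized + user.login.log_out(yes)
    return "authenticate"


# Constructed sample of (user, User-Agent, host) fields as they might appear in an
# access log; not real traffic from the post.
SAMPLE_REQUESTS = [
    ("CORP\\alice", "Mozilla/5.0 (Windows NT 6.1)", "www.example.com"),
    ("NT AUTHORITY\\anonymous logon", "Mozilla/5.0 (Windows NT 6.1)", "www.example.com"),
    ("PC0042$", "Microsoft-CryptoAPI/6.1", "crl.microsoft.com"),
    ("PC0042$", "Mozilla/5.0 (Windows NT 6.1)", "intranet.example.com"),
    ("CORP\\bob", "Windows-Update-Agent", "download.windowsupdate.com"),
]


def triage(requests):
    """Count each outcome and list the silent identities the deny rule would catch."""
    counts = Counter()
    silent_identities = set()
    for user, user_agent, host in requests:
        outcome = decide(user, user_agent, host)
        counts[outcome] += 1
        if outcome == "deny-logout":
            silent_identities.add(user)
    return dict(counts), sorted(silent_identities)


if __name__ == "__main__":
    counts, identities = triage(SAMPLE_REQUESTS)
    print(counts)
    print("silent identities that would be forced to re-authenticate:", identities)
```

The triage output is what you would want before rolling the policy out: the "deny-logout" bucket is the set of sessions the Windows 2008 DC was letting through as anonymous or machine accounts, which is exactly the population that saw "Access Denied".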
