Cisco Support Community

IronPort WSA S170 and Context directory agent

Hello people and experts,

I need your consultation regarding IronPort and CDA deployment.

I couldn't find any information on the internet...

So my question is: if IronPort is an AD domain member and explicit forward proxy is planned to be used, do I need CDA to be deployed? What will happen if I don't want to deploy CDA in my environment?

As I understood, CDA is useful when IronPort works as a transparent proxy or if IronPort is not a member of the same domain as users.

Please advise.

Accepted Solutions

The most useful part of CDA

The most useful part of CDA for us is that authentication happens before the user hits the WSA with a browser. If you have apps that don't deal with authentication well, or at all, the CDA will catch the auth from the AD boxes, and pass it to the WSA at login time.

Cisco Employee

The CDA eliminates the need

The CDA eliminates the need for NTLM authentication.  Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X.  When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on this particular IP address.  Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.
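
A simplified model of the lookup flow described in the answer above, added here as an illustration; it is not Cisco's code and not from either post, and the event tuples, group table and 8-hour mapping lifetime are constructed assumptions. It also shows two properties of IP-based identification worth checking in a deployment: the latest logon seen on an address wins, and an old mapping has to expire.

```python
from datetime import datetime, timedelta

# Constructed sample logon events (time, user, client IP); not real AD or CDA output.
EVENTS = [
    ("2024-01-15T08:01:00", "alice", "10.0.0.21"),
    ("2024-01-15T08:05:00", "bob", "10.0.0.22"),
    ("2024-01-15T13:30:00", "carol", "10.0.0.21"),  # later logon from the same IP
]
# Hypothetical group data standing in for the proxy's AD group query.
GROUPS = {"alice": ["Staff"], "bob": ["Staff", "IT"], "carol": ["Contractors"]}
MAX_AGE = timedelta(hours=8)  # assumed mapping lifetime, not a product default


class IdentityMap:
    """IP-to-user table fed by logon events (the agent's role in the thread)."""

    def __init__(self):
        self._by_ip = {}

    def record_logon(self, ts, user, ip):
        # The most recent logon seen for an IP replaces any earlier one.
        self._by_ip[ip] = (user, datetime.fromisoformat(ts))

    def who_is(self, ip, now):
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        user, seen = entry
        # Expire old entries so a reassigned address is not tied to a past user.
        return user if now - seen <= MAX_AGE else None


def build_map(events):
    idmap = IdentityMap()
    for ts, user, ip in events:
        idmap.record_logon(ts, user, ip)
    return idmap


def proxy_identify(idmap, client_ip, now):
    """Proxy side: ask the map who is on this IP, then look up groups."""
    user = idmap.who_is(client_ip, datetime.fromisoformat(now))
    if user is None:
        return ("unidentified", [])  # what happens next is a policy decision
    return (user, GROUPS.get(user, []))


if __name__ == "__main__":
    m = build_map(EVENTS)
    for ip in ("10.0.0.21", "10.0.0.22", "10.0.0.99"):
        print(ip, proxy_identify(m, ip, "2024-01-15T17:00:00"))
```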

 
