What should the Virtual URL be in transparent authentication on the ProxySG?



Solution

Overview

What should the Virtual URL be in transparent authentication on the ProxySG?
The default virtual URL is www.cfauth.com/ .
Can I change the default URL?
If I can change the default URL, what should the URL be?
My authentication mode is of the origin-redirect or origin-*-redirect mode

Cause
Resolution

If you are trying to implement silent authentication (no pop-up box) in a transparent proxy deployment with an origin-*-redirect authentication mode, you will need to change the Virtual URL from www.cfauth.com/ to a hostname that is internally resolvable, such as http://proxysg . NOTE: Because of a browser design, if there is a period in the host name (something.something), the browser may think the proxy exists in the Internet zone instead of the intranet zone and it will not pass credentials to the proxy. A single host name with no dots is therefore required. A DNS entry or workstation hosts file needs to be configured so that whatever name you place in the virtual URL resolves to the IP address of the ProxySG in your environment.

Here are the steps to make the changes on your ProxySG:

  1. Log in to the Management Console ( https://<ip.address.of.proxysg>:8082/ ).  Go to the Configuration tab > Authentication > {Select your authentication type, such as IWA, Windows SSO, and so forth}.
  2. Click on the last tab, which will be <authentication type> General.  Some examples are "IWA General", or "Windows SSO General".
  3. There is a "Virtual URL" setting on the General tab.  By default, the virtual URL is set to www.cfauth.com/ .  Change this to http://<some-host-name-resolvable-on-your-network> .  Some examples are http://proxysg or http://myproxy or http://bluecoat and so forth.  NOTE:  Whatever name you select here must be resolvable to the IP address of the ProxySG.  If not, this new virtual URL name will not work.
  4. Click on Apply to save your changes.
  5. Test and make sure it all works as expected.

 

NOTE:  The ProxySG must have the explicit proxy service enabled on port 80 for this to work properly.

TROUBLESHOOTING:

  1. Make sure you can ping the hostname, whatever you choose, from the command line.
  2. Make sure there are no dots (.) in the virtual URL name.
  3. Make sure the ProxySG has the explicit proxy service enabled on port 80.
  4. Take a packet capture (pcap) and make sure the ProxySG is redirecting to the virtual URL and that the virtual URL is being resolved to the IP address of the ProxySG.
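Troubleshooting steps 1 and 2 can be checked from a workstation with a short script. The following is an added example, not part of the original article or any ProxySG tooling; the function name `check_virtual_url`, the host names and the address 10.1.1.5 are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit


def check_virtual_url(url, proxysg_ip, resolve=None):
    """Return a list of problems with a candidate virtual URL (empty list = OK).

    resolve is an optional callable(host) -> list of IPv4 strings; it defaults
    to the workstation's own resolver (DNS and hosts file).
    """
    if resolve is None:
        resolve = lambda host: socket.gethostbyname_ex(host)[2]

    # The default value "www.cfauth.com/" has no scheme, so add one for parsing.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return ["no host name found in the virtual URL"]

    problems = []
    # A dot in the name can place the host in the browser's Internet zone,
    # in which case credentials are not passed silently.
    if "." in host:
        problems.append(f"'{host}' contains a dot; use a single-label host name")

    # The name must resolve to the ProxySG itself.
    try:
        addresses = resolve(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        problems.append(f"'{host}' does not resolve: {exc}")
        return problems
    if proxysg_ip not in addresses:
        problems.append(f"'{host}' resolves to {addresses}, not {proxysg_ip}")
    return problems


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS so the demo runs offline.
    sample_dns = {"proxysg": ["10.1.1.5"], "myproxy": ["10.9.9.9"]}

    def sample_resolve(host):
        if host not in sample_dns:
            raise OSError("unknown host")
        return sample_dns[host]

    for candidate in ("http://proxysg", "http://myproxy", "www.cfauth.com/"):
        issues = check_virtual_url(candidate, "10.1.1.5", resolve=sample_resolve)
        print(candidate, "->", issues or "OK")
```

Run it without the `resolve` argument on a client workstation to use that machine's real DNS and hosts file.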
Workaround
Additional Information
Bug Number
InQuira Doc Id: KB3448
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      ProxySG
Software      SGOS 4, SGOS 5
Topic      Authentication, Networking
Article Number      000015537