diff --git a/Apache/SOGo.conf b/Apache/SOGo.conf
index bfe7560ba..3dd0df476 100644
--- a/Apache/SOGo.conf
+++ b/Apache/SOGo.conf
@@ -26,12 +26,23 @@ Alias /SOGo/WebServerResources/ \
 ## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and
 ## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section
 ## below.
+#
+## For full proxy-side authentication:
 #<Location /SOGo>
 #  AuthType XXX
 #  Require valid-user
 #  SetEnv proxy-nokeepalive 1
 #  Allow from all
 #</Location>
+#
+## For proxy-side authentication only for CardDAV and GroupDAV from external
+## clients:
+#<Location /SOGo/dav>
+#  AuthType XXX
+#  Require valid-user
+#  SetEnv proxy-nokeepalive 1
+#  Allow from all
+#</Location>
 
 ProxyRequests Off
 SetEnv proxy-nokeepalive 1
@@ -64,7 +75,8 @@ ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
 
 ## When using proxy-side autentication, you need to uncomment and
 ## adjust the following line:
-#  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
+  RequestHeader unset "x-webobjects-remote-user"
+#  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER
 
   RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
 
diff --git a/Main/SOGo.m b/Main/SOGo.m
index 2eb4a9bd8..c3b015771 100644
--- a/Main/SOGo.m
+++ b/Main/SOGo.m
@@ -283,7 +283,7 @@ static BOOL debugLeaks;
 {
   id authenticator;
 
-  if (trustProxyAuthentication)
+  if (trustProxyAuthentication && [[context request] headerForKey: @"x-webobjects-remote-user"])
     authenticator = [SOGoProxyAuthenticator sharedSOGoProxyAuthenticator];
   else
     {