In some cases, a user who logs in locally to a workstation and who is not supposed to have access to any websites through the ProxySG may still be able to reach them, even though the ProxySG policy says otherwise.
This issue may occur when a user logs in locally only (not to the domain) to a DHCP-enabled workstation in a Windows SSO environment that uses a Domain Controller Query, if the assigned IP address hasn't changed and the previous user's cached credentials on the ProxySG haven't expired. In this scenario, the ProxySG continues to apply the policies for the previous user, which may differ from those intended for the current user.
This issue is caused by the settings in the sso.ini file below:
This setting means that, by default, a valid logon remains valid for one day (24 hours).
Assume User A is the user who logged in to a domain and who has rights to access the websites. User B is the user who logged in locally (not to a domain) to the workstation and who is not supposed to have rights to access the websites.
In the scenario below:
1. User A logs in to a domain and browses a website as usual. Then he logs off.
2. User A's DHCP IP expires.
3. User B logs in locally (not to a domain) to a workstation, and the workstation gets a DHCP IP that was previously owned by User A's workstation.
4. All of the above happens within one day (24 hours).
This allows User B to browse the website even though he is not supposed to.
When User B tries to browse the Internet through the ProxySG, the ProxySG sends the client IP to the BCAAA agent server. BCAAA then responds that the IP is in the 'Ip-to-User' table (since this IP is still valid) and informs the ProxySG that the IP is mapped to User A. Because User A has access to the website based on the ProxySG policy, the request is allowed. Neither the ProxySG nor BCAAA is aware of User B's username because he logged in locally.
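The following added example (not part of the original article, and not BCAAA or ProxySG code) models the IP-to-user lookup with the 24-hour validity described above and audits each proxy request against DHCP lease history to flag identities that are stale because the address changed hands after the logon. All names, addresses, MACs and timestamps are constructed, and it assumes DHCP lease records with MAC addresses are available to the auditor.

```python
from datetime import datetime, timedelta

TTL = timedelta(hours=24)  # the article's default: a logon stays valid for one day

# Constructed sample data (not real logs).
T0 = datetime(2024, 1, 8, 9, 0)
DOMAIN_LOGONS = [  # (time, ip, user) as learned from the domain controller
    (T0, "10.0.0.23", "DOMAIN\\userA"),
]
DHCP_LEASES = [  # (time, ip, mac) each time the address is handed out
    (T0 - timedelta(minutes=5), "10.0.0.23", "aa:aa:aa:aa:aa:01"),
    (T0 + timedelta(hours=4), "10.0.0.23", "bb:bb:bb:bb:bb:02"),
]
REQUESTS = [  # (time, ip) proxy requests that need an identity
    (T0 + timedelta(hours=1), "10.0.0.23"),   # User A, still logged on
    (T0 + timedelta(hours=5), "10.0.0.23"),   # User B, local logon, reused IP
    (T0 + timedelta(hours=30), "10.0.0.23"),  # mapping has expired
]


def resolve(ip, when, logons=DOMAIN_LOGONS, ttl=TTL):
    """Return (user, logon_time) for the newest unexpired mapping, else None."""
    hits = [(t, u) for t, i, u in logons if i == ip and t <= when < t + ttl]
    if not hits:
        return None
    t, u = max(hits)
    return u, t


def lease_holder(ip, when, leases=DHCP_LEASES):
    """MAC that held `ip` at `when`, according to the DHCP lease history."""
    held = [(t, m) for t, i, m in leases if i == ip and t <= when]
    return max(held)[1] if held else None


def audit(requests=REQUESTS):
    """Label each request 'ok', 'stale' (IP changed hands since logon) or 'unmapped'."""
    out = []
    for when, ip in requests:
        hit = resolve(ip, when)
        if hit is None:
            out.append((when, ip, None, "unmapped"))
            continue
        user, logon_time = hit
        same_host = lease_holder(ip, logon_time) == lease_holder(ip, when)
        out.append((when, ip, user, "ok" if same_host else "stale"))
    return out
```

The second request is attributed to User A although a different machine now holds the address, which is the case the article describes; the third is unmapped only because the 24 hours have passed.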
Imported Document ID: 000007969