In order to make the most of authentication on an explicit proxy, we recommend using 'proxy-ip' authentication mode. This reduces the load on the link between the ProxySG and BCAAA, and ensures that user traffic is authenticated with the highest level of flexibility.
However, because that authentication mode saves the user's IP and user ID in a table for reference, this isn't an option for scenarios where traffic from multiple users will appear to the proxy to come from the same IP address. Examples of this are:
- Terminal server environments
- NAT network traffic
The solution is to create policy specific to the shared IP or IPs that configures 'proxy' mode authentication. This ensures that each request for content is authenticated without caching the users' credentials on the proxy, and alleviates concerns of one user's traffic being tracked under another user's ID.
Steps to do this are below:
- In your web authentication layer, create a new rule above your existing 'authenticate' rule.
- Set the source for this rule to a new client IP address. Define the Citrix or NAT IP here; don't enter a subnet mask.
- Set a new action for this rule, to be a new authenticate object. Set the realm to your IWA realm and the mode as 'proxy'.
- Install the policy.
This ensures that your proxy still leverages the benefits of proxy-ip authentication mode for appropriate clients, while providing the highest level of validity for your shared user environment traffic.
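For administrators who maintain policy as CPL rather than through the VPM, the rule order above can be sketched as follows. This is an added example, not policy from the original article or from the vendor: the realm name iwa_realm, the subnet label shared_user_hosts and the 192.0.2.x addresses are placeholders, and the result should be compared with the CPL that the VPM generates on your appliance.

```cpl
; Added example: hand-written CPL mirroring the steps above.
; Assumptions: iwa_realm is a placeholder for your IWA realm name;
; 192.0.2.10 and 192.0.2.11 stand in for your Citrix / NAT addresses.

; Hosts from which many users share one source IP. Entries are single
; addresses with no mask, matching the instruction in the steps.
define subnet shared_user_hosts
    192.0.2.10
    192.0.2.11
end

<Proxy>
    ; Rules in a layer are evaluated top to bottom and the first match wins,
    ; so the shared-IP rule must sit above the general authenticate rule.
    ; 'proxy' mode: no IP-to-user entry is kept for these sources.
    client.address=shared_user_hosts authenticate(iwa_realm) authenticate.mode(proxy)

    ; All other clients keep 'proxy-ip' mode and its IP-to-user table.
    authenticate(iwa_realm) authenticate.mode(proxy-ip)
```

After installing, requests from the shared addresses in the access log should carry the ID of the user who actually made each request rather than a single repeated user.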
Imported Document ID: 000008065