Certain applications / User-Agents will perform authentication with their computer accounts. This is generally observed with Windows Vista and Windows 7. Computer accounts are similar to user accounts in several ways – they have a password, and they can belong to groups. However, by default, computer accounts belong only to the 'Domain Computers' group.
For example, the Windows Update agent may authenticate with the computer's account and result in forbidden/denied access :
Hypertext Transfer Protocol HEAD http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?xxxxxxxxxx HTTP/1.1\r\n Accept: */*\r\n User-Agent: Windows-Update-Agent\r\n Proxy-Connection: Keep-Alive\r\n Host: download.windowsupdate.com\r\n [truncated] Proxy-Authorization: NTLM NTLM Secure Service Provider NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_AUTH (0x00000003) Lan Manager Response: 000000000000000000000000000000000000000000000000 NTLM Client Challenge: 0000000000000000 NTLM Response: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx... NTLM Client Challenge: xxxxxxxxxxxxxxxx Domain name: KLDEV User name: BLUECOAT1$ <<<<< Computer Account / Host name is sent as the username Host name: BLUECOAT1 <<<<< Computer hostname Session Key: Empty Flags: 0xa2888205 Version 6.1 (Build 7600); NTLM Current Revision 15 MIC: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Cookie: BCSI-CS-XXXXXXXXXXXXXXXX=X\r\n \r\n
The 'Domain Computers' is available as a source Group object in the VPM's Web Access Layer, similar as other group objects. Hence, the CPL above can also be applied fom the VPM.
Do not use any IP-based surrogate such as Proxy-IP for authentication because the ProxySG may not reauthenticate user traffic within the cached duration. If you need to use an IP-based surrogate, use the user.login.log_out(yes) policy above.