The Surrogate Refresh Time allows you to set a time for how often a user’s surrogate credentials are refreshed. Surrogate credentials are credentials accepted in place of a user’s actual credentials. The default setting is 900 seconds (15 minutes).

You can also configure this setting in policy for better control over the resources as policy overrides any settings made in the Management Console realm settings.

Before the refresh time expires, if a surrogate credential (IP address or cookie) is available and it matches the expected surrogate credential, the Edge SWG (ProxySG) authenticates the transaction. After the refresh time expires, the Edge SWG (ProxySG) verifies the user’s credentials.  Depending upon the authentication mode and the user-agent, this may result in challenging the end user for credentials. The main goal of this feature is to verify that the user still has the appropriate credentials.

To configure the Surrogate Refresh time in the VPM you need to add a rule in the Web Access Layer with an “Action” of “Add Surrogate Refresh Time”.  You can tweak the Trigger for this rule such as “Source” or “Destination” or “Service”.

CPL can also be added , for example as below:

;====================================================================

<proxy>
 request.header.User-Agent="Mac OS X" authenticate.credential_refresh_time(43200)

<Proxy>
 request.header.User-Agent="Mac OS X" authenticate.surrogate_refresh_time(43200) 

;===================================================================