In order to make the most of authentication on an explicit proxy, we recommend using 'proxy-ip' authentication mode. This reduces the load on the link between the ProxySG and BCAAA, and ensures that user traffic is authenticated with the highest level of flexibility.
However, because that authentication mode saves the user's IP and user ID in a table for reference, this isn't an option for scenarios where traffic from multiple users will appear to the proxy to come from the same IP address. Examples of this are:
The solution is to create policy specific to the shared IP or IPs, to configure 'proxy' mode authentication. This ensures that each request for content is authenticated without caching the users' credentials on the proxy, and alleviates concerns of one user's traffic being tracked under another user's ID.
Steps to do this are below:
- In your web authentication layer, create a new rule above your existing 'authenticate' rule.
- Set the source for this rule to a new client IP address. Define the Citrix or NAT IP here; don't enter a subnet mask.
- Set a new action for this rule, to be a new authenticate object. Set the realm to your IWA realm and the mode as 'proxy'.
- Install the policy.
This will ensure that your proxy still leverages the benefits of proxy-ip authentication mode for appropriate clients, yet ensures the highest level of validity for your shared user environment traffic.