ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Proxy showing incorrect username in exception page thrown for blocked requests

book

Article ID: 238381

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

  • ProxySG showing incorrect username in exception page thrown for blocked requests when multiple users are logging into the same server and trying to access a blocked website.
  • The username seen in the exception page is for the first user that logs in to the server

Cause

  • Whether or not reports show usernames for blocked requests depends on the order in which denial and authentication occur in the policies you have defined.
  • When the ProxySG appliance intercepts a client request, it uses the URL to determine the content category and, if the category is blocked based on your content filtering policies, the request will be denied before the user has been authenticated and the username is therefore not available for logging. This is because Deny has precedence over authentication.
  • This is explained in below article-:

https://knowledge.broadcom.com/external/article/167300/what-is-the-difference-between-authentic.html

 

 

  • Also, since the authentication mode is set to proxy-ip , proxySG creates a surrogate based on client ip after the client authenticates. This is explained in below article-:

https://knowledge.broadcom.com/external/article/166803/authentication-modes-for-proxysg-deploym.htmlhttps://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/overview/_properties/authenticate-mode.html

Environment

Topology -:

[Server sharing multiple AD accounts]-----------[ProxySG using IWA authentication]--------------[Internet]

Setup -:

IWA is setup on proxySG. Name of Authentication Realm is 'MyRealm'

Authentication Rules -:

<proxy>

authenticate(MyRealm)  authenticate.force(no) authenticate.mode(proxy-ip)  

Default policy is set to deny

Resolution

To force requests to be authenticated even in the case where the request is denied, you must include the authenticate.force(yes) property in the <proxy> layer of policy. 

Also, to ensure that correct username is captured in the exception page, set the mode to proxy

Create a rule above existing Authentication rule 

<proxy>
 client.address=x.x.x.x authenticate(MyRealm)  authenticate.force(yes) authenticate.mode(proxy)  
 authenticate(MyRealm)  authenticate.force(no) authenticate.mode(proxy-ip)

x.x.x.x = Server ip