X-Authenticated-User (XAU) header: Signifies that the downstream proxy has authenticated the end user who originated the request. The downstream proxy adds the XAU header to the request before forwarding it to the Web Isolation Proxy.
WI Cloud 1.16
Where the identified domains are linked with Software/Applications, this behavior would be expected.
Troubleshooting will involve looking at the Auth/HTTP/SSL debug logs on the connected Proxy, and the relevant Activity log from the Fireglass side.
From a known case study, we can confirm that for the identified domains, which are solely software/application requests, authentication did not happen. By extension, authentication for these URLs using "header.X-Authenticated-User." did not happen, hence the absence of the username in the activity logs in Fireglass. So this is expected: for the affected requests, authentication appears to have been skipped.
Note: Some applications do not support Proxy authentication. Please see the Tech. Doc. with the URL below, for reference.
To avoid connectivity issues in such cases, Web Isolation allows authentication to be skipped when the source egress IP address (the source IP address that the traffic comes from) has already been authenticated within the configured authentication caching timeout. The policy can be edited to include criteria for skipping authentication.
The above confirms that this has nothing to do with Fireglass, since the authentication wasn't happening there. The Web Isolation Gateway only adds the X-Authenticated-User (XAU) header, which contains the authenticated username, to the outgoing request.
Recommendation:
For the affected software/application requests, you may want to edit the policy to skip authentication.
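The following is an added example, not Symantec code or output: a simplified Python model of the caching behavior described above, showing why requests allowed on the strength of an already-authenticated source egress IP are logged without a username. The record fields, the decision labels, the 900-second timeout and the sample requests are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CACHE_TIMEOUT_S = 900  # assumed value; the real timeout is whatever the policy configures

@dataclass
class Request:
    ts: int                # seconds since start of capture (constructed)
    src_ip: str            # source egress IP the traffic comes from
    host: str              # requested domain
    xau: Optional[str]     # X-Authenticated-User value, None when the header is absent

def evaluate(requests, timeout=CACHE_TIMEOUT_S):
    """Return (ts, host, logged_user, decision) for each request, in time order."""
    last_auth = {}         # src_ip -> time of the most recent authenticated request
    results = []
    for r in sorted(requests, key=lambda r: r.ts):
        if r.xau:
            last_auth[r.src_ip] = r.ts
            results.append((r.ts, r.host, r.xau, "authenticated"))
        elif r.src_ip in last_auth and r.ts - last_auth[r.src_ip] <= timeout:
            # Allowed because of the IP alone, so there is no username to log.
            results.append((r.ts, r.host, None, "auth-skipped"))
        else:
            results.append((r.ts, r.host, None, "auth-required"))
    return results

def hosts_without_user(results):
    """Hosts never seen with a username: candidates for a skip-authentication rule."""
    seen_user = {h for _, h, u, _ in results if u}
    return sorted({h for _, h, u, _ in results if u is None} - seen_user)

# Constructed sample traffic (documentation IP ranges, made-up hostnames).
SAMPLE = [
    Request(0,    "203.0.113.10", "intranet.example.com",       "alice"),
    Request(50,   "198.51.100.7", "updates.example-app.test",   None),
    Request(120,  "203.0.113.10", "updates.example-app.test",   None),
    Request(1000, "203.0.113.10", "updates.example-app.test",   None),
    Request(1010, "203.0.113.10", "intranet.example.com",       "alice"),
    Request(1020, "203.0.113.10", "telemetry.example-app.test", None),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
    print("No username ever logged for:", hosts_without_user(evaluate(SAMPLE)))
```

In this model, every skipped request is attributed to the egress IP rather than to a user, so any client sharing that address during the caching window appears in the log without a username.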