WSA question

cunfa xu
Level 1

Hi all,

Nowadays, I have met a question like this.

WSA has these surrogate types: IP Address, Persistent Cookie, Session Cookie.

I want to know in which scenarios they are used.

If I change "IP Address" to "Session cookie", will it make my original policy invalid? What difference will it make compared to "IP Address"?

Tao Yang
Cisco Employee

Hello Cunfa,

Simply put, the cookie surrogate is used in shared-IP scenarios, for example a terminal server or kiosk server, as there are multiple sessions with the same IP. For all other situations, you can use the IP surrogate. Here are the details from the WSA user guide.

Determines which method the Web Proxy uses to track the user:


IP Address. The Web Proxy allows the user at that IP address to use any web browser or non-browser HTTP process to access the web once the user clicks the link on the end-user acknowledgment page. Tracking the user by IP address allows the user to access the web until the Web Proxy displays a new end-user acknowledgment page due to inactivity or the configured time interval for new acknowledgments. Unlike tracking by a session cookie, tracking by IP address allows the user to open up multiple web browser applications and not have to agree to the end-user acknowledgment unless the configured time interval has expired.

When IP address is configured and the user is authenticated, the Web Proxy tracks users by username instead of IP address.

Session Cookie. The Web Proxy sends the user’s web browser a cookie when the user clicks the link on the end-user acknowledgment page and uses the cookie to track their session. Users can continue to access the web using their web browser until the Time Between Acknowledgments value expires, they have been inactive longer than the allotted time, or they close their web browser.

If the user is using a non-browser HTTP client application, they must be able to click the link on the end-user acknowledgment page to access the web. If the user opens a second web browser application, the user must go through the end-user acknowledgment process again in order for the Web Proxy to send a session cookie to the second web browser.

Using a session cookie to track users when the client accesses HTTPS sites or FTP servers using FTP over HTTP is not supported.

Em....

If I change "IP Address" to "Session cookie", will it make my original policy invalid?

The surrogate for authentication will not impact your policy configuration. However, it may cause the end user to have the incorrect policy applied.

Dear Tao

Em...

So, if I change "IP Address" to "Session cookie", it may lead to the end user's policy being invalid. Right?

And another question:

If the "Session cookie/IP Address/persistent cookie" times out, will it pop up an authentication window? Thanks!

Sincerely Yours

WSA will authenticate again if the surrogate times out. But it should still be transparent to the end user, as it needs to re-authenticate the end user. The end user will only receive a prompt if authentication fails.
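
An added example (not part of the thread and not WSA code): a simplified Python model of why an IP surrogate on a shared-IP host can attribute one user's requests to another user, while a cookie surrogate keeps the sessions separate, and of re-authentication once a surrogate times out. The `Proxy` class, user names, addresses and timeout values are assumptions made for illustration.

```python
# Simplified model of proxy authentication surrogates (illustrative, not WSA code).
# All names, users, IPs and timeout values below are constructed.
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Proxy:
    surrogate: str                               # "ip" or "cookie"
    timeout: int = 3600                          # surrogate lifetime in seconds (assumed)
    cache: dict = field(default_factory=dict)    # surrogate key -> (user, expiry)
    auth_count: int = 0                          # how often authentication ran
    _ids: count = field(default_factory=count)

    def request(self, src_ip, real_user, cookie=None, now=0):
        """Return (user the proxy attributes the request to, cookie to keep)."""
        key = src_ip if self.surrogate == "ip" else cookie
        entry = self.cache.get(key)
        if key is not None and entry and entry[1] > now:
            return entry[0], cookie              # surrogate hit: no authentication
        # Miss or expired surrogate: authenticate again and store a new surrogate.
        self.auth_count += 1
        if self.surrogate == "cookie":
            cookie = f"sess-{next(self._ids)}"
            key = cookie
        self.cache[key] = (real_user, now + self.timeout)
        return real_user, cookie


def shared_host_demo(surrogate):
    """Two users on one terminal server (same source IP) browse in turn."""
    proxy = Proxy(surrogate)
    ts_ip = "10.0.0.50"                          # constructed terminal-server address
    seen_as_1, _ = proxy.request(ts_ip, "alice", now=0)
    seen_as_2, _ = proxy.request(ts_ip, "bob", now=10)
    return seen_as_1, seen_as_2


def timeout_demo():
    """Count authentications for one client across a surrogate timeout."""
    proxy = Proxy("ip", timeout=60)
    proxy.request("10.0.0.7", "carol", now=0)    # first request authenticates
    proxy.request("10.0.0.7", "carol", now=30)   # surrogate still valid
    proxy.request("10.0.0.7", "carol", now=90)   # expired: authenticates again
    return proxy.auth_count


if __name__ == "__main__":
    print("ip surrogate:    ", shared_host_demo("ip"))
    print("cookie surrogate:", shared_host_demo("cookie"))
    print("authentications across timeout:", timeout_demo())
```

With the IP surrogate, the second user on the shared host is identified as the first user and so receives that user's policy; with the cookie surrogate each browser session is identified separately.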