03-06-2016 06:32 PM - edited 03-08-2019 05:38 PM
Hi , all
Nowaday, I meet some questionlike this.
WSA has surrogate type: IP address, Persistent Cookie, Session Cookie.
I want to know which scenario are they used ?
If I change "IP Address" to "Session cookie", it will make my origin policy invalidate? It will make which different from "IP Address"?
Solved! Go to Solution.
03-06-2016 07:39 PM
Hello Cunfa,
In simple, cookie surrogate is used in shared IP scenario, for example terminal server, kiosk server as it is a multiple sessions with same IP. For all other situation, you can use IP surrogate. Here are the details from WSA user guide.
Determines which method the Web Proxy uses to track the user:
•
Note
•
IP Address. The Web Proxy allows the user at that IP address to use any web browser or non-browser HTTP process to access the web once the user clicks the link on the end-user acknowledgment page. Tracking the user by IP address allows the user to access the web until the Web Proxy displays a new end-user acknowledgment page due to inactivity or the configured time interval for new acknowledgments. Unlike tracking by a session cookie, tracking by IP address allows the user to open up multiple web browser applications and not have to agree to the end-user acknowledgment unless the configured time interval has expired.
When IP address is configured and the user is authenticated, the Web Proxy tracks users by username instead of IP address.
Session Cookie. The Web Proxy sends the user’s web browser a cookie when the user clicks the link on the end-user acknowledgment page and uses the cookie to track their session. Users can continue to access the web using their web browser until the Time Between Acknowledgments value expires, they have been inactive longer than the allotted time, or they close their web browser.
If the user using a non-browser HTTP client application, they must be able to click the link on the end-user acknowledgment page to access the web. If the user opens a second web browser application, the user must go through the end-user acknowledgment process again in order for the Web Proxy to send a session cookie to the second web browser.
Using a session cookie to track users when the client accesses HTTPS sites or FTP servers using FTP over HTTP is not supported.
03-07-2016 03:27 PM
WSA will authenticate again if surrogate times out. But it should still be transparent to end user as it needs to re-authenticate the end user. The end user will only receive prompt if authentication is failed.
03-06-2016 07:39 PM
Hello Cunfa,
In simple, cookie surrogate is used in shared IP scenario, for example terminal server, kiosk server as it is a multiple sessions with same IP. For all other situation, you can use IP surrogate. Here are the details from WSA user guide.
Determines which method the Web Proxy uses to track the user:
•
Note
•
IP Address. The Web Proxy allows the user at that IP address to use any web browser or non-browser HTTP process to access the web once the user clicks the link on the end-user acknowledgment page. Tracking the user by IP address allows the user to access the web until the Web Proxy displays a new end-user acknowledgment page due to inactivity or the configured time interval for new acknowledgments. Unlike tracking by a session cookie, tracking by IP address allows the user to open up multiple web browser applications and not have to agree to the end-user acknowledgment unless the configured time interval has expired.
When IP address is configured and the user is authenticated, the Web Proxy tracks users by username instead of IP address.
Session Cookie. The Web Proxy sends the user’s web browser a cookie when the user clicks the link on the end-user acknowledgment page and uses the cookie to track their session. Users can continue to access the web using their web browser until the Time Between Acknowledgments value expires, they have been inactive longer than the allotted time, or they close their web browser.
If the user using a non-browser HTTP client application, they must be able to click the link on the end-user acknowledgment page to access the web. If the user opens a second web browser application, the user must go through the end-user acknowledgment process again in order for the Web Proxy to send a session cookie to the second web browser.
Using a session cookie to track users when the client accesses HTTPS sites or FTP servers using FTP over HTTP is not supported.
03-06-2016 09:30 PM
Em....
If I change "IP Address" to "Session cookie", will it make my origin policy invalidate?
03-06-2016 09:35 PM
Surrogate for authentication will not impact your policy configuration. However it may cause end user being applied the incorrect policy.
03-06-2016 09:55 PM
Dear Tao
Em。。。
So, If I change "IP Address" to "Session cookie" , It may lead to end user policy invalidate. Right?
And another question
If "Session cookie/IP Address/persistent cookie" time out, will it pop authentication windows?Thanks!
Sincerely Yours
03-07-2016 03:27 PM
WSA will authenticate again if surrogate times out. But it should still be transparent to end user as it needs to re-authenticate the end user. The end user will only receive prompt if authentication is failed.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide