According to Cisco best practice we enabled user authentication caching surrogates on our WSA's based on IP addresses. This doesn't work for user that browse the Internet from a Citrix or Direct Access session as multiple users are using the same IP ...