Cisco Cisco Web Security Appliance S670 Informationshandbuch
How to configure authentication when using a thin
client and citrix server together with the WSA (Web
Security Appliance)?
client and citrix server together with the WSA (Web
Security Appliance)?
Document ID: 118067
Contributed by Jakob Dohrmann and Siddharth Rajpathak, Cisco TAC
Engineers.
Engineers.
Jul 24, 2014
Contents
Question:
Question:
How to configure authentication when using a thin client and Citrix server together with the Cisco Web
Security appliance (WSA)?
Security appliance (WSA)?
Environment: Thin Client −> Citrix −> WSA −> Internet, Cisco Web Security Appliance, All AsyncOS
versions
versions
If you setup the WSA in transparent mode:
Use 'cookie' surrogate to correctly identify the different users connected to the citrix server and be
able to link them to different policies
able to link them to different policies
•
If you use the WSA in explicit mode:
Each browser on the Citrix server will open its own connection to the WSA and authenticate to the
proxy separately. So the WSA will be able to distinguish the sessions for each browser.
proxy separately. So the WSA will be able to distinguish the sessions for each browser.
•
Optionally, you may still configure 'cookie' surrogates to limit the load on the AD server
•
You can configure 'cookie' surrogates in Identities (GUI −−> Web Security Manager −−> Identities) and
surrogates can be configured per identity.
surrogates can be configured per identity.
Additionally, in explicit setup, if the option "Explicit Forward Request: Apply same surrogate settings to
explicit forward requests" is un−checked, then WSA will not use any surrogates − meaning WSA will not
attempt to cache client credentials.
explicit forward requests" is un−checked, then WSA will not use any surrogates − meaning WSA will not
attempt to cache client credentials.
Updated: Jul 24, 2014
Document ID: 118067