Cisco Cisco Web Security Appliance S690 User Guide

Clients on your network use Network Connectivity Status Indicator (NCSI) 

Web Security appliance uses NTLMSSP authentication. 

Identification Profile uses IP based surrogates

A user might be identified using the machine credentials instead of the user’s own credentials, and as a 
result, might be assigned to an incorrect Access Policy.

Workaround:

Reduce the surrogate timeout value for machine credentials.

Use the advancedproxyconfig > authentication CLI command.

Enter the surrogate timeout for machine credentials. 

The Policy Trace Tool can emulate a client request and then detail how the Web Proxy processes that 
request. It can be used to trace client requests and debug policy processing when troubleshooting Web 
Proxy issues. You can perform a basic trace, or you can enter advanced trace settings and override options. 

When you use the Policy Trace tool, the Web Proxy does not record the requests in the access log or 
reporting database.

The Policy Trace tool evaluates requests against polices used by the Web Proxy only. These are Access, 
Encrypted HTTPS Management, Routing, Data Security, and Outbound Malware Scanning polices. 

SOCKS and External DLP polices are not evaluated by the Policy Trace tool.

You can use the CLI command 

maxhttpheadersize

 to change the maximum HTTP header size for proxy 

requests. Increasing this value can alleviate Policy Trace failures that can occur when the specified user 
belongs to a large number of authentication groups, or when the response header is larger than the current 
maximum header size. See 

 for more information 

about this command.