Cisco Web Security Appliance S670 Troubleshooting Guide

Traffic from Windows 7 / Vista Clients Shows Workstation Instead of User in the Access Logs
Document ID: 118418
Contributed by Cisco TAC Engineers.
Oct 13, 2014
Contents
Question
Environment
Symptoms
Workaround on the WSA
Question
Why does traffic from Windows 7 / Vista clients show workstation instead of user in the access logs?
Environment
Microsoft Windows 7, Microsoft Windows Vista, Cisco Web Security Appliance (all versions), Surrogate Type: IP address
Symptoms
Certain log lines in the access logs show the computer's machine name instead of DOMAIN\USER.
Microsoft introduced a new feature into Windows 7 and Windows Vista called "Network Connectivity Status
Indicator" (NCSI), which shows up as a little globe icon that appears over the network interface icon in the
system tray. Immediately after login, this feature attempts to request data from the Internet in order to
determine whether there is Internet connectivity.
There are known issues with NCSI, where it will send machine credentials instead of user credentials when
NTLM authentication is required.
Since NCSI is most likely to send the first request from a PC to the WSA, no surrogate exists yet and a new
IP-based surrogate with the machine name instead of the actual user name is created. This surrogate is used
for every request from the initial IP address until the surrogate times out and the user has to re-authenticate,
this time with real credentials.
Since the machine name is most probably not a member of the initially intended AD group, requests will
not trigger the correct Access/Decryption Policy, sometimes resulting in the request being blocked.
For more information regarding NCSI, please see the following Microsoft KB article.
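An added example, not part of the Cisco document: a short Python script that scans access log lines and reports each client IP whose requests are attributed to a computer account, which is the symptom described above. It assumes a Squid-style field layout with the username as the eighth field and that computer accounts carry the trailing `$` Active Directory gives them; all sample lines, names and the realm are constructed.

```python
# Added example: flag client IPs whose IP surrogate carries a computer account.
# Assumed layout (Squid-style): ts elapsed client_ip result bytes method url user ...

# Constructed sample lines; addresses, names and realm are made up for illustration.
SAMPLE_LOG = r'''
1413190801.101 45 10.1.1.20 TCP_MISS/200 312 GET http://www.msftncsi.com/ncsi.txt "CORP\PC-0142$@corpRealm" DIRECT/www.msftncsi.com text/plain
1413190805.250 12 10.1.1.20 TCP_DENIED/403 0 GET http://intranet.example/ "CORP\PC-0142$@corpRealm" NONE/- -
1413190806.007 80 10.1.1.21 TCP_MISS/200 5120 GET http://www.example.com/ "CORP\jdoe@corpRealm" DIRECT/www.example.com text/html
1413190900.500 33 10.1.1.20 TCP_MISS/200 900 GET http://www.example.com/a.css "CORP\PC-0142$@corpRealm" DIRECT/www.example.com text/css
1413190901.000 5 10.1.1.22 TCP_DENIED/407 0 GET http://www.example.com/ - NONE/- -
'''.strip().splitlines()


def machine_account(user_field):
    """Return DOMAIN\\NAME$ if the field names a computer account, else None."""
    name = user_field.strip('"').split("@", 1)[0]   # drop quotes and @realm
    sam = name.rpartition("\\")[2]                  # part after DOMAIN\
    return name if sam.endswith("$") else None


def find_machine_surrogates(lines):
    """Map client IP -> account, first timestamp and request count."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 8:
            continue                                # not an access log record
        account = machine_account(fields[7])
        if account is None:
            continue                                # real user or unauthenticated
        try:
            ts = float(fields[0])
        except ValueError:
            continue                                # malformed timestamp
        entry = hits.setdefault(
            fields[2], {"account": account, "first_seen": ts, "requests": 0})
        entry["requests"] += 1
    return hits


if __name__ == "__main__":
    for ip, info in find_machine_surrogates(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests logged as {info['account']} "
              f"(first seen {info['first_seen']})")
```
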
Please see the instructions below to work around the issue: