Cisco Web Security Appliance S170 User Guide

AsyncOS 9.2 for Cisco Web Security Appliances User Guide
 
Appendix A      Troubleshooting
User Matches Global Policy for HTTPS and FTP over HTTP Requests
When the appliance uses cookie-based authentication, the Web Proxy does not get cookie information 
from clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get the user name from the 
cookie. 
HTTPS and FTP over HTTP requests still match the Identification Profile according to the other 
membership criteria, but the Web Proxy does not prompt clients for authentication even if the 
Identification Profile requires authentication. Instead, the Web Proxy sets the user name to NULL and 
considers the user as unauthenticated. 
Then, when the unauthenticated request is evaluated against a policy, it matches only a policy that 
specifies “All Identities” and applies to “All Users.” Typically, this is the global policy, such as the global 
Access Policy.
User Assigned Incorrect Access Policy 
• Clients on your network use Network Connectivity Status Indicator (NCSI).
• Web Security appliance uses NTLMSSP authentication.
• Identification Profile uses IP-based surrogates.
A user might be identified using the machine credentials instead of the user’s own credentials, and as a 
result, might be assigned to an incorrect Access Policy.
Workaround:
Reduce the surrogate timeout value for machine credentials.
Step 1  Use the advancedproxyconfig > authentication CLI command.
Step 2  Enter the surrogate timeout for machine credentials.
Note  You can use the CLI command maxhttpheadersize to change the maximum HTTP header size for proxy 
requests. Increasing this value can alleviate Policy Trace failures that can occur when the specified user 
belongs to a large number of authentication groups, or when the response header is larger than the current 
maximum header size. See  for more information about this command.
Reboot Issues
Virtual Appliance Running on KVM Hangs on Reboot 
Note  This is a KVM issue and may change at any time.