Cisco Web Security Appliance

How to configure authentication when using a thin client and Citrix server together with the WSA (Web Security Appliance)?

Document ID: 118067

Updated: Jul 24, 2014

Contributed by Jakob Dohrmann and Siddharth Rajpathak, Cisco TAC Engineers.



How to configure authentication when using a thin client and Citrix server together with the Cisco Web Security appliance (WSA)?

Environment: Thin Client -> Citrix -> WSA -> Internet, Cisco Web Security Appliance, All AsyncOS versions

If you set up the WSA in transparent mode:

  • Use the 'cookie' surrogate so that the WSA can correctly identify the different users connected to the Citrix server and link them to different policies.

If you use the WSA in explicit mode:

  • Each browser on the Citrix server opens its own connection to the WSA and authenticates to the proxy separately, so the WSA is able to distinguish the sessions for each browser.
  • Optionally, you may still configure 'cookie' surrogates to limit the load on the AD server.

You can configure 'cookie' surrogates in Identities (GUI --> Web Security Manager --> Identities) and surrogates can be configured per identity.

Additionally, in an explicit setup, if the option "Explicit Forward Request: Apply same surrogate settings to explicit forward requests" is unchecked, the WSA will not use any surrogates, meaning the WSA will not attempt to cache client credentials.
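
The following Python sketch is an added illustration, not Cisco code and not part of the original document. It models a proxy's surrogate cache to show why users behind one Citrix server need 'cookie' surrogates and how surrogates reduce AD lookups. The `ProxyModel` class, the sample IP address and the cookie names are constructed; the IP-keyed surrogate is included only as a contrast case that the document does not discuss, and each sample tuple stands for one new browser connection.

```python
from dataclasses import dataclass, field


@dataclass
class ProxyModel:
    """Toy model of a proxy's surrogate cache (hypothetical, not WSA code)."""
    surrogate: str                      # "ip", "cookie" or "none"
    cache: dict = field(default_factory=dict)
    directory_lookups: int = 0          # authentications sent to the AD server

    def _key(self, client_ip, browser_cookie):
        if self.surrogate == "ip":
            return ("ip", client_ip)
        if self.surrogate == "cookie":
            return ("cookie", browser_cookie)
        return None                     # no surrogate: nothing is cached

    def request(self, client_ip, browser_cookie, real_user):
        """Return the user name the proxy attributes this request to."""
        key = self._key(client_ip, browser_cookie)
        if key is not None and key in self.cache:
            return self.cache[key]      # surrogate hit: no new authentication
        self.directory_lookups += 1     # browser is challenged, AD is queried
        if key is not None:
            self.cache[key] = real_user
        return real_user


# Constructed sample traffic: two users on one Citrix server share its IP.
CITRIX_IP = "10.0.0.50"
TRAFFIC = [
    (CITRIX_IP, "cookie-A", "alice"),
    (CITRIX_IP, "cookie-B", "bob"),
    (CITRIX_IP, "cookie-A", "alice"),
    (CITRIX_IP, "cookie-B", "bob"),
]


def replay(surrogate):
    """Replay TRAFFIC; return (misattributed request count, AD lookups)."""
    proxy = ProxyModel(surrogate)
    wrong = sum(proxy.request(ip, ck, user) != user for ip, ck, user in TRAFFIC)
    return wrong, proxy.directory_lookups


if __name__ == "__main__":
    for mode in ("ip", "cookie", "none"):
        print(mode, replay(mode))
```

In this model the IP-keyed cache attributes bob's requests to alice, the cookie-keyed cache keeps the two users apart with one AD lookup per browser, and running without a surrogate stays correct but queries AD on every connection.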
