How to configure authentication when using a thin client and Citrix server together with the Cisco Web Security appliance (WSA)?
Environment: Thin Client -> Citrix -> WSA -> Internet, Cisco Web Security Appliance, All AsyncOS versions
If you setup the WSA in transparent mode:
Use 'cookie' surrogate to correctly identify the different users connected to the citrix server and be able to link them to different policies
If you use the WSA in explicit mode:
Each browser on the Citrix server will open its own connection to the WSA and authenticate to the proxy separately. So the WSA will be able to distinguish the sessions for each browser.
Optionally, you may still configure 'cookie' surrogates to limit the load on the AD server
You can configure 'cookie' surrogates in Identities (GUI --> Web Security Manager --> Identities) and surrogates can be configured per identity.
Additionally, in explicit setup, if the option "Explicit Forward Request: Apply same surrogate settings to explicit forward requests" is un-checked, then WSA will not use any surrogates - meaning WSA will not attempt to cache client credentials.