If your organization uses an HTTP proxy server between the users and the Identity Awareness Gateway, the Identity Awareness Gateway cannot see the identities of these users. As a result, the Identity Awareness Gateway cannot enforce policy rules based on user identities.
To let the Identity Awareness Gateway identify users behind a proxy server, you can use the X-Forward-For HTTP header, which the proxy server adds.
To do this, you have to:
To configure the XFF header on an Identity Awareness Gateway:
With this option selected, internal IP addresses are not seen in requests to the internet.
The Identity Awareness Gateway will read the XFF header only from the trusted servers.
Note - If this option is disabled, the Identity Awareness Gateway will parse the XFF header only from internal network connections.
To configure the XFF header on the Access Control Policy Layer:
To use Access Roles in the Access Control Policy Layer:
See Identity Awareness in the Firewall Rule Base.
To use one of the advanced options in the Track column:
The Track Settings window opens.
Note - For more information about each available option, click the (?) icon in the top right corner.
Note - Detailed Log and Extended Log are only available, if one or more of these Software Blades are enabled on the Layer: Applications & URL Filtering, Content Awareness, or Mobile Access.