Identifying Users behind an HTTP Proxy Server

If your organization uses an HTTP proxy server between the users and the Identity Awareness Gateway, the Identity Awareness Gateway cannot see the identities of these users. As a result, the Identity Awareness Gateway cannot enforce policy rules based on user identities.

To let the Identity Awareness Gateway identify users behind a proxy server, you can use the X-Forward-For HTTP header, which the proxy server adds.

To do this, you have to:

• Configure the XFF header on the Identity Awareness Gateway
• Configure the XFF header on the Access Control Policy Layer
• Use Access Roles in the Access Control Policy Layer, or use one of these advanced options in the Track column: Log, Detailed Log, Extended Log.

To configure the XFF header on an Identity Awareness Gateway:

1. Log in to SmartConsole.
2. From the Navigation Toolbar, click Gateways & Servers.
3. Open the Identity Awareness Gateway object.
4. In the General Properties page > Network Security tab, make sure that Identity Awareness is enabled.
5. In the left navigation tree, click on the [+] near the Identity Awareness and go to the Proxy page.
6. Select Detect users located behind http proxy configured with X-Forwarded-For.
   • Optional: Select Hide X-Forwarded-For in outgoing traffic.

     With this option selected, internal IP addresses are not seen in requests to the internet.

   • Optional: Select Trust X-Forwarded-For from known proxies only and select the applicable Group object from the drop-down list (you need to configure such Group object in advance).

     The Identity Awareness Gateway will read the XFF header only from the trusted servers.

     Note - If this option is disabled, the Identity Awareness Gateway will parse the XFF header only from internal network connections.

7. Click OK.
8. Install the Access Policy.

To configure the XFF header on the Access Control Policy Layer:

1. Log in to SmartConsole.
2. From the Navigation Toolbar, click Security Policies.
3. In the Access Control section, right-click Policy and select Edit Policy.
4. In the Access Control section:
   • If you already have Policy Layers configured, in the Policy Layer section, click and select Edit Layer.
   • If you do not have Policy Layers configured yet, then:
   1. Click on the plus [+] sign > New Layer.
   2. Configure the layer.
   3. Click OK to close the Layer Editor window.
   4. Click OK to close the Policy window.
   5. In the Access Control section, right-click Policy and select Edit Policy.
   6. In the Policy Layer section, click and select Edit Layer.
5. In the Layer Editor window, go to Advanced page.
6. In the Proxy Configuration section, select Detect users located behind http proxy configured with X-Forwarded-For.
7. Click OK to close the Layer Editor window.
8. Click OK to close the Policy window.
9. Install the Access Policy.

To use Access Roles in the Access Control Policy Layer:

See Identity Awareness in the Firewall Rule Base.

To use one of the advanced options in the Track column:

1. Right-click in the Track column > click More.

   The Track Settings window opens.

   Note - For more information about each available option, click the (?) icon in the top right corner.

2. In the Track field, select one of these applicable options:
   • Log
   • Detailed Log
   • Extended Log

   Note - Detailed Log and Extended Log are only available, if one or more of these Software Blades are enabled on the Layer: Applications & URL Filtering, Content Awareness, or Mobile Access.

3. In the Log Generation section, select one of these applicable options:
   • per Connection
   • per Session
4. Click OK.
5. Install the Access Policy.