ProxySG & Advanced Secure Gateway

  • 1.  Auto logout by IP address

    Posted Dec 05, 2018 03:24 PM

    I am trying to have entries in the user login table removed. We have a virtual desktop environment and when a person logs out (gracefully or not) the entry in the proxy table remains. It is easy for someone else to log in to the same machine and, if the entry remains in the proxy, they have access to the Internet under someone else's ID. We are using LDAPS.

    This article is close, but I want to send a request to logout all entries from a particular IP address.

    https://support.symantec.com/en_US/article.TECH242127.html

    Is there a way to do this?



  • 2.  RE: Auto logout by IP address

    Posted Dec 06, 2018 12:56 AM

    Hi Rob,


    By mentioning that a user could continue to get the same access as the previous user, I am assuming that you are using an IP-surrogate mode of authentication like "Proxy-IP" or "Origin-IP-Redirect". For a shared environment, this is always a problem and shouldn't be used. You can read about this at https://support.symantec.com/en_US/article.TECH240883.html . The article you have shared is for different purposes, like a second login from the same user on a different IP address etc. This will not be applicable to you, as the proxy's surrogate is the problem. Using the respective session-based authentication is best to deal with this issue.




  • 3.  RE: Auto logout by IP address

    Posted Dec 06, 2018 12:54 PM

    We are using "form IP redirect". I'm not the person who configured the proxies, so I'm learning.

    The client IPs are never shared. It is a virtual desktop environment, but it would be the same with a desktop. The first user uses the desktop and authenticates through the proxy to use the Internet. The first user's credentials are now in the proxy LDAP authentication table. The first user logs off the desktop. Subsequently, a second user logs into the same desktop. If this is done prior to the LDAP inactivity timeout on the LDAP general tab, then the second user doesn't need to authenticate and appears as the first user in the logs. It would be nice to either clear the entry in the table for the user/IP upon logout or upon login to the desktop.

    We previously used cookie-based authentication, but found the browsers were very inconsistent and didn't provide the cookie in every GET, which led to a lot of exceptions being required and many pages not rendering properly when a style sheet was not downloaded in a timely manner.




  • 4.  RE: Auto logout by IP address

    Posted Dec 06, 2018 11:05 PM

    Hi Rob,

    Form-IP is again an IP surrogate mode of authentication. There is no mechanism for the client machine to let the proxy know that the user is logging out or a new user is logging in. The proxy will only know about this when an authentication is attempted. Since there is no way the proxy knows that a user logged out, clearing the table automatically is not possible. You can log out users manually, but that would be a pain to deal with. Also, by shared environment, I mean that a user IP can be used by multiple people even though they are not logging in at the same time.




  • 5.  RE: Auto logout by IP address

    Posted Dec 11, 2018 10:00 AM

    Hi Rob

    I haven't tested the following and I am just brainstorming, so please forgive me if this doesn't work.

    It may be slightly over-engineered, but would it be possible to execute a script upon a user logging out of a machine?

    The script could then fire off a request to the proxy to a URL such as http://<Proxy-Hostname>/log-out-current-user

    In your proxy, you would create a new layer with a single rule that goes as follows:

    Layer Type: Web Access Layer

    Source: Any

    Destination: Request URL - <proxy-hostname>/log-out-current-user

    Service: Any

    Time: Any

    Action: Logout User

    Track: None

    Apply the policy and you should be able to test.

    Do so by first logging into a machine and browsing to a few sites after logging in, like you normally would.

    Then navigate to http://<Proxy-Hostname>/log-out-current-user

    Following this, try to browse the internet again. What we are hoping for here is that you have been removed from the list and that you are then prompted to log in again. Note: you may need to add the "log out" URL to an Authentication Bypass list.

    If the above works as expected, you would then have your script that fires on logout hit this URL as the user logs out, thus freeing up the IP for the next user.

    Let me know how you get on.

    Kind Regards

    Sean Doggett




  • 6.  RE: Auto logout by IP address

    Posted Dec 11, 2018 10:32 AM

    Sean,

    Thanks for your suggestion. I have received the same suggestion from my SE. Initial testing has it working, but I am working on a way to automate it, which is more of a desktop issue. Windows PowerShell 3.0 has Invoke-WebRequest, but we have PowerShell 2.0. The desktop team is creating an image with 3.0 and we will test. Performing it at logout, login or machine reboot are all possibilities.

    The input received from the SE said that CPL must be used. I didn't try all combinations, but it appears that this might be true. Inconsistent behaviour based on the URL, but it is working. I have entries in the web access layer and the CPL. Also, I have bypassed authentication for the URL.

    <proxy>
      url="http://company.com/log_out.html" user.login.log_out(yes)


    I will post the final solution if we get it working.


    Thanks again,

    Rob



  • 7.  RE: Auto logout by IP address

    Posted Dec 11, 2018 12:32 PM

    Gentlemen,

    Is the following CPL not an option, in a shared environment (WiFi + LAN), to auto-logout somebody authenticating with a new IP (proxy-IP surrogate)?

    <proxy>
      user.login.count=2.. user.login.log_out_other(yes)

    Regards,

    Vincent



  • 8.  RE: Auto logout by IP address

    Posted Dec 11, 2018 12:42 PM

    Vincent,

    That is correct, but only logs out the previous entry when a new login occurs.

    If someone logs out of a desktop and another user logs into it (Windows desktop), the record in the proxy does not get updated and the new user can send traffic through the proxy without having to log into the proxy. The new user's traffic is logged with the first user's name.

    If only tracking users by IP, there is no way to know the user has changed.

    Rob



  • 9.  RE: Auto logout by IP address

    Posted Dec 11, 2018 01:29 PM

    Hi Rob

    Always good to have a brainstormed solution confirmed by an SE :D

    Very good information regarding the difference between PowerShell 2.0 and 3.0. I imagine this is not the first time this requirement has come up and it certainly won't be the last, so it is a great reference for future onlookers.

    Regarding running on login/logout, it may be a good idea to in fact do both! Doing so on login would account for any hard power-off of a client machine which has skipped the logout process. Doing so on logout just sounds like a good idea to clear the proxy of unused surrogates.

    One other thing perhaps worth doing is omitting requests to the logout URL from your access logs. If you are sending requests there on both login and logout, you can save yourself a lot of unnecessary log lines.

    This would make your CPL look as follows:

    <proxy>

      url="http://company.com/log_out.html" user.login.log_out(yes) access_log(no)

    Kind Regards

    Sean Doggett
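    Putting together the pieces from posts 5, 6 and 9, here is an added example of the client-side script (not code from the thread, Symantec or the SE): it sends the logout request through the proxy and then checks whether the proxy now redirects a normal request to the login form. The proxy listener, the probe URL and the logout URL are assumed placeholders, and it uses System.Net.WebRequest so it also runs on PowerShell 2.0, which lacks Invoke-WebRequest.

```powershell
# Added example: startup/logon/logoff script that drops this IP's surrogate
# on the ProxySG and verifies the result. Works on PowerShell 2.0 and later.
param(
    [string]$Proxy     = "http://proxy.company.com:8080",   # assumed explicit proxy listener
    [string]$LogoutUrl = "http://company.com/log_out.html", # must match url= in the CPL rule
    [string]$ProbeUrl  = "http://www.example.com/"          # assumed site that needs auth
)

# Sends one GET through the proxy with redirects disabled and returns the HTTP
# status code, or -1 if no response came back (proxy unreachable, timeout).
function Invoke-ViaProxy {
    param([string]$Url, [string]$ProxyAddress)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method = "GET"
        # Route explicitly through the proxy so the rule is hit even before
        # the user's browser proxy settings exist (e.g. at machine startup).
        $req.Proxy = New-Object System.Net.WebProxy($ProxyAddress)
        $req.Timeout = 5000                # ms; a logoff script must not hang
        $req.AllowAutoRedirect = $false    # keep the proxy's 3xx visible to us
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        # 4xx/5xx arrive as exceptions that still carry the response object
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

# 1. Hit the logout URL: the web access layer / CPL rule runs Logout User
#    for the surrogate (client IP) that sent this request.
$logoutStatus = Invoke-ViaProxy -Url $LogoutUrl -ProxyAddress $Proxy
Write-Output ("Logout request -> HTTP {0}" -f $logoutStatus)

# 2. Verify: with form-IP-redirect, an unauthenticated IP is redirected (3xx)
#    to the login form, so a redirect here means the table entry is gone.
$probeStatus = Invoke-ViaProxy -Url $ProbeUrl -ProxyAddress $Proxy
if ($probeStatus -ge 300 -and $probeStatus -lt 400) {
    Write-Output "Surrogate cleared: proxy now redirects to the authentication form."
    exit 0
}
Write-Output ("Warning: probe returned HTTP {0}; the entry may still be present." -f $probeStatus)
exit 1
```

    The probe URL must not itself be on the authentication bypass list, otherwise the proxy will never redirect it and the check always reports a warning.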



  • 10.  RE: Auto logout by IP address

    Posted Dec 11, 2018 02:32 PM

    Hi Sean,

    This is running in a VDI environment where the virtual machines reboot when a user logs out.  So, the safest place to run this is during the bootup of the machine with no ties to the user login or logout.   That said, if the overhead of running this is minimal and doesn't impact the user experience, then I agree, we should run it during logout and maybe even login as well.

    PowerShell 3.0 is available to install for most Windows platforms, but Windows 7 uses 2.0 by default.

    Omitting the entries from the log is a good idea.  One that I should review for some other traffic as well.

    Cheers,

    Rob