Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Log shows IP address instead of user name in InterScan Web Security Virtual Appliance (IWSVA)

    • Updated:
    • 10 Apr 2017
    • Product/Version:
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • Platform:
    • Virtual Appliance 4.1
    • Virtual Appliance 5.1
Summary

The logs (e.g. Internet Access logs) on InterScan Web Security Virtual Appliance (IWSVA) console show the traffic logged under the IP address of a client computer, instead of the user name.

Internet Access log

Details
Public

In order for the user name to appear in the logs, implement the following prerequisites:

  • User Identification needs to be enabled, configured, and working properly.
  • In WCCP mode, the IP user cache needs to be enabled.

Even when the prerequisites are met, there are several scenarios wherein the traffic still appears under the IP address:

Scenario 1

The IP address of the client computer is on the LDAP Authentication Whitelist. No user identification will be done for IP addresses on this list. To access the said list, navigate to Administration > IWSVA Configuration > User Identification > Authentication White list.

Scenario 2

The IP address of the client computer is on the Approved Server IP List. No user identification will be done for IP addresses on this list. To access the said list, go to IWSVA web console and navigate to HTTP > Configuration > Access Control Settings > Approved Server IP List.

Scenario 3

The accessed URLs are HTTPS websites and IWSVA cannot get the user from the traffic because it is encrypted. This scenario happens in the following circumstances:

  • HTTPS encryption is enabled, but not applied to the category to which the URL belongs. Decryption needs to be enabled for individual category on each HTTPS decryption policy.
  • The URL is on the list of Global Trusted URLs. This list can be accessed from the IWSVA web console under HTTP > URL Access Control > Global Trusted URLs.

Scenario 4

The traffic is not coming from a browser, but from some application (e.g. WebEx client). By default, IWSVA does not authenticate non-browser traffic. Therefore, the user cannot be identified.

To change the behavior of IWSVA to authenticate traffic from non-browser applications, refer to this article: Authenticating all HTTP sessions including non-browser applications in InterScan Web Security Appliance (IWSVA).

Premium
Internal
Rating:
Category:
Troubleshoot
Solution Id:
1102721
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.