For performance reasons, IWSVA uses a cache called IP User Cache. This cache associates a client IP address with a user who recently authenticated from that same IP address. Any request originating from the same IP address as a previously authenticated request is attributed to that user, provided the new request is issued within a certain (configurable) amount of time.
The caveat is that client IP addresses recognized by IWSVA must be unique to a user within that time period; therefore, this cache is not useful in environments where users share the same IP address (as seen by IWSVA). In this case, the IP User Cache can lead to an incorrect application of policies and to inaccurate reports. This article explains in which scenarios the IP User Cache is best disabled and describes best practices for configuring IWSVA without it.
The IP User Cache is best disabled in the following scenarios:
- Network Address Translation (NAT) - If users are behind a networking device which uses NAT, they share one source IP address.
- Terminal or Citrix Server - In this case, several users are logged on to the same server and share the same IP address.
- VPN - In this case, users connecting to the network via VPN all have the IP address of the VPN server as seen from IWSVA.
- Downstream proxy - If a proxy is deployed between IWSVA and the users, all connections appear to IWSVA to come from the IP address of that downstream proxy.
- DHCP - If client IP addresses are frequently re-assigned, so that an address can belong to a different user before the cache entry expires.
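The following toy model, added here as an example and not part of IWSVA or the original article, shows the attribution logic the article describes (source IP mapped to the last user who authenticated from it, for a configurable period) and why it misattributes requests once two users share one address. The traffic, users, addresses (TEST-NET ranges) and the 600-second lifetime are all constructed; modelling a disabled cache as a zero lifetime is also an assumption of this example.

```python
"""Added example (not IWSVA's code): a toy IP-to-user cache with a time-to-live,
used to show why a source IP shared by several users (NAT, terminal server,
VPN, downstream proxy) leads to misattributed requests. All data is constructed."""


class IpUserCache:
    """Maps a source IP to the user who last authenticated from it, for `ttl` seconds."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._entries = {}  # ip -> (user, time of authentication)

    def record(self, ip, user, now):
        self._entries[ip] = (user, now)

    def lookup(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, authenticated_at = entry
        if now - authenticated_at > self.ttl:  # expired: force re-authentication
            del self._entries[ip]
            return None
        return user


def attribute(requests, ttl):
    """requests: list of (time, source_ip, real_user).
    Returns (time, source_ip, real_user, attributed_user) per request. On a cache
    miss the request is 'authenticated' (the real user is learned) and the IP cached."""
    cache = IpUserCache(ttl)
    out = []
    for t, ip, real_user in requests:
        user = cache.lookup(ip, t)
        if user is None:
            user = real_user  # stands in for a real credential check
            cache.record(ip, user, t)
        out.append((t, ip, real_user, user))
    return out


def misattributed(results):
    """Rows where the policy would be applied to the wrong user."""
    return [(t, ip, real, seen) for t, ip, real, seen in results if real != seen]


# Constructed traffic: alice and bob sit behind one NAT address, carol has her own.
SHARED_IP = "203.0.113.10"
NAT_TRAFFIC = [
    (0, SHARED_IP, "alice"),
    (30, SHARED_IP, "bob"),          # within TTL: attributed to alice
    (45, "198.51.100.7", "carol"),   # unique address: attribution is correct
    (900, SHARED_IP, "bob"),         # alice's entry expired: bob authenticates himself
    (920, SHARED_IP, "alice"),       # now alice inherits bob's identity
]

if __name__ == "__main__":
    results = attribute(NAT_TRAFFIC, ttl=600)
    for row in results:
        print(row)
    print("misattributed with cache:", misattributed(results))
    print("misattributed without cache:", misattributed(attribute(NAT_TRAFFIC, ttl=0)))
```

Note that the misattribution is symmetric: whichever user authenticated most recently from the shared address lends their identity (and therefore their policy and their entries in reports) to everyone else behind it until the entry expires.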
As a best practice in these scenarios, Trend Micro recommends disabling the IP User Cache. If it is disabled on its own, however, IWSVA has to authenticate every connection, which generates a large number of authentication requests. Users may then experience performance issues such as slow browsing, or they may receive authentication prompts when accessing the internet.
To offset the impact on performance, it is recommended to enable Standard Cookie Mode instead. With Standard Cookie Mode, IWSVA sets a cookie on the user's profile once a connection has been authenticated. Subsequent connections from the same user are authenticated by reading the cookie, which reduces the number of authentication requests.
In addition, Transparent Authentication needs to be turned off; otherwise it would also cause every connection to be authenticated, increasing CPU usage.
To set up IWSVA without IP User Cache, do the following:
- Ensure that Standard Authentication is enabled and configured. This setting can be found on the IWSVA web console under Administration > IWSVA Configuration > User Identification.
- Log on to IWSVA either directly or with SSH as root.
- Enable Standard Cookie Mode:
  - Open the configuration file /etc/iscan/intscan.ini for editing as described in the KB article: Editing configuration files of Linux-based products.
  - Look for the parameter "enable_standard_cookie_mode" in the [user-identification] section and change its value to "yes" so the line looks as follows:
    enable_standard_cookie_mode=yes
  - Save the changes and close the file.
- Disable IP User Cache and Transparent Authentication by entering the following commands:
  configure module ldap ipuser_cache disable
  configure module ldap trans_auth disable
- Run the following command to restart all IWSVA services. This will interrupt network traffic for a few minutes, so plan accordingly.
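The edit to intscan.ini in the procedure above is a one-line change, but on an appliance it is worth making it repeatably: change only the key inside the [user-identification] section, leave every other line (including a same-named key in any other section) untouched, keep a backup, and read the value back before restarting services. The script below is an added example, not Trend Micro's tooling; the sample file contents, the section and key names other than enable_standard_cookie_mode, and the ".bak" naming are constructed for this illustration.

```python
"""Added example (not Trend Micro's code): set one key inside one section of an
INI-style file such as /etc/iscan/intscan.ini without rewriting the rest of the
file, then verify the result. Sample contents below are constructed."""
import re
import shutil
import tempfile
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=;#\s][^=]*?)\s*=")  # skips ';' and '#' comments


def set_ini_value(text, section, key, value):
    """Return `text` with `key=value` set in `[section]`.
    The first matching key inside the section is rewritten in place; if the section
    exists but lacks the key, the line is appended at the end of that section; if the
    section is missing it is created. Same-named keys in other sections are untouched."""
    out, in_section, done = [], False, False
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            if in_section and not done:  # leaving the target section without a hit
                out.append(f"{key}={value}\n")
                done = True
            in_section = m.group("name").strip().lower() == section.lower()
            out.append(line)
            continue
        km = KEY_RE.match(line)
        if in_section and not done and km and km.group("key").lower() == key.lower():
            out.append(f"{key}={value}\n")
            done = True
            continue
        out.append(line)
    if not done:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        if not in_section:  # target section never seen: create it at the end
            out.append(f"[{section}]\n")
        out.append(f"{key}={value}\n")
    return "".join(out)


def get_ini_value(text, section, key):
    """Read back `key` from `[section]`, or None if absent."""
    in_section = False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group("name").strip().lower() == section.lower()
            continue
        km = KEY_RE.match(line)
        if in_section and km and km.group("key").lower() == key.lower():
            return line.split("=", 1)[1].strip()
    return None


def enable_standard_cookie_mode(path):
    """Back up `path` to `<path>.bak`, set the parameter, return the value read back."""
    p = Path(path)
    shutil.copy2(p, Path(str(p) + ".bak"))
    p.write_text(set_ini_value(p.read_text(), "user-identification",
                               "enable_standard_cookie_mode", "yes"))
    return get_ini_value(p.read_text(), "user-identification", "enable_standard_cookie_mode")


# Constructed stand-in for intscan.ini; the real file has many more sections and keys.
SAMPLE_INI = """[main]
verbose=no

[user-identification]
; comment lines are preserved as-is
enable_standard_cookie_mode=no
cookie_lifetime=30

[other]
enable_standard_cookie_mode=no
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        ini = Path(d) / "intscan.ini"
        ini.write_text(SAMPLE_INI)
        print("new value:", enable_standard_cookie_mode(ini))
        print(ini.read_text())
```

On the appliance itself the call would be enable_standard_cookie_mode("/etc/iscan/intscan.ini") as root, followed by the two configure module ldap commands and the service restart from the procedure above; the read-back value is what you would check before taking the traffic interruption.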