Secure Web Gateway (SWG) identifies users and maps them to IP addresses, or to sessions, without using cookies. Based on user identity, SWG assigns the appropriate scheme to each user. A scheme categorizes and filters URLs.
Secure Web Gateway (SWG) does not use Access Policy Manager® (APM®) session management cookies. If presented with an APM session management cookie, SWG ignores it.
User identification configuration requires a method setting in the access profile and an access policy configured to support the setting. Based on user identification, you can determine which scheme to assign in the access policy so that Secure Web Gateway (SWG) filters URLs appropriately.
Depending on the access profile type, you can select one of these user identification methods: by IP address (for SWG-Explicit or SWG-Transparent access profile types) or by credentials (for SWG-Explicit type).
When you identify users by IP address, you can employ any of these methods.
When you choose to identify users by credentials, SWG maintains an internal mapping of credentials to sessions. To support this choice, you need an NTLM Auth Configuration object and you should check the result of NTLM authentication in the access policy.
The F5® DC Agent enables transparent user identification, a best effort to identify users without requesting credentials.
You can install the F5® DC Agent on a Windows-based server in any domain in the network. The F5 DC Agent discovers domains and domain controllers, queries the domain controllers for logon sessions, and sends an IP-address-to-user-name mapping to the BIG-IP® system. F5 DC Agent sends only those new user name and IP address pairs recorded since the previous query. The BIG-IP system maintains user identity information in an IF-MAP server and stores only the most recently identified user name for a given IP address.
You can install more than one F5 DC Agent in your network and configure F5 DC Agents to communicate with the same BIG-IP system.
| Number of users | Average amount of data transferred per day |
|---|---|
| 250 users | 30 KB |
| 2,000 users | 240 KB |
| 10,000 users | 1200 KB |
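The delta reporting and latest-user-per-IP storage described above for F5 DC Agent and the BIG-IP system, modeled in Python. This is an added example, not F5 code: the class names, timestamps, IP addresses and user names are all constructed. It shows what happens to the mapping when two users log on from the same address.

```python
from typing import NamedTuple

class Logon(NamedTuple):
    ts: int    # logon time in seconds (constructed)
    ip: str
    user: str

class DCAgentModel:
    """Reports only the logon pairs recorded since the previous query."""
    def __init__(self):
        self.last_query = -1

    def poll(self, dc_sessions, now):
        delta = sorted(s for s in dc_sessions if self.last_query < s.ts <= now)
        self.last_query = now
        return delta

class IdentityStoreModel:
    """Keeps only the most recently identified user name per IP address."""
    def __init__(self):
        self.user_by_ip = {}
        self.overwrites = []   # (ip, previous_user, new_user)

    def apply(self, delta):
        for s in delta:
            prev = self.user_by_ip.get(s.ip)
            if prev is not None and prev != s.user:
                self.overwrites.append((s.ip, prev, s.user))
            self.user_by_ip[s.ip] = s.user   # latest logon wins

# Constructed sample data: 10.0.0.7 is a shared host used by two people.
DC_SESSIONS = [
    Logon(100, "10.0.0.5", "CORP\\alice"),
    Logon(130, "10.0.0.7", "CORP\\bob"),
    Logon(220, "10.0.0.7", "CORP\\carol"),
]

def run_scenario():
    agent, store = DCAgentModel(), IdentityStoreModel()
    sizes = []
    for now in (150, 300, 450):          # three successive queries
        delta = agent.poll(DC_SESSIONS, now)
        sizes.append(len(delta))
        store.apply(delta)
    return sizes, store.user_by_ip, store.overwrites

if __name__ == "__main__":
    print(run_scenario())
```

In this model, any traffic from 10.0.0.7 after the second query is attributed to the later user, so the overwrite list is a quick way to spot addresses where IP-based identification is ambiguous.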
Error messages from the F5® DC Agent display in the Event Viewer on the Windows-based server where DC Agent is installed.
| Error code | Error message | Possible causes |
|---|---|---|
| 3 | Could not configure DC Agent (Code 3) | An attempt was made to install F5 DC Agent using an account that does not have domain and local administrator privileges. As a result, some required files are not installed properly, and F5 DC Agent service cannot run. |
| 5 | ERROR_ACCESS_DENIED | F5 DC Agent service does not have sufficient permissions to perform required tasks. This error can occur when: |
| 53 | ERROR_BAD_NETPATH | A network problem prevents F5 DC Agent from contacting a domain controller. This error can occur when: |
| 71 | System error while enumerating the domain controllers. domain: (****)ecode: 71 : message: No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept. | The error results from F5 DC Agent automatic domain discovery process, used to identify new domains and domain controllers. It can also occur when F5 DC Agent tries to connect to a Windows XP-based computer that is broadcasting itself as the master browser for a non-company domain or workgroup. Although the issue might indicate a problem with connectivity to the domain controller, it is more likely that the domain is a workgroup with no domain controllers. This error can be ignored. |
| 997 | Error Code 997 | An attempt was made to install F5 DC Agent using an account that does not have domain and local administrator privileges. As a result, some required files are not installed properly, and F5 DC Agent service cannot run. |
| 1058 | Error Code 1058 | This error is seen on startup. A Local Security Policy on the Windows-based server might have disabled the F5 DC Agent service. |