Surrogate IP example

Hello Community,
I went over the documentation about Surrogate IP and could not think of a scenario where it would be absolutely necessary (because I did not understand it 100%). I am wondering if someone could help me.

Could anyone provide a concrete example of when Surrogate IP is the only option to go?

Hi Xavier,

  • Applications that do not support cookies, such as Google Earth and Skydrive
  • HTTPS transactions that are not decrypted
  • Transactions that use unknown user agents

If the application doesn’t carry cookies, the user info cannot be seen at the Zscaler end when the traffic reaches the service edge, so user-based / group-based policies cannot be enforced. In this situation IP surrogacy will map the username (when the user authenticates at least once) and private IP address for a certain period of time.

Even a request coming without the username from that IP address will be considered as the user who has authenticated at least once, for the duration configured under IP surrogacy. So the user-based policies will be applicable to traffic like Google Earth or Skydrive.

Ramesh M

1 Like
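The mapping described in the reply above, as an added example (not part of the original thread and not Zscaler's implementation): a toy model that attributes identity-less requests to the user who last authenticated from the same private IP, shown with surrogacy off and on. The class and function names, the sample requests, and the choice to count the duration from the last authenticated request are assumptions.

```python
from typing import Optional

class SurrogateMap:
    """Toy model: remembers which user last authenticated from each private IP."""

    def __init__(self, duration_s: Optional[int]):
        self.duration_s = duration_s      # None = IP surrogacy disabled
        self._by_ip = {}                  # src_ip -> (user, time of last auth)

    def resolve(self, now: int, src_ip: str, user: Optional[str]) -> Optional[str]:
        """Return the user a request is attributed to, or None if unknown."""
        if user is not None:              # request carried identity (e.g. a cookie)
            if self.duration_s is not None:
                self._by_ip[src_ip] = (user, now)
            return user
        entry = self._by_ip.get(src_ip)   # no identity: fall back to the IP mapping
        if entry is None:
            return None
        mapped_user, seen_at = entry
        if now - seen_at > self.duration_s:
            del self._by_ip[src_ip]       # mapping expired, user is unknown again
            return None
        return mapped_user

# Constructed sample traffic: (time in seconds, source IP, user or None, destination)
REQUESTS = [
    (0,   "10.0.0.5", None,    "earth.example.com"),     # before any authentication
    (10,  "10.0.0.5", "alice", "intranet.example.com"),  # authenticated request
    (20,  "10.0.0.5", None,    "earth.example.com"),     # cookie-less app, in window
    (700, "10.0.0.5", None,    "earth.example.com"),     # cookie-less app, too late
]

def attribute(requests, duration_s):
    """Replay the requests and return the user each one is attributed to."""
    table = SurrogateMap(duration_s)
    return [table.resolve(t, ip, user) for t, ip, user, _dest in requests]

if __name__ == "__main__":
    print("surrogacy off: ", attribute(REQUESTS, None))
    print("surrogacy 600s:", attribute(REQUESTS, 600))
```

With surrogacy off, only the request that carries identity can match a user-based policy; with a 600-second mapping, the cookie-less request at t=20 is attributed to the same user and the one at t=700 is not.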

Thank you, Ramesh! I have a concern: if I am not using SSL Decryption, then I am not going to be able to create policies based on usernames unless I enable IP surrogate?

(* HTTPS transactions that are not decrypted)