Prisma Access now provides user information for undecrypted Kerberos authentication
events over HTTPS.
You can now implement user identity-based visibility and control using
security policies for undecrypted HTTPS traffic when a user or system
authenticates using Kerberos. In addition,
administrators no longer need to configure Trusted Source Addresses when configuring
Kerberos authentication for undecrypted HTTPS traffic. This ensures consistent user
visibility and policy enforcement for all HTTP(S) traffic even when client
IP addresses change, for example when your branch uses dynamic egress IP addresses.
Previously, you could authenticate decrypted and undecrypted traffic, but
could enforce user-based controls only for decrypted HTTPS traffic. With this new
feature, all HTTP-based traffic (undecrypted HTTPS, decrypted HTTPS, and HTTP
traffic) can be authenticated and subjected to user-based controls.
Additionally, to allow undecrypted HTTPS traffic, users or systems previously had to
come from static IP addresses configured as Trusted Source Addresses. With this
feature, that is no longer necessary, which simplifies initial configuration and
supports branch locations that have dynamic IP addresses.