Access Denied (or allowed) on SGOS 5.5.x or 6.1.1.x when ICAP enabled and Auth layer not first layer

<< Back to Knowledge Search

Technical Alert

Affected Products

SGOS 6.1.1.x ( and
SGOS 5.5.x


When browsing out to sites after upgrading from SGOS 5.4.x to SGOS 5.5 or 6.1.1.x, users are denied access to web resources.
The default policy on the proxy is deny
ICAP feedback is enabled (trickling and patience page)
When the problem happens, the web authentication layer is not the first layer in Visual Policy Manager
The problem does not occur when the web authentication layer is the first layer in Visual Policy Manager
In a policy trace, the allow condition shows up as a n/a because the user has not been identified.



The problem has been reported to engineering.  Please see the workaround below.


To work around the issue, please reorder policy so authentication happens first.  If you use the Visual Policy Manager (VPM), please make sure Web Authentication Layer is the first layer (first tab to the left).  If you are using CPL, make sure the authentication happens first.  This is necessary so the user is identified before any other policy is executed.

Bug Number
InQuira Doc IdTFA50

Article Feedback

Hide Properties
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      ProxySG
Software      SGOS 5.5, SGOS 6.1
Article Number      000007525
Was this helpful?
Previous MonthNext Month