Access Denied (or allowed) on SGOS 5.5.x or 6.1.1.x when ICAP enabled and Auth layer not first layer

Technical Alert

Affected Products

SGOS 6.1.1.x (6.1.1.1 and 6.1.1.3)
SGOS 5.5.x

Overview

When browsing out to sites after upgrading from SGOS 5.4.x to SGOS 5.5 or 6.1.1.x, users are denied access to web resources.
The default policy on the proxy is deny.
ICAP feedback is enabled (trickling and patience page).
When the problem happens, the web authentication layer is not the first layer in Visual Policy Manager.
The problem does not occur when the web authentication layer is the first layer in Visual Policy Manager.
In a policy trace, the allow condition shows up as n/a because the user has not been identified.

 

Status

The problem has been reported to engineering.  Please see the workaround below.

Resolution
Workaround

To work around the issue, please reorder policy so that authentication happens first. If you use the Visual Policy Manager (VPM), please make sure the Web Authentication Layer is the first layer (the first tab on the left). If you are using CPL, make sure the authentication happens first. This is necessary so that the user is identified before any other policy is executed.
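One way to check an exported CPL file for this ordering before and after the upgrade, as an added example that is not Blue Coat's own code. It assumes the authentication layer is a `<Proxy>` layer that calls `authenticate(...)`; the realm name `corp_realm`, the group `Staff` and both sample policies are constructed.

```python
import re

# Assumptions of this added example: layers start with a header such as
# <Proxy>, comments start with ';', and authentication is requested with
# authenticate(<realm>). authenticate(no) is treated as "no authentication".
LAYER_RE = re.compile(r"^\s*<\s*([A-Za-z][\w-]*)")
AUTH_RE = re.compile(r"\bauthenticate\s*\((?!\s*no\s*\))", re.IGNORECASE)

def proxy_layers(cpl_text):
    """Return (header_line_number, has_authenticate) per <Proxy> layer, in order."""
    layers, current = [], None
    for number, raw in enumerate(cpl_text.splitlines(), 1):
        line = raw.split(";", 1)[0]          # drop comments (naive: ignores quoting)
        header = LAYER_RE.match(line)
        if header or line.strip().lower().startswith("define "):
            current = None                   # a new layer or definition block begins
        if header and header.group(1).lower() == "proxy":
            current = [number, False]
            layers.append(current)
        if current is not None and AUTH_RE.search(line):
            current[1] = True
    return [tuple(layer) for layer in layers]

def auth_first_findings(cpl_text):
    """List the <Proxy> layers that are evaluated before the user is identified."""
    layers = proxy_layers(cpl_text)
    if not layers:
        return ["no <Proxy> layers found"]
    auth_lines = [number for number, has_auth in layers if has_auth]
    if not auth_lines:
        return ["no <Proxy> layer calls authenticate()"]
    first_auth = auth_lines[0]
    return [f"<Proxy> layer at line {number} precedes the first "
            f"authenticate() layer (line {first_auth})"
            for number, _ in layers if number < first_auth]

# Constructed samples: the ordering that triggers the problem, then the workaround.
BEFORE = """; access layer ahead of authentication
<Proxy>
    group="Staff" ALLOW
<Proxy>
    authenticate(corp_realm)
"""
AFTER = """; authentication layer first
<Proxy>
    authenticate(corp_realm)
<Proxy>
    group="Staff" ALLOW
"""

if __name__ == "__main__":
    for name, text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, auth_first_findings(text) or "authentication is first")
```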

Bug Number
InQuira Doc Id: TFA50