Technical Alerts

Access Denied (or allowed) on SGOS 5.5.x or 6.1.1.x when ICAP enabled and Auth layer not first layer

Technical Alerts ID:    TFA50
Version:    3.0
Status:    Published
Published date:    11/11/2010
Updated:    11/12/2010
 

Affected products and versions

SGOS 6.1.1.x (6.1.1.1 and 6.1.1.3)
SGOS 5.5.x

Problem description

When browsing out to sites after upgrading from SGOS 5.4.x to SGOS 5.5 or 6.1.1.x, users are denied access to web resources.
The default policy on the proxy is deny.
ICAP feedback is enabled (trickling and patience page).
When the problem happens, the web authentication layer is not the first layer in Visual Policy Manager.
The problem does not occur when the web authentication layer is the first layer in Visual Policy Manager.
In a policy trace, the allow condition shows up as n/a because the user has not been identified.

 

Status

The problem has been reported to engineering.  Please see the workaround below.

Workaround

To work around the issue, please reorder policy so that authentication happens first. If you use the Visual Policy Manager (VPM), please make sure the Web Authentication Layer is the first layer (first tab to the left). If you are using CPL, make sure the authentication happens first. This is necessary so that the user is identified before any other policy is executed.
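One way to check a CPL policy file for this ordering, as an added Python example (not Blue Coat code and not part of the original alert). It assumes layers start with a header such as `<Proxy>`, that `;` starts a comment, and that authentication is the `authenticate(...)` action; the two policies, the realm name and the group name are constructed samples.

```python
import re

# Assumed CPL conventions: a layer starts with a header such as <Proxy>,
# ';' starts a comment, and authentication is the authenticate(...) action.
LAYER_RE = re.compile(r"^<\s*([A-Za-z-]+)[^>]*>\s*(.*)$")
AUTH_RE = re.compile(r"(?<![.\w])authenticate\s*\(", re.IGNORECASE)

def split_layers(cpl_text):
    """Return [(layer_type, [rule text, ...])] in evaluation (file) order."""
    layers = []
    for raw in cpl_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # naive comment strip
        if not line:
            continue
        header = LAYER_RE.match(line)
        if header:
            layers.append((header.group(1).lower(), []))
            line = header.group(2)  # rule text on the header line, if any
        if line and layers:
            layers[-1][1].append(line)
    return layers

def check_auth_first(cpl_text):
    """Return (position of the first authenticating layer or None,
    positions of the layers evaluated before it). Positions are 1-based."""
    layers = split_layers(cpl_text)
    for pos, (_, rules) in enumerate(layers, 1):
        if any(AUTH_RE.search(rule) for rule in rules):
            return pos, list(range(1, pos))
    return None, list(range(1, len(layers) + 1))

# Constructed samples; the realm and group names are placeholders.
AUTH_LATE = """
<Proxy>
    group="Staff" ALLOW      ; evaluated before the user is identified
<Proxy>
    authenticate(example_realm)
"""
AUTH_FIRST = """
<Proxy>
    authenticate(example_realm)
<Proxy>
    group="Staff" ALLOW
"""

if __name__ == "__main__":
    for name, text in (("AUTH_LATE", AUTH_LATE), ("AUTH_FIRST", AUTH_FIRST)):
        auth_pos, earlier = check_auth_first(text)
        verdict = "OK" if auth_pos == 1 else "REORDER"
        print(name, verdict, "auth layer:", auth_pos, "layers before it:", earlier)
```

A result other than position 1 means at least one layer is evaluated before the user is identified, which is the condition this alert describes.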

