Virtual Secure Web Gateway


SWG Does not allow users when given LDAP ID

  • 1.  SWG Does not allow users when given LDAP ID

    Posted Jul 01, 2011 02:22 AM

    Hi,

    I am trying to allow a few of my managers to access the internet without blocking anything. When I give the LDAP ID it takes too long or is currently not taking any effect. I added a security group and added it to the allowed list. Waited for more than 8 hours but the user was unable to access the sites. Then I had to add the IP and the user was allowed to access the sites. Please let me know if anyone can help me.



  • 2.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 01, 2011 11:22 AM

    Hi - I'm going to assume that authentication is all working properly.  The easiest way to test that is to create a policy for a specific user and see if that takes effect, or check custom reports for 'user name' and see that that field is populated.

    If authentication is correct, then we're looking at the LDAP lookup itself.  When you say 'added a security group' do you mean you created a new group within AD itself and then added a new user to that?  If so, then you need SWG to sync with your AD a bit sooner.  The default setting is sync once per week, but you can change this to as much as once per hour.  You can also force a sync of a specific user on the top right of that user's User Report.

    Please feel free to also open a ticket with Support if you want someone to walk you through these troubleshooting steps.



  • 3.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 04, 2011 09:22 AM

    Thanks.

    But I can't find any sync option on the top right of the user's usage report. Please attach a screenshot. You are correct about the security group. I have a new security group and I just need to add a user to it and expect the user to gain access.

    I have already done the new group activity but it was not successful.



  • 4.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 04, 2011 09:34 AM

     

    On the Web Gateway interface under Reports, click the Search option, from the drop down select the user or search for the user's name.  Once the user's report comes up, it's actually a button called 'Refresh' in the top right hand corner of the page that should refresh the LDAP attributes associated with the user.

    Kevin



  • 5.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 05, 2011 03:19 AM

    OK, I got that.

    But what about the behaviour of SWG? Suddenly it stops a user and then I have to add the IP, then it works. Does anyone know why that is?



  • 6.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 05, 2011 03:39 AM

    ...as follows:

    Sergi and Kevin are hoping to determine if the LDAP lookups are working correctly to help you troubleshoot.  

    After hitting the "refresh" button as directed by Kevin, the SWG should actually display a whole lot more information regarding the user, including the groups this user belongs to.  What you're looking for, is to find out if the SWG is able to see the user as belonging to the group you tried to allow out, in accordance with your opening post?

    If the SWG is able to correctly see this user's membership to the group, then it might be worth testing out your original policy again, or testing with a new policy applying to the target AD group.

    Going back to the first post, I don't see any information about the SWG suddenly stopping a user.  Can you elaborate please?



  • 7.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 05, 2011 06:55 AM

    • I have user1, user2. User1 is a member of a security group which is already added to the SWG Allow all policy.
    • Suddenly user1 is blocked from accessing the internet and gets a SWG screen. Then I remove the user from the security group and add the LDAP ID directly to the Allow all policy. Nothing happens.
    • Then I add user2 to the same group and the user is allowed to the internet immediately.
    • To allow user1 I had to add his IP, then the user is allowed to access the internet.
    • This behaviour is not logical nor acceptable.


  • 8.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 05, 2011 08:45 AM

    ...can you let us know what the results of the LDAP test (as per Kevin's instructions) for user1 were?  Is the SWG able to successfully retrieve the group information, and is it picking up this user's membership to the group that is allowed out?

    If the SWG is successful enumerating the user's groups (and as the policy appears to be working correctly for this group in general as user2 is working) then if you could also advise what client machines your users are working from.

    OSes and browser would be handy.  Also, regarding your tests for user1 and user2, were these on the same client machine?



  • 9.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 07, 2011 04:43 AM

    LDAP sync is OK. I get the user information and group information. But once a user is blocked, the other thing I tested was I added another user to the policy and it worked without any issue. But when I add the user who was blocked, SWG still blocks him. We are using Windows XP SP3 and in a few cases Win7, and IE 7. The machine may be different. One is a notebook and the other is a desktop machine.



  • 10.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 07, 2011 10:02 AM

    Is the blocked user working on the Win7 machine by any chance?

    There are certain changes that need to be made to Win7 to get it to authenticate to the SWG, can you confirm if these have been done?  Details can be found in the Implementation Guide.



  • 11.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 12, 2011 04:40 AM

    Both Win XP and Windows 7. I have many Windows 7 clients and all are working fine.



  • 12.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 12, 2011 08:49 AM

    Your AD security-group-based policies are working fine for ALL other users except User1, and the issue follows User1 around no matter which machine he logs onto?

    As a test, if you were to create a copy of User1 within AD, does this new test account behave the same way?



  • 13.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 20, 2011 05:55 AM

    The issue came with a few random users but since the version update I have not had any issues.

    Thanks a lot for your help :)



  • 14.  RE: SWG Does not allow users when given LDAP ID

    Posted Jul 21, 2011 12:14 AM

    Hi, 

    I got the same issue with another user. I had to add the IP of the client computer to allow it. The new version does not work....