
Symantec Web Gateway Policy precedence did not work

Created: 24 Apr 2012 | 8 comments
Muhammad Ishaq Khan

Hi,

In Symantec Web Gateway, we have created three security groups on the domain controller, and we are managing web traffic policies for these groups. We need to block internet access for all users who are not part of any of the following three security groups.

  1. Test1
  2. Test2
  3. Test3

I created a policy for all computers at the end of the three policies (the policies for the three AD groups), but the all-computers policy blocks all traffic for all users, even Test1, Test2, and Test3 users.

Kindly guide me

 

Best regards

Ishaq


Muhammad Ishaq Khan

Kindly someone reply back.

regards

Ishaq


SMLatCST

Specifically, can you advise if and how you have set up the SWG authentication?

Presumably, the LDAP part of it must be configured in order to allow you to target LDAP workgroups with your policies, but can you please check:

  • you have a correctly configured Authentication policy
  • that your users actually do authenticate
  • how your SWG authenticates your users (NTLM/DCInterface)

We should be able to better advise you how to investigate once we have more info.

Muhammad Ishaq Khan

Dear SMLatCST,

 

Thanks for your reply, kindly find information below:

- Yes, we correctly configured the authentication policy, and only AD users can access the internet through the proxy.

- AD 2008 is running.

- We use NTLM authentication.

 

Best regards

Ishaq


SMLatCST

...SWG setup would help?

What do the SWG custom reports say when these users are blocked access?  Does it give you the name of the user that was blocked as well?

BenDC

You would want the AD group policies before the all-computers policies; the policies are processed in order.

xinetd

I have the same problem. I think this problem is insoluble.

BenDC

Are users actually authenticating? You should be able to see this by running a custom report based on username. If you are unable to run a report based on a username, you will need to troubleshoot that.

If username reports do work then you will likely need to look at your policy order and settings.

xinetd

The report section does not show anything. The NTLM and LDAP authentication tests were successful.

I changed the authentication TTL to 0 and the sync frequency to 1 hour. It sometimes works; sometimes it denies all requests.