Access Denied

vaishraj · ‎04-30-2025

We are currently investigating an issue affecting https://www.americanexpress.com, aexp-static.com where users are encountering an access denied error message "You don't have permission to access https://www.americanexpress.com on this server."

There is a possible workarounds for this issue.
Consider bypassing both americanexpress.com and aexp-static.com from the web proxy using external domains management list for roaming and PAC file deployments and bypass the website at Firewall router or other IPSec tunnel devices for tunnel based deployments.

Daniel Bell · ‎05-05-2025

Problem exhibited in Edge, Chrome and Firefox. Test system used to replicate problem is Windows 11 Enterprise.

TaylorSF · ‎05-13-2025

I've been facing the same issue.

Access Denied

You don't have permission to access "http://www.americanexpress.com/" on this server.

Reference #18.783b2f17.1747182159.29b18c2a

https://errors.edgesuite.net/18.783b2f17.1747182159.29b18c2a

rwga · ‎05-20-2025

I added both of those suggested domains to the external domains list but still get the access denied error. Does the endpoint have to be rebooted, or some additional action other than just added those two domains to the external domain list?

Royalty · ‎05-21-2025

@rwga wrote:
I added both of those suggested domains to the external domains list but still get the access denied error. Does the endpoint have to be rebooted, or some additional action other than just added those two domains to the external domain list?

Hi @rwga,

At what time the changes take effect will depend on how you have deployed Umbrella.

If you have implemented Umbrella using the Cisco Secure Client software (recommended) along with the Umbrella module then that is one form of an explicit proxy deployment method. In this deployment, once you configure domains in the 'External Domains' or 'Internal Domains' lists, the changes are replicated to the client between 30 minutes to an hour. You can force a refresh of this configuration and do a manual config re-download by restarting the Cisco Secure Client services (services.msc on Windows). Alternatively, you can just restart the computer which will inherently do the same thing. Otherwise, waiting 30 minutes to an hour is sufficient. Specifically, you only need to restart the Cisco Secure Client - Umbrella Agent service if wanting a faster resolution. It is not necessary (but doesn't really matter if you do) to restart the SWG Agent or the AnyConnect core module. You can verify if changes to the External Domains list have been made by viewing the SWGConfig.json file (the list of exceptions) here on the Windows machine: C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\SWG\SWGConfig.json.

If you are using another form of explicit proxy deployment, like a PAC file, the changes made on Umbrella will be done within a few seconds (almost instant). The changes should appear on the client the next time the PAC file is downloaded. Normally, when browsers are launched they download a PAC file and store the contents in memory, so you may have to restart your browser to force your computer to re-download the file. If this has still not fixed the problem, the Umbrella block page could be caching the site. Again, a reboot would fix this also but not necessary.

If you are using a transparent proxy then the changes will be instant also. Vaishraj mentioned above how to configure this for the IPsec tunnel deployments.

Please let me know if this helped or if any further clarification is needed!

rwga · ‎05-21-2025

@Royalty

Yes, we have "... implemented Umbrella using the Cisco Secure Client software (recommended) along with the Umbrella module...". I got busy with other activities and forgot to test later. It does appear that waiting a length of time or restarting my computer this morning updated the client. I just forgot to come back here and update the thread. This workaround is now allowing endpoints access to the American Express website.

Thanks!!!

Americanexpress.com access denied message for Umbrella SWG

Access Denied