09-05-2025 03:28 AM
Hello Fellow networkers!
I am facing the problem that my friends have the old remote domain: olddomain.local.
They are so nice because they trust me and want to use my fancy Cisco WSA proxies (running 12.5 and 14.0).
But my domain is joined to our new shiny domain: newdomain.business.
My other friends who are managing servers already did the trust between the domains (two-way).
However, when the friends from olddomain.local want to access something on the internet that should be allowed based on the category and the AD-group membership, it denies them.
I have added the AD-group olddomain.local\Internet to the Access-policy by simply typing it in (trusted domain lookup was not really working).
We also tried to add the AD-group olddomain.local\Internet to the AD-group newdomain.business\Internet, but the access is still denied.
What is puzzling me, though: when I check the logs, ad_group_memberships said "olddomain.local\Internet" (now it says: olddomain.local\Internet, newdomain.business\Internet).
Oh, and it also sees the user: OLDDOMAIN\MyFriend.
So my understanding is that it can see the group membership, but something is missing in the Access-Policy?
Or is it the other way around?
Maybe someone has more understanding about the topic?
Thank you for the help! 
09-05-2025 04:01 AM
"We also tried to add the AD-group olddomain.local\Internet to the AD-group newdomain.business\Internet, but the access is still denied." This depends on how the policy is set up. Go to command level and check the logs for the reason it is denying access.
Log in to command level:
> tail
> 1 for access logs
Follow the guided steps; you can add a username or a regex for the denied username and check the logs to see what policy it is hitting and denying. That will give you direction.
Some reference (I am sure you have already set this up).
09-05-2025 04:39 AM
Thanks for the answer! 
I have this for example: 
Sep 5 10:54:44 superproxy.noc accesslogs: Info: 1757062474.715 8 172.25.20.172 NONE/503 0 CONNECT tunnel://internet.com:443/ "OLDDOMAIN\MyFriend@LOCALDOMAIN" NONE/internet.com - DECRYPT_WEBCAT_7-DP.BlockAny-ID.WEB.LocalAD-NONE-NONE-NONE-DefaultGroup-NONE <"nc",ns,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"nc",-,"-","-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - transaction_id = 949790, http_user_agent = -, ad_group_memberships = "olddomain.local\Internet,newdomain.business\Internet", auth_mechanism = NTLMSSP [ tx_1st_byte_to_server = 0, tx_request_header = 0, tx_response_header = 0, tx_client_body = 0 ] [ rx_1st_request_byte = 0, rx_request_header = 0, rx_client_body = 0, rx_1st_response_byte = 0, rx_response_header = 0, rx_server_response = 0, rx_disk_cache = 0, rx_auth_response = 8, rx_dns_response = 0, rx_wbrs_response = 0, rx_avc_response = 0, rx_avc_total = 0, rx_dca_response = 0, rx_dca_total = 0, rx_mcafee_response = 0, rx_mcafee_total = 0, rx_sophos_response = 0, rx_sophos_total = 0, rx_webroot_response = 0, rx_webroot_total = 0, rx_anti_spyware_response = -, rx_Latency = 8 ] local_time = "05/Sep/2025:10:54:34 +0200"
09-07-2025 12:10 PM
NONE/503 0 CONNECT tunnel://internet.com:443/ "OLDDOMAIN\MyFriend@LOCALDOMAIN" NONE/internet.com - DECRYPT_WEBCAT_7-DP.BlockAny-ID.WEB.LocalAD-NONE-NONE-NONE-DefaultGroup-NONE
This provides you the information on what needs to be done:
The NONE/503 code in Cisco WSA logs means the WSA failed in the HTTP CONNECT tunneling process to the HTTPS site.
The user context OLDDOMAIN\MyFriend@LOCALDOMAIN shows the authenticated user for whom the request was processed.
The policy tag DECRYPT_WEBCAT_7-DP.BlockAny-ID.WEB.LocalAD indicates the proxy applied a Web Categorization (WebCat) and decryption policy that likely blocked the request based on security rules.
This may require some troubleshooting and understanding of the rules.
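An added example, not code from the thread or from Cisco: a small Python parser for the access-log line posted above. It pulls out the fields the replies point at (result code and HTTP status, the authenticated user, the decision tag, ad_group_memberships and auth_mechanism) so that a batch of lines collected with `tail` can be checked for which policy and identification profile each denied request hit, and whether the group configured in the Access Policy actually appears in the user's memberships. Reading the decision tag as verdict, then the policy that fired, then the identification profile follows the reply above; treating every further hyphen-separated element as another policy slot, assuming policy names contain no hyphen, and abridging the two bracketed timing blocks in the sample are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the access-log line posted earlier in this thread, with the
# two bracketed timing blocks abridged to keep the line short.
SAMPLE_LINE = r'''Sep 5 10:54:44 superproxy.noc accesslogs: Info: 1757062474.715 8 172.25.20.172 NONE/503 0 CONNECT tunnel://internet.com:443/ "OLDDOMAIN\MyFriend@LOCALDOMAIN" NONE/internet.com - DECRYPT_WEBCAT_7-DP.BlockAny-ID.WEB.LocalAD-NONE-NONE-NONE-DefaultGroup-NONE <"nc",ns,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"nc",-,"-","-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - transaction_id = 949790, http_user_agent = -, ad_group_memberships = "olddomain.local\Internet,newdomain.business\Internet", auth_mechanism = NTLMSSP [ tx_1st_byte_to_server = 0 ] [ rx_auth_response = 8, rx_Latency = 8 ] local_time = "05/Sep/2025:10:54:34 +0200"'''

# Head of a WSA access-log entry, up to the "<" that opens the scanning-verdict vector.
# The syslog prefix (date, host, "accesslogs: Info:") is skipped by searching instead
# of anchoring at the start of the line.
_HEAD = re.compile(
    r'(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<client>\S+) '
    r'(?P<result>[A-Z_]+)/(?P<status>\d+) (?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) '
    r'"(?P<user>[^"]*)" (?P<hier>\S+) (?P<mime>\S+) (?P<tag>[^\s<]+) <'
)


def _kv(line: str, key: str):
    """Return the value of a trailing `key = value` field, unquoted if it was quoted."""
    m = re.search(rf'{re.escape(key)} = (?:"(?P<q>[^"]*)"|(?P<bare>[^\s,\]]+))', line)
    if m is None:
        return None
    return m.group('q') if m.group('q') is not None else m.group('bare')


@dataclass
class AccessRecord:
    client: str
    result: str          # e.g. NONE, TCP_MISS
    status: int          # HTTP status the proxy returned to the client
    method: str
    url: str
    user: str            # authenticated user as logged, e.g. OLDDOMAIN\MyFriend@LOCALDOMAIN
    verdict: str         # first element of the decision tag, e.g. DECRYPT_WEBCAT_7
    policy: str          # second element: the policy that fired (DP.BlockAny above)
    identity: str        # third element: identification profile (ID.WEB.LocalAD above)
    tag_rest: list       # remaining policy slots of the tag (assumed positional)
    groups: list         # ad_group_memberships, split on commas
    auth: str            # auth_mechanism, e.g. NTLMSSP
    transaction_id: str


def parse_access_line(line: str) -> AccessRecord:
    m = _HEAD.search(line)
    if m is None:
        raise ValueError('not a WSA access-log line')
    # Assumption: policy names contain no hyphen, so a plain split is safe here.
    parts = m.group('tag').split('-')
    if len(parts) < 3:
        raise ValueError(f'unexpected decision tag: {m.group("tag")}')
    verdict, policy, identity, *rest = parts
    groups_raw = _kv(line, 'ad_group_memberships') or ''
    return AccessRecord(
        client=m.group('client'),
        result=m.group('result'),
        status=int(m.group('status')),
        method=m.group('method'),
        url=m.group('url'),
        user=m.group('user'),
        verdict=verdict,
        policy=policy,
        identity=identity,
        tag_rest=rest,
        groups=[g for g in groups_raw.split(',') if g],
        auth=_kv(line, 'auth_mechanism') or '-',
        transaction_id=_kv(line, 'transaction_id') or '-',
    )


def user_in_group(record: AccessRecord, group: str) -> bool:
    """Case-insensitive check: AD group names are not case-sensitive, so a
    configured 'OLDDOMAIN.LOCAL\\internet' still matches the logged membership."""
    want = group.casefold()
    return any(g.casefold() == want for g in record.groups)


def summarize(line: str) -> str:
    """One-line triage view of a log entry: who, what, result, and which policy hit."""
    r = parse_access_line(line)
    return (f'{r.user} {r.method} {r.url} -> {r.result}/{r.status} '
            f'verdict={r.verdict} policy={r.policy} identity={r.identity} '
            f'auth={r.auth} groups={",".join(r.groups) or "-"}')


if __name__ == '__main__':
    print(summarize(SAMPLE_LINE))
```

Run over the lines `tail` shows for the affected user, `summarize` makes it quick to see that the request was identified through ID.WEB.LocalAD and ended up in DP.BlockAny even though `user_in_group` confirms olddomain.local\Internet is among the logged memberships; the mismatch to look for is then between the group as typed into the policy and the form the WSA logs it in.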