05-15-2014 08:01 AM
Hi all,
I configured an IronPort S170 appliance (AsyncOS 7.5.0-833) to join our domain via LDAPv3.
The domain is successfully joined; below is the output of the testauthconfig command:
Checking DNS resolution of WSA hostname(s)...
Success: Resolved 'ironport02.domain.com' address: 192.168.X.X
Checking DNS resolution of LDAP Server(s)...
Success: Resolved 'forestdc01.domain.com' address: 10.200.X.X
Success: Resolved 'forestdc02.domain.com' address: 10.200.X.X
Checking connectivity of LDAP Server(s)...
Success: Server 'forestdc01.domain.com' responding to queries on port 3268.
Success: Server 'forestdc02.domain.com' responding to queries on port 3268.
Checking the type of LDAP Server(s)...
Success: Able to query server information from 'forestdc01.domain.com'
Success: Able to query server information from 'forestdc02.domain.com'
Checking if Referrals are enabled...
Success: Referral option is disabled.
Attempting to fetch user information...
Success: Able to query for User Information from server 'forestdc01.domain.com'. Number of users fetched: 1000.
Success: Able to query for User Information from server 'forestdc02.domain.com'. Number of users fetched: 1000.
Attempting to fetch group information...
Success: Able to query for Group Information from server 'forestdc01.domain.com'.
Success: Able to query for Group Information from server 'forestdc02.domain.com'.
So I configured an access policy (named VIP_AD) based on a directory group that allows access to the youtube.com website, then I created a test user in my domain who is part of that group. The group is named "Proxy_VIP".
I tested the access rule using Policy Trace and below is the result:
(Policy Trace output not reproduced in the post.)
As you can see policy trace matches correctly both Group Membership and Access Policy matching.
Unfortunately this doesn't happen when browsing the internet with the same user, and the transaction is blocked:
172.16.X.X "DOMAIN\user.test@DOMAIN.COM" - [15/May/2014:16:49:07 +0200] "GET http://www.youtube.com/" 403 1 TCP_DENIED:NONE 4 BLOCK_WEBCAT_11-Default_AD-UtentiAD-DefaultGroup-NONE-NONE-NONE <IW_vid,-,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_vid,-,"-","-","YouTube","Media","-","-",0.00,0,-,"-","-"> - -
As you can see above, the Access Policy is not matched correctly.
Any ideas?
Thank you in advance.
Kind Regards
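The access-log line quoted in the post can be checked mechanically for which policy groups the proxy actually applied to the request, which is the quickest way to compare a live transaction against what Policy Trace predicted. The parser below is an added example, not code from the poster or from Cisco; it assumes that in the hyphen-separated ACL decision tag the first group name after the decision is the Access Policy and the second is the Identity group (verify against the access-log field reference for your AsyncOS release), and that policy names contain no hyphens.

```python
"""Parse a WSA access-log line and report the Access Policy / Identity it applied."""
import re
from dataclasses import dataclass, field

# Constructed sample: the access-log line quoted in the post (addresses redacted there).
SAMPLE_LINE = (
    '172.16.X.X "DOMAIN\\user.test@DOMAIN.COM" - [15/May/2014:16:49:07 +0200] '
    '"GET http://www.youtube.com/" 403 1 TCP_DENIED:NONE 4 '
    'BLOCK_WEBCAT_11-Default_AD-UtentiAD-DefaultGroup-NONE-NONE-NONE '
    '<IW_vid,-,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_vid,-,"-","-",'
    '"YouTube","Media","-","-",0.00,0,-,"-","-"> - -'
)

# Space-separated fields; the ACL decision tag is the token just before the '<...>' verdict block.
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<user>[^"]*)" \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)" (?P<status>\d+) \d+ (?P<result>\S+) \d+ '
    r'(?P<acl>\S+) <'
)


@dataclass
class Decision:
    user: str
    url: str
    status: int
    result: str            # e.g. TCP_DENIED:NONE
    decision_tag: str      # e.g. BLOCK_WEBCAT_11
    access_policy: str     # assumption: first group name after the decision tag
    identity: str          # assumption: second group name after the decision tag
    other_groups: list = field(default_factory=list)  # remaining positional group names


def parse_wsa_line(line: str) -> Decision:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised access-log line")
    # Assumption: policy-group names contain no '-' so splitting on it is safe.
    tag, *groups = m.group("acl").split("-")
    if len(groups) < 2:
        raise ValueError("ACL decision tag has too few policy-group fields")
    return Decision(
        user=m.group("user"), url=m.group("url"), status=int(m.group("status")),
        result=m.group("result"), decision_tag=tag,
        access_policy=groups[0], identity=groups[1], other_groups=groups[2:],
    )


def policy_mismatch(line: str, expected_policy: str) -> bool:
    """True when the log shows a different Access Policy than Policy Trace predicted."""
    return parse_wsa_line(line).access_policy != expected_policy
```

Run against the post's line, the parser reports the request fell through to the Default_AD policy under the UtentiAD identity rather than VIP_AD, so the place to look is identity/group resolution at request time rather than the policy itself.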
05-25-2014 04:37 PM
<DELETED>