Has anyone here experienced this kind of dilemma?
After upgrading to the new IronPort web filter (version 6.3), it takes time to query LDAP.
This means that if a user gets created via AD and added to a particular group (e.g. with-access-internet), when tested, it will fall to the global policy - denied.
Identity is being matched properly except for the access policy, as a result of policy tracing.
After 24 hours it appears to be working.
I talked to some support, but it seemed they're having a hard time figuring it out.