Why am I not matching an access policy?

keithsauer507
Level 5

We're using Windows Active Directory and CDA together to match the AD username to their workstation.  We have access policies that work top down (least to most restrictive), and everyone who is supposed to have access to a privileged site is having a problem.

An example is that my AD username is in AD group Information Technology.  In our second Access policy from the top it clearly shows Realm: windows, DOMAIN\Domain Admins, DOMAIN\Information Technology.

The policy is enabled.  It has access granted to the file transfer service hightail/yousendit.  However, when I try to go to www.hightail.com it's blocked with this block page:

Blocked Site:www.hightail.com
Blocked Category:File Transfer Services
User:DOMAIN\sauerk@windows
User Group:OTHER-NONE-Authenticated_Users-DefaultGroup-NONE-NONE-DefaultGroup

When I do a policy trace it correctly identifies my user name and all my Active Directory memberships.  Then the rest seems like, for whatever reason, it's dropping me down into the global policy, which would block a privileged site like this as a last resort.

URL Check
WBRS Score: -0.3
URL Category: File Transfer Services
Scanner "AVC" Verdict (Request): HighTail/YouSendIt (File Sharing)
Scanner "Webroot" Verdict (Request): Unknown
Policy Match
Cisco Data Security policy: None
Decryption policy: None
Routing policy: Global Routing Policy
Identification Profile: Authenticated_Users
Access policy: (null)
Final Result
Request blocked
Details: Gateway timeout
Trace session complete

So the only way around it is to forcefully type https:// in front of the URL, since our WCCP config from our firewalls is not doing anything with port 443 / HTTPS filtering at the moment, due to the numerous things it would break without surgically configuring that at another time (on our roadmap eventually).


Handy Putra
Cisco Employee

From the policy trace provided, it looks like it is blocked due to "Gateway Timeout", and when it is getting a gateway timeout, normally it has not hit the access policy yet.

Scenarios that normally get a gateway timeout:

- either the WSA received the request and sent the request out, however it never received any response back;

- if you have L4TM enabled, it could be blocked by L4TM.

The link below is useful for gateway timeout descriptions:

http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118079-troubleshoot-wsa-00.html

I would suggest running a packet capture from the client machine (using Wireshark) and at the same time running a packet capture from the WSA with client- and server-side connections, so you can see how the WSA behaves when it receives the request from the client and how it passes that request out.
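As an added illustration (not from the thread and not a Cisco tool), a small Python helper that parses the policy-trace output pasted in the question and applies the reasoning in this reply: an access policy of "(null)" together with a "Gateway timeout" means the request failed before any access policy was evaluated, so the AD group membership in the policy is not the first thing to check. The trace text and its field names are those shown in the question; the triage labels are assumptions of this example.

```python
import re

# Constructed sample: the policy-trace output from the question above.
SAMPLE_TRACE = """\
URL Check
WBRS Score: -0.3
URL Category: File Transfer Services
Scanner "AVC" Verdict (Request): HighTail/YouSendIt (File Sharing)
Scanner "Webroot" Verdict (Request): Unknown
Policy Match
Cisco Data Security policy: None
Decryption policy: None
Routing policy: Global Routing Policy
Identification Profile: Authenticated_Users
Access policy: (null)
Final Result
Request blocked
Details: Gateway timeout
Trace session complete
"""


def parse_trace(text):
    """Turn the 'Key: Value' lines of a WSA policy trace into a dict.
    Section headers (URL Check, Policy Match, Final Result) are skipped;
    the bare 'Request ...' verdict line is stored under 'Result'."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^Request \w+", line):
            fields["Result"] = line
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def triage(fields):
    """Return (label, explanation). Labels are this example's own names.
    '(null)' access policy + gateway timeout = the request never reached
    access-policy evaluation, so look at the WSA-to-server path (or L4TM)
    before debugging group membership in the access policies."""
    policy = fields.get("Access policy")
    details = fields.get("Details", "")
    if policy == "(null)" and "gateway timeout" in details.lower():
        return ("upstream-failure",
                "No access policy was evaluated; check connectivity from "
                "the WSA to the server and whether L4TM blocked it.")
    if policy == "(null)":
        return ("no-policy-match", "No access policy matched this request.")
    return ("policy-evaluated", f"Request was evaluated by access policy: {policy}")
```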

Tao Yang
Cisco Employee

Blocked Site:www.hightail.com
Blocked Category:File Transfer Services
User:DOMAIN\sauerk@windows
User Group:OTHER-NONE-Authenticated_Users-DefaultGroup-NONE-NONE-DefaultGroup

The "User Group" information looks weird in your attached block page. Is your access policy based on AD user or AD group? If it is based on AD group, would you please create a test access policy based only on AD user to narrow down this issue?
