Some of our AD groups contain other AD groups and LDAP membership checks don't appear to pick this up?
E.g., if I am a member of GroupA and GroupA is a member of GroupB - then there is an outgoing mail policy looking for the sender to be a member of GroupB, it will not trigger when I send an email. If I'm a member of GroupA and GroupB, then it works.
Is this something that can be changed or will I have to unravel the groups I want to check against?
Great post, AndrewR. I have been working on this issue for a while now and have not found a way to accomplish this either. IronPort Support has indicated that it is not possible and that they are working on it. I can make it work from a Linux box with no problems but have not been able to make it work with IronPort. The workaround that I used was, in the Mail Policy, to just add a query for Group A and another one for Group B. I would think that this causes LDAP queries to double, but thus far it has worked OK.
Yeah, that's basically the conclusion I came to as well - I opened a support ticket and from the output I sent they have said that we're hitting a recursion limit..! Quite why the limit is set at 1 I don't know :)
Basically we're now checking for Group A and B, like you say. Shame, but it works.
AndrewR, JMeyer5241, this is very surprising but seems to be the reality. I have run into the same problem as well!
Group membership via LDAP browsers or a Linux box is working fine, but IronPort doesn't seem to be able to see membership from nested groups.
Have you got another solution to this than creating separate queries to different groups?
A side note: I have 5 different AD groups in mail policies, and those are working just fine. Each of those groups will get 5 new nested groups on Monday. After initial tests and quick calculations, I'm afraid that I'll have a headache the size of the Universe on Monday morning :?
I'm more than thankful if you have any updates on this case!
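An added example, not part of the thread and not IronPort's code: a small Python model of the nested-group behaviour the posts describe, with a depth-limited membership check and a helper that lists every group a policy would have to name for the separate-queries workaround. The directory contents and the names `DIRECTORY`, `nested_groups` and `is_member` are constructed for illustration.

```python
from collections import deque

# Constructed sample directory: group name -> direct members (users or groups).
# GroupA is nested in GroupB as in the thread; GroupC -> GroupB adds a cycle.
DIRECTORY = {
    "GroupB": ["GroupA", "bob"],
    "GroupA": ["alice", "GroupC"],
    "GroupC": ["carol", "GroupB"],  # circular nesting must not loop forever
    "GroupD": ["dave"],
}

def nested_groups(target, directory):
    """Return target plus every group nested inside it, breadth-first.

    This is the list of groups a policy must query one by one when the
    checker only sees direct members.
    """
    seen, queue = [target], deque([target])
    while queue:
        for member in directory.get(queue.popleft(), []):
            if member in directory and member not in seen:
                seen.append(member)
                queue.append(member)
    return seen

def is_member(user, group, directory, max_depth=None):
    """Membership check that expands at most max_depth levels of groups.

    max_depth=1 inspects direct members only (a model of the limit reported
    in the thread); max_depth=None follows nesting to any depth.
    """
    frontier, seen, depth = [group], {group}, 0
    while frontier and (max_depth is None or depth < max_depth):
        next_frontier = []
        for current in frontier:
            for member in directory.get(current, []):
                if member == user:
                    return True
                if member in directory and member not in seen:
                    seen.add(member)
                    next_frontier.append(member)
        frontier, depth = next_frontier, depth + 1
    return False

if __name__ == "__main__":
    print(is_member("alice", "GroupB", DIRECTORY, max_depth=1))  # direct only
    print(is_member("alice", "GroupB", DIRECTORY))               # transitive
    print(nested_groups("GroupB", DIRECTORY))                    # groups to list
```

Running a direct-only check against each group returned by `nested_groups` gives the same answer as the unlimited check, which is why the separate-queries workaround works at the cost of one query per nested group.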