When you create a policy for a user group to access a web service, you may find that you are not able to access it. However, it works just fine when you configure a single user to access the web service.
The on-screen error reads:
This site can't be reached
The webpage at https://xxx.xxx.xx.xxx/ might be temporarily down or it may have moved permanently to a new web address.
In your Session log you will see this:
PAM-CMN-1043: CA PAM denied web portal HTTPS's connection to host 172.16.244.33 because it does not match an entry in the web portal's access list.
The access list in the TCP/UDP service is empty by default. As long as the policy is defined for an individual user, access is allowed with an empty access list, but PAM mandates the access list when a user group is associated with the policy.
Add * to the access list on the web portal service page.