I have long-lived connections that were already allowed by policy rules, yet were denied when I installed policy (regardless of the change).
When you install policy from the VPM, the policy engine re-evaluates existing transactions, including ones that were previously allowed, so that the newly installed policy is applied consistently. This re-evaluation can deny an existing connection if the condition under which it was originally allowed no longer matches. The same denial can occur even when you install policy from the VPM without making any change, if the policy layers are not in the correct order.
This problem occurs only when a policy layer that tests a user or group source condition (for example, a Web Access Layer) is ordered before the Web Authentication Layer.
SOLUTION:
Reorder the policy layers so that the Web Authentication Layer comes before any layer that tests a user or group condition.
In this example, a Web Access Layer with a user-group source condition is placed before the Web Authentication Layer.
With this order, the layer that tests the group condition (__GROUP1) is evaluated before the layer that sets authenticate(), and the already-allowed transaction is denied when the ProxySG re-evaluates existing transactions:
    <Proxy>
        ALLOW condition=__GROUP1

    <Proxy>
        authenticate(iwa) authenticate.force(yes) authenticate.mode(proxy)

    <Proxy>
        trace.request(yes) trace.rules(all) trace.destination(test)

    <Proxy>
        ALLOW condition=__GROUP1 service.name="Explicit HTTP"
        FORCE_DENY
If the order is corrected so that the Web Authentication Layer comes before the Web Access Layer, the already-allowed transactions are not denied when policy is reinstalled. After reordering, install the policy and check the generated CPL: the layer containing authenticate() must appear above every layer whose rules test a group= or user= condition.
    <Proxy>
        authenticate(iwa) authenticate.force(yes) authenticate.mode(proxy)

    <Proxy>
        ALLOW condition=__GROUP1

    <Proxy>
        trace.request(yes) trace.rules(all) trace.destination(test)

    <Proxy>
        ALLOW condition=__GROUP1 service.name="Explicit HTTP"
        FORCE_DENY

    ; Definitions
    define condition __GROUP1
        realm=iwa group=COMPNET\almas_group
    end