Warning: Late condition guards early action: 'force_protocol()' when a username or group is used as a source condition


Article ID: 167729


Products

ProxySG Software - SGOS

Issue/Introduction

You receive the following warning when you install the policy in the Visual Policy Manager (VPM) and a username or group is defined in your_condition: "Late condition <condition=your_condition> guards early action: 'force_protocol()'. In the next major release this will be an error".

An example of such a policy:
<Proxy>
 proxy.port=443 condition=ssl_clients force_protocol(ssl)

define condition ssl_clients
 client.address=10.0.0.0/8
 realm=WinSSO group="CN=Users,DC=kldev,dc=bluecat,dc=com"
end

Explanation

This happens because the force_protocol() action must be executed before the username can be determined. Using a username as a condition for force_protocol() is therefore invalid.

force_protocol( )
Specifies that the client connection should be treated as a particular protocol type. The connection will be handled by the appropriate application proxy.
 

Additional Information

1. You may only receive the warning after upgrading from SGOS 5.3, because the guard was added in SG 5.4.
2. This remains true for Windows SSO and Novell SSO, even though their usernames/groups can be obtained without the force_protocol() action.

Resolution

Remove any username or group conditions from your policy.

In the example above, the correct policy would be:

<Proxy>
 proxy.port=443 condition=ssl_clients force_protocol(ssl)

define condition ssl_clients
 client.address=10.0.0.0/8
end
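
A way to check a policy file for this pattern before installing it, as an added example that is not part of the original article or the product. It goes slightly beyond the article's case by following nested condition= references. The function names are hypothetical, the parsing is a simplified line-based reading of the policy text rather than a full CPL parser, and it assumes user=, group= and realm= are the identity triggers to look for and that ';' starts a comment.

```python
import re

# Assumption: realm=/group= are from the article's example; user= covers "username".
TRIGGER_RE = re.compile(r'(?<![\w.])(user|group|realm)\s*=', re.I)
COND_REF_RE = re.compile(r'(?<![\w.])condition\s*=\s*(\S+)', re.I)
DEFINE_RE = re.compile(r'^define\s+condition\s+(\S+)', re.I)
ACTION_RE = re.compile(r'force_protocol\s*\(', re.I)

def clean(line):  # blank out quoted strings, then drop a trailing ';' comment
    return re.sub(r'"[^"]*"', '""', line).split(";")[0].strip()

def parse_conditions(cpl):
    """Map each 'define condition NAME ... end' block to its body lines."""
    conditions, current = {}, None
    for line in map(clean, cpl.splitlines()):
        m = DEFINE_RE.match(line)
        if m:
            current = conditions.setdefault(m.group(1), [])
        elif line.lower() == "end":
            current = None
        elif current is not None and line:
            current.append(line)
    return conditions

def identity_triggers(text, conditions, seen=()):
    """Identity triggers in text, following condition= references (cycle-safe)."""
    found = {t.lower() for t in TRIGGER_RE.findall(text)}
    for ref in COND_REF_RE.findall(text):
        if ref in conditions and ref not in seen:
            found |= identity_triggers(" ".join(conditions[ref]), conditions, (*seen, ref))
    return found

def find_late_guards(cpl):
    """Return [(line_no, [triggers])] for force_protocol() rules guarded by identity."""
    conditions = parse_conditions(cpl)
    hits = [(no, sorted(identity_triggers(clean(raw), conditions)))
            for no, raw in enumerate(cpl.splitlines(), 1)
            if ACTION_RE.search(clean(raw))]
    return [hit for hit in hits if hit[1]]

# The policy from the article's Issue section.
PAGE_POLICY = """<Proxy>
 proxy.port=443 condition=ssl_clients force_protocol(ssl)
define condition ssl_clients
 client.address=10.0.0.0/8
 realm=WinSSO group="CN=Users,DC=kldev,dc=bluecat,dc=com"
end"""

if __name__ == "__main__":
    print(find_late_guards(PAGE_POLICY))
```

Each finding gives the line number of the force_protocol() rule and the identity triggers that guard it, directly or through a referenced condition.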