Cannot access any SAC segment applications via Cloud SWG


Article ID: 259865


Products

Cloud Secure Web Gateway - Cloud SWG

Symantec ZTNA

Issue/Introduction

SAC is enabled with Symantec WSS integration.

A SAC segment application is configured for the Web server IP address.

Users running WSS Agent can connect to Cloud SWG and authenticate with SAML, but cannot reach the Web server via IP address or DNS.

Users get a standard browser connectivity error when accessing the SAC segment application.

SAC logs report the following warning (username masked for privacy reasons):

"'[email protected]' failed accessing segment application 'WSS-Segment-App-Name'. Authorization for username 'xxxx@yyyy' failed. access denied: request for application access is not authorized"

 

Environment

Cloud SWG integrated with SAC.

SAC and Cloud SWG pointing to the same SAML IDP server.

WSS Agent used to connect to Cloud SWG.

Cause

No matching entity/user is assigned to the SAC segment application.

Resolution

Assign the correct entity to the policy assigned to the SAC segment application.

In the case above, the user was logging in to Cloud SWG as [email protected], but this user was NOT an assigned entity on the policy assigned to the application.

Adding the correct user as an assigned entity fixed the problem.
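
When several users are affected, the warning above can be triaged in bulk. The following is an added example, not part of the original article or of any Symantec tooling: it pulls the segment application and username out of each "not authorized" warning and lists the usernames missing from that application's assigned entities. The log line prefix, the sample usernames and the assigned-entity list are constructed assumptions; only the message text comes from this page.

```python
import re
from collections import defaultdict

# Message text as quoted in the SAC warning on this page. Whatever surrounds it
# in an export (timestamp, severity) is not assumed and is simply ignored.
DENIED = re.compile(
    r"'(?P<identity>[^']*)' failed accessing segment application "
    r"'(?P<app>[^']*)'\. Authorization for username '(?P<user>[^']*)' failed\. "
    r"access denied: request for application access is not authorized"
)

def denied_by_app(lines):
    """Map each segment application to the set of usernames denied on it."""
    denied = defaultdict(set)
    for line in lines:
        m = DENIED.search(line)
        if m:
            denied[m.group("app")].add(m.group("user"))
    return dict(denied)

def unassigned(denied, assigned):
    """Per application, list denied usernames absent from its assigned entities,
    plus assigned entries with the same local part as a hint for manual review."""
    report = {}
    for app, users in sorted(denied.items()):
        entities = assigned.get(app, set())
        for user in sorted(users - entities):
            local = user.split("@", 1)[0].lower()
            similar = sorted(e for e in entities
                             if e.split("@", 1)[0].lower() == local)
            report.setdefault(app, []).append((user, similar))
    return report

# Constructed sample data: prefixes, usernames and assignments are invented.
_MSG = ("'{u}' failed accessing segment application '{a}'. Authorization for "
        "username '{u}' failed. access denied: request for application access "
        "is not authorized")
APP = "WSS-Segment-App-Name"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z WARN " + _MSG.format(u="alice@idp.example", a=APP),
    "2024-01-01T10:01:00Z WARN " + _MSG.format(u="bob@idp.example", a=APP),
    "2024-01-01T10:02:00Z WARN " + _MSG.format(u="alice@idp.example", a=APP),
    "2024-01-01T10:03:00Z INFO unrelated line",
]
SAMPLE_ASSIGNED = {APP: {"alice@corp.example", "carol@corp.example"}}

if __name__ == "__main__":
    for app, rows in unassigned(denied_by_app(SAMPLE_LOG), SAMPLE_ASSIGNED).items():
        for user, similar in rows:
            print(f"{app}: {user} not assigned; similar entities: {similar or 'none'}")
```

A non-empty "similar entities" list points to the situation in this article: the user exists on the policy under a different name than the one they log in to Cloud SWG with.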

 

Additional Information

WSS Agent Symdiag did show that the requests were coming into Cloud SWG correctly via the tunnel interface.

SAC logs reported errors for the segment application as shown below: