AD Group Validation Problems in Cloud SWG ATM Policy using Auth Connector

Article ID: 371473

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Agent Traffic Manager (ATM) policy does not apply to users when the rule is based on an imported AD group in the Cloud SWG Management Portal

Environment

Access Method:

  • Symantec Enterprise Agent
  • WSS Agent
  • SEP Tunnel Mode

Authentication:

  • Auth Connector

Hybrid Policy:

  • Universal Policy Enforcement (UPE)
  • Agent Traffic Manager (ATM)

Cause

Manually added or imported AD groups referenced in the ATM policy in the Cloud SWG portal are not honored. Membership in the group of interest is validated through the Auth Connector.

If an AD group is used only in the ATM policy and not in the proxy policy, there is a disconnect between the UPE proxy policy, the ATM policy, and the group-of-interest lookup: the group is never added to the list of groups that the Auth Connector is asked to resolve, so the ATM rule never matches.

Resolution


The Cloud SWG proxies only check whether the user belongs to a group listed in the "group.log_order" condition.

The "group.log_order" condition is populated from the rules that reference AD groups. With UPE, the policy compiler populates "group.log_order" only from the groups configured in the Management Center (MC) VPM policy; groups that appear only in the ATM policy are not included. Therefore, a rule (a dummy rule in this case) that references the AD groups used in ATM must be defined in the MC VPM policy.

Create a Web Access Layer rule:

  • Source: AD group object that includes every group used in the ATM policy
  • Destination: example.com
  • Action: Allow

Because the rule is only there to make the groups visible to the compiler, choose a destination that the rule cannot meaningfully affect and check that it does not take precedence over any existing rule for that destination.

This way, the Management Center (MC) pushes the complete Group of Interest (GOI) list to Cloud SWG (WSS). When a request comes from Cloud SWG to the Auth Connector, the Auth Connector queries AD only for the groups of interest, and because the ATM groups are now part of that list, AD returns them as well, so the ATM rule can match.
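The following CPL shows what the dummy rule amounts to once the VPM policy is compiled. It is an added illustration, not content from the article or a rule generated by Management Center, and the layer names, group DNs and the "before" layer are assumptions chosen for the example; the exact group value format depends on the authentication realm, and the article describes configuring the rule through the VPM, not by editing CPL directly.

```cpl
; BEFORE (assumed): the proxy policy references only the groups used for web access.
; The compiler builds group.log_order from these groups alone, so a group that
; appears only in ATM policy (ATM-VPN-Bypass below) is never sent to the
; Auth Connector as a group of interest and the ATM rule never matches.
<Proxy>
    group="CN=Web-Users,OU=Groups,DC=example,DC=com" ALLOW

; AFTER: a dummy Web Access Layer rule that references every group used in ATM.
; Its only purpose is to get these groups into group.log_order; the destination is
; a harmless site and the action is Allow, matching the steps in the Resolution.
define condition ATM_Groups
    group="CN=ATM-VPN-Bypass,OU=Groups,DC=example,DC=com"   ; assumed example group
    group="CN=ATM-Direct-Egress,OU=Groups,DC=example,DC=com" ; assumed example group
end

<Proxy>
    condition=ATM_Groups url.domain=example.com ALLOW
```

After installing the policy, confirm the change took effect by checking that a user in one of the ATM groups is now matched by the ATM rule; if the user is still not matched, verify that the group object in the VPM rule lists exactly the groups referenced in the ATM policy.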