We have set up web hybrid, and the policies for username and is working. However when I set group based policy it doesn't work.
Please help out here.
Would moving this discussion to *Web Gateway* give your discussion better exposure/assistance?
If that is the case,I can move it to that area for you.
If you add the group property to the block page, what does it show? If you see groups, do they match what you have in your rules?
Can you give an example of what you have in your rules? (e.q. "Internet Users" or maybe "mydomain\Internet Users")
we have tried modifying the rule use <domain>\<group name>, \<groupname>, and simply group name, as what we see on the clinet machine using whoami\ groups but no change in the behaviour.
Please let me know how we can check on if the MCP client is sending the required group information to the filtering service.
In my setup, we also saw this issue momentarily but it was because of how the group names are sent by MCP. They're seen just as you would see them if you ran gpresults /z at cmd. So for our domain 'WGL', we had to use WGL\Marketing as the criteria to look for instead of just Marketing. If you look at a Rule Trace and the Properties tab, you'll see how that information is presented to MWG.
The MCP user in our case is ridirecting to cloud web gateway and unfortunately we no rule trace engine utility to run there. however as said we have tried various combinations as we see using whoami command, but no change in the behaviour.
What does it show on the block page though? Were you able to add the groups property so you can see it? You dont need rule tracing if we can do this.
Thanks for the clue. I modified the Block page for the particular policy to show the groups MCP is carrying, copied the groups as it is, and pasted the details in the rule.
Also modified the rule. Earlier the rule was set as if the authentication.group and url.category is inlist then stop rule set, which was then modified as
authentication.group and url.category is not in list then Block.
It worked fortunately. Thanks again.