We're using the McAfee WebGateway 6.8.6 (build 6257).
When a user want to use the Internet (configured with the webgateway a proxy) he get the following message.
ICAP Server Communication Problem
Received an ICAP communication error while talking to an ICAP server, and bypassing on this error is not enabled.
One thing that has been changed since then, is the membership of AD global groups for this user.
When I do a NTLM Authentication test the results are "User groups: 606".
Is it possible that there is a limitation of global groups within the ICAP Proces?
There is not a limit in the number of groups, but in the length a header may have. When the ICAP Client talks to the ICAP Server is sends an X-Authenticated-Groups Header which lists all resolved groups. With 600 groups, this header is most likely too long.
To verify if this is a problem, simply check if you can access with a user that is part of only a handful of groups. If that works, it is likely that you see this issue.
If so, go to Proxies -> HTTP Proxy and increase "Maximum header length".
Thank you for your reply.
I've changed the "Maximum header lenght of 30720 bytes to 60720 bytes"
Now it's working.
What are the consequences with this change?
I think the default of 30720 has a reason?
I agree that the 30720 must have a reason, but actually I am not able to anwer that. For me it looks more like a "we need to set a limit for the length", and something was decided a while ago. While working in support I have spoken to several customers who increased the value without issues.
I cannot think of bad consequences by adjusting this value, at least I have not experienced any so far. I would personally not feel bad when increasing the value. Maybe someone else can add some comments who has similar/different experience.