Hi Knights
I'm seeing an issue with ASG policy that I haven't come across before.
This is an explicit proxy deployment with IWA authentication and category/site-based exceptions. We see that when any policy is saved, any users with active intercepted HTTPS connections are presented with browser authentication popups. Policy traces show that despite the connection being authenticated at the CONNECT command, and intercepted requests prior to the policy update being processed against the authenticated user, following the policy update the requests fail due to authentication required. The proxy does its best to authenticate by sending an HTTP status 401 (can't do a 407 proxy auth within an existing HTTPS tunnel). We can prevent the auth popups with some policy to say "do not authenticate SSL proxy requests", but then we need to blow a hole in our policy as we cannot have any user-based rules applied to HTTPS traffic.
What makes this environment a bit unusual is that we use multi-tenant policy with 'global' and per-tenant policy, maybe that triggers the behaviour.
But, just wanted to know if any other Knights had seen this sort of behaviour before?
Thanks!
Simon