Failed to access the TCP/UDP service via web portal protocol

Document ID : KB000015520
Last Modified Date : 14/02/2018
Introduction:

The access list can be built empirically: start the web portal in the CA PAM Browser with an empty list, then examine the session log for each access attempt that was blocked. A blocked access is logged as follows:

Message 19015: CA PAM denied web portal AWS Management Console SSO's connection to the host amazonwebservices.d2.sc.omtrdc.net because it does not match an entry in the web portal's access list.

Each host that the portal needs (in the above example, "amazonwebservices.d2.sc.omtrdc.net") should be added to the Access List field, one host per line. Add only the hosts the application genuinely needs in order to render and function; leave out any host that poses a security risk, because every entry is a destination the portal session is permitted to reach.

Alternatively, all hosts...

  • for a particular domain may be permitted by entering an asterisk and the domain: *.example.com
  • for all domains may be permitted by entering just an asterisk

NOTE: Neither wildcard form is a secure configuration: "*.example.com" opens every host under that domain, and "*" removes the restriction entirely. They permit rapid activation of a web portal while testing, after which the list should be replaced with the explicit hosts observed in the session log.

Question:

A TCP/UDP service is created using the web portal protocol.

If the policy is defined with an individual user against a device or device group, the user can access the web application. If the policy is instead defined with a user group against a device or device group, web access hangs at "Please wait, logging in...".

Answer:

The following error is logged in the session log, corresponding to the failed attempt:
"Message 19015: Xsuite denied web portal Web Fortinet's connection to host xx.xx.xx.xx because it does not match an entry in the web portal's access list."

The access list of the TCP/UDP service is empty by default. When the policy is defined for an individual user, access is allowed even with an empty access list; when a user group is associated with the policy, PAM enforces the access list, so an empty list denies every host the portal tries to reach and the login page never finishes rendering.

As a best practice, specify the IP address or FQDN of every site that PAM must reach in order to render the web portal pages properly, regardless of how the policy is defined. An explicit list behaves the same for user and user-group policies and does not rely on the empty-list exception.
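As an added example (not CA/Broadcom code and not part of this document), the following Python script carries out the procedure from the Introduction and the best practice above: it extracts the denied hosts from Message 19015 entries in constructed sample session-log lines, emits them as Access List entries, and checks candidate hosts against a list using the three entry forms this page describes (exact host, *.domain, and bare *). The log lines are constructed for the example, the IP 192.0.2.10 is a documentation-range placeholder, and the assumption that *.example.com matches subdomains but not example.com itself is mine, not documented behaviour of PAM.

```python
"""Build and check a CA PAM web portal access list from session-log denials.

Added example, not CA/Broadcom code. Assumptions: the Message 19015 text has
the shape shown on this page; access-list entries are one per line and are
an exact FQDN or IP, "*.domain", or a bare "*"; "*.domain" covers
subdomains only (not the apex domain). PAM's real matcher is not documented
here, so treat entry_matches() as an approximation.
"""
import re
from typing import Iterable, List, Set

# Both phrasings seen on this page are accepted ("to the host X" and "to host X").
DENIED_RE = re.compile(
    r"Message 19015: .*?denied web portal (?P<portal>.+?)'s connection to "
    r"(?:the )?host (?P<host>[A-Za-z0-9.\-]+) because it does not match "
    r"an entry in the web portal's access list"
)

# Constructed sample session-log lines (192.0.2.10 is a placeholder address).
SAMPLE_LOG = [
    "Message 19015: CA PAM denied web portal AWS Management Console SSO's "
    "connection to the host amazonwebservices.d2.sc.omtrdc.net because it "
    "does not match an entry in the web portal's access list.",
    "Message 10001: web portal session opened for user alice",
    "Message 19015: Xsuite denied web portal Web Fortinet's connection to "
    "host 192.0.2.10 because it does not match an entry in the web "
    "portal's access list.",
    "Message 19015: CA PAM denied web portal AWS Management Console SSO's "
    "connection to the host amazonwebservices.d2.sc.omtrdc.net because it "
    "does not match an entry in the web portal's access list.",
]


def denied_hosts(log_lines: Iterable[str]) -> List[str]:
    """Unique hosts PAM refused, in first-seen order: the raw material
    for the Access List field (one host per line)."""
    seen: Set[str] = set()
    hosts: List[str] = []
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            host = m.group("host").lower()
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts


def entry_matches(entry: str, host: str) -> bool:
    """Does one access-list entry permit host? Implements the three entry
    forms the page describes: exact host, "*.domain", bare "*"."""
    entry, host = entry.strip().lower(), host.strip().lower()
    if entry == "*":
        return True
    if entry.startswith("*."):
        # Assumption: subdomains only; "omtrdc.net" itself does not match "*.omtrdc.net".
        return host.endswith(entry[1:])  # entry[1:] is ".omtrdc.net"
    return entry == host


def is_allowed(access_list: Iterable[str], host: str) -> bool:
    """An empty list permits nothing, which is the user-group symptom on this page."""
    return any(entry_matches(e, host) for e in access_list if e.strip())


def audit(access_list: Iterable[str]) -> List[str]:
    """Flag entries that defeat the allow list (the NOTE about wildcards)."""
    warnings: List[str] = []
    for e in access_list:
        e = e.strip()
        if e == "*":
            warnings.append("'*' permits every host; use only for initial testing")
        elif e.startswith("*.") and e.count(".") < 2:
            warnings.append(f"'{e}' covers every host under a top-level domain")
    return warnings


if __name__ == "__main__":
    proposed = denied_hosts(SAMPLE_LOG)
    print("Proposed Access List entries (one per line):")
    print("\n".join(proposed))
    for w in audit(["*"]):
        print("warning:", w)
```

Run it once against the real session log exported from the appliance instead of SAMPLE_LOG, paste the printed hosts into the Access List field, and repeat until no new Message 19015 entries appear; audit() is there to catch a "*" left over from testing.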