No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.

Knowledge Base

Access control is disabled because SACG configure wrong “right-manager server-group active-num” on Secospace TSM

Publication Date:  2012-09-12  |   Views:  893  |   Downloads:  0  |   Author:  l00227919  |   Document ID:  EKB1000014545


Issue Description

An office finishes installation of Secospace TSM, and does the test. Find that client can access to post-authentication domain whether it is authenticated or not authenticated. The access control is disabled.

Alarm Information


Handling Process

1. Checked the status of server by using command “display right-manager server-group”, the result is active. So the cooperation is successful.
2. Checked the configuration, ACL 3099 applied in domain.
3. Checked the dialog table, and found that data go through SACG.
4. Used command “display acl 3099”, and found emergency channel is open. Checked again and found “right-manager server-group active-num 2”, but user had 1 PC, delete this setting, and problem is solved.

Root Cause

1. Failed to cooperation with SACG
2. In post-authentication domain, ACL 3099 didn’t apply.
3. Policy routing is disabled, so user data didn’t go through SACG.


Command “right-manager server-group active-num” is the minimum number of TSM server which connected with USG. When active server is less than this number, SACG would open emergency channel.