Secure Mobile Access 12.4 Administration Guide

Resolving Deny Rule Incompatibilities

In a Permit rule, you can safely mix and match resources and access methods. However, Deny rules containing specific combinations of resources and access methods may prevent subsequent rules from being evaluated. This can inadvertently block user access to resources referenced later in your access policy.

During its policy evaluation, the appliance may in some cases be unable to determine whether a Deny rule matches an incoming connection request. As a security precaution, it stops processing your rule set and blocks user access.

If you attempt to define a Deny rule referencing any of the three combinations described in the following table, AMC displays this warning message:

“Some of the resources in this rule are not supported by the selected access method(s), which could inadvertently deny access to some resources.”

The below table lists the rule combinations that trigger the warning.

Rule Incompatibilities
Rule actionResource typeAccess methods
DenyWindows domain
  • Any

  • Connect and OnDemand

  • WorkPlace

  • Any

  • Connect and OnDemand

DenyFile share
  • Any

  • Connect and OnDemand


Suppose you create a Deny rule blocking access to a Windows domain and you leave Access methods set to Any. A Windows domain is accessible from WorkPlace, so when the appliance receives a connection attempt from WorkPlace, it matches the rule and denies access.

However, if the user makes a connection request from Connect or OnDemand, the appliance is unable to determine whether the Windows domain rule matches the request (regardless of which destination resource is requested). The appliance then stops evaluating any further rules in your policy and immediately denies access. If the Windows domain rule is at the top of your access control rule list, it prevents the user from accessing any VPN resources. And if the next rule in the list is a Permit rule allowing the user to access a VPN resource, it is not evaluated.

Resolving the Problem

To resolve rule incompatibilities, modify the rule so it doesn’t reference indeterminate access methods. In the case of a Windows domain or network share, select Network Explorer as the only access method. For a URL, select only Web browser or Connect Tunnel and/or OnDemand Mapped Mode.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.