Hi,
I have configured a "Web resource" for Citrix and Outlook Web Access. The role that uses these resources has a Source IP address assigned.
On the firewall I pass everything from that source IP address to the OWA and Citrix server.
Nevertheless, this setup is not working; I receive a "Page could not be displayed" error.
I really do not know what I could have done wrong...
Do I also need to configure SAM or something else?
Greets,
Ruud.
Have you done any troubleshooting by doing a policy trace on that user login? Source IP at the realm or role level is something that is checked when a user logs in. You said that you use source IP at the role level. So as an example - if you had a "deny" and did a policy trace you would see the user restricted when they logged in.
Is there anything in the event or user log files? I am assuming that if you turn "off" source IP the user logs in and then can access the page just fine? That behavior is strange as source IP should not affect an individual bookmark access.
Have you done any troubleshooting by doing a policy trace on that user login? Source IP at the realm or role level is something that is checked when a user logs in.
I have done a "User Access Log". I can log in fine. But when I click on the link, I receive the message, "This page cannot be displayed". Nothing is shown in the log. Correct me if I am wrong, but Source IP address is at role level, it can't be defined at realm level. I use several roles for one realm, each with the same Source IP address.
You said that you use source IP at the role level. So as an example - if you had a "deny" and did a policy trace you would see the user restricted when they logged in.
I don't see anything of a deny in the log file, that is the strange part.
Is there anything in the event or user log files? I am assuming that if you turn "off" source IP the user logs in and then can access the page just fine? That behavior is strange as source IP should not affect an individual bookmark access.
When I turn off the source IP, I still have the same problem.
What I found strange is that I don't see any logging in the firewall. I have a bookmark to Outlook Web Access. To reach this bookmark, it needs to pass the firewall with the Internal Source IP as source and the Outlook Web Access server as destination. But I don't see any logging...
Ruud:
#1 - Source IP can be at both the realm and role level.
#2 - You would only see a deny in policy trace if you were to switch out the source IP role to explicitly "deny"
#3 - If the OWA does not work with source IP off it is not your issue
#4 - The SSL Box is a proxy server. You will see all traffic as showing between the SSL box and the source PC. The traffic to/from the OWA server is really running to/from the SSL box and it is then "rewritten" to pass to the end client.
#5 - Do you know if you set up the OWA correctly? I.e., does it work inside your firewall through the SSL box? Perhaps it is an issue with how you pass credentials, etc.
Ruud -
Kevin is recommending that you do a policy trace. This is found under Troubleshooting - User Sessions - Policy Tracing. Turn on checking for web access, for the user ID you will test with and the realm it logs into.
Run your test, and then come back to the Policy Tracing screen and view the log. You'll be able to see if the access passed your web policies.
Ken
I found the solution thanks to your help.
I've done a "Policy Tracing". There I saw that "Selective Rewriting" was used. The strange thing is that only one "Selective Rewriting" policy was defined and it was not assigned to the role for OWA. But somehow the OWA role used it, even though it was not assigned to it.
Nevertheless, I've made a new policy for "Selective Rewriting" and assigned it to the role. Afterwards it worked like it should!
Thanks for the tips and the help. I learned a lot troubleshooting this problem!
Ruud.