I'm trying to tidy up our cache hierarchy, which is all BM3.8-based. At
the moment, we have the parent BM CERN server with access rules which
whitelist certain sites - everything else is blocked by default. The
rule is therefore

Source: All
Destination: <list of URLs>

I want to allow certain staff access to all websites, so at the top of
the list I've added:

Source: <eDir group of users>
Destination: <All>

This works fine if the users are using the parent BM server. However,
any of the unrestricted users using the client cache servers (CERN
clients) still get a 403 forbidden.

I've enabled Access Rules on each client server (previously disabled)
and added in an "allow all" rule, but it still makes no difference.
Looking in the parent servers logs, I can't even see the HTTP request.

Any advice?