ProxySG & Advanced Secure Gateway

 

Hi,

I have to access the webpage "https://emea1.login.cp.thomsonreuters.net" over a ASG.

This connection is timing out in the browser.
In the policy trace I found the http error 503.

In the Proxy ASG overview page there are some counters like Files Blocked, Websites Blocked.
The Files Blocked counter is increasing every time I want to enter the webpage.
In the Websites/Domains blocked circle I see ecactly that this webpage is getting blocked and the counter there is also increasing.

How/where can I configure that the ASG is no longer blocking this webpage?

Thanks & regards
Patryk

Hi, If you want asg no longer block this website bypass from SSL interception, authentication and icap service too and allow that url.

Hi, If you want asg no longer block this website bypass from SSL interception, authentication and icap service too and allow that url.

Hi,

thanks for your answer.
I tried the suggestion from you, but it didn´t help.
Also tried to set the default policy on allow.

I´m curious if this is a problem of the ruleset?
Because in the logs I can see that the policy is allowing this URL.
But in the Dashboard I can still see that the ASG is blocking this URL.

Is there some additional ruleset only for the ASG?

By the way, the Antivirus of the ASG is dissabled.

Regards
Patryk

Hi,

 

If you are using ASG then you need to enable ASnti-Virus Scanning on device in Threat Protection Option inn ASG.

 

If possible can you share scresnhot and policy trace.

Hi,

If you are using ASG then you need to enable Anti-Virus Scanning on device in Threat Protection Option in ASG.

If possible can you share scresnhot and policy trace.

Hi,

I have tested it today with activated malware scanning (I hoppe this is the right one), but it also didn´t helped.

Short version of the policy trace:
start transaction -------------------
transaction ID=5208439 type=http.proxy

        <Proxy>
 MATCH:         ALLOW client.protocol=http condition=__CondList1Safe_Ports

        <Proxy>
 MATCH:         ALLOW condition=!"Platinum policy"

connection: service.name=Explicit HTTP client.address=10.*.*.* proxy.port=8080 client.interface=255:255.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2018-12-04 13:27:08 UTC
CONNECT tcp://emea1.login.cp.thomsonreuters.net:443/
  DNS lookup was unrestricted
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
EXCEPTION(tcp_error): Request could not be handled
  url.category: none@Policy;HVB_whitelist_dst@Local;none@IWF;Business/Economy@Blue Coat;Financial Services@Blue Coat
    total categorization time: 0
    static categorization time: 0
server.response.code: 0
client.response.code: 503
application.name: none
application.operation: none
DSCP client outbound: 65
DSCP server outbound: 65

Transaction timing: total-transaction-time 75081 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 3 elapsed 0 ms
    server-out: start 3 elapsed 116 ms
    client-out-terminated: start 75081 elapsed 0 ms
    access-logging: start 75081 elapsed 0 ms
    stop-transaction: start 75081 elapsed 0 ms
    Total Policy evaluation time: 116 ms
  url_categorization complete time: 3
  client connection: first-response-byte 0 last-response-byte 75081
stop transaction --------------------

 

Attached a screenshot from the ASG dashboard where I can see that the "Websites Blocked" and "Files Blocked" counter increases when I enter the URL.
Also in the "Websites / Domains Blocked" circle, the website is listed in red.

 

Regards
Patryk

Hi,

In policy Trace in can see TCP_Error. It can be issue we upstream device too.

EXCEPTION(tcp_error): Request could not be handled.

Can you share PCAP from proxy with below filter

host thomsonreuters.net 

Also add this policy and test:
<proxy>
url.domain=thomsonreuters.net authenticate (no) detect_protocol (no) response.icap.service (no) ALLOW
 

 

BR

Aboonaim

----------

If you are satisfied with an answer, please click "Accept Solution"

Hi Patryk,

 

                   The policy trace checkpoint timings don’t have a server-in timing which says that the server response was not seen by the proxy. Also the “client-out-terminated: start 75081 elapsed 0 ms” is showing exact 75 seconds which is the TCP handshake timeout. From what I can see in this trace, ASG is sending SYN to the server but no response. You may want to confirm this with a packet capture

Hi Patryk

Are you having a problem accessing the page itself, or are you having issues logging in/using the site once logged in?

I highly doubt that you are having issue connecting to the server itself and are more likley experiencing problems further up the stack.

One area you could look at is the SSL settings on your ASG device. I don know if you have this configured as standard or if you have amended the Cipher Suites but it appears that the site you are connecting to makes use of obsolete ciphers (according to Chrome):

Connection - obsolete connection settings
The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher). 

I would propose you take a look at your configured cipher suites to ensure there is some form of overlap that allows the ASG to communicate with the Origin Content Server. 

As Aravind quite rightly pointed out, now is probably a good time to do a packet capture to verify a full TCP handshake is happening at the very least. A PCAP would also highlight any issues negotiating SSL.

Sean

Hi all,

I found the issue on an internal DNS server.
The DNS server send a wrong IP address to the BC, therefore the BC never recieved an answer.
So the BC never blocked the site.

Thank you all for your help.

Regards
Patryk