ittech
Level 13

HTTPS site with constantly changing IP addresses

The users in our Finance Dept. have recently switched over to Wells Fargo. Their site https://wellsoffice.wellsfargo.com will sometimes display properly and at other times be missing the images from akamai.net (this changes from minute to minute). The Wells Fargo site seems to have rotating IP addresses, going through I don't know how large a pool, that change about every 30 - 60 seconds. Does the web filter cache the IP address of the site, and could this be causing the problem?

Thanks in advance!

11 Replies
McAfee Employee

Re: HTTPS site with constantly changing IP addresses

In the Web Gateway DNS caching does exist (Configuration > Proxies > DNS Settings). BUT there are a couple things to understand about it.

There is a minimum TTL, and a maximum TTL.

-Minimum TTL is the minimum amount of time the Web Gateway will allow a DNS entry to be stored in cache.

Example: WG makes DNS request for akamai.net, DNS server returns response with a TTL of 1 second (meaning don't cache the record).

What WG does: Assuming your minimum TTL is 1 second, it will not cache it. If your minimum TTL is 5 seconds, then the Web Gateway will cache it for 5 seconds.

-Maximum TTL is the maximum amount of time the Web Gateway will allow a DNS entry to be stored in cache.

Example: WG makes DNS request for mcafee.com, DNS server returns response with a TTL of 4500 seconds.

What WG does: Assuming your maximum TTL is 3600 seconds (default), WG would cache it for a maximum of 3600 seconds.

I hope this helps; let me know if you need further clarification. But essentially yes, DNS cache could be a factor if some of your DNS settings were changed.

~Jon

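The minimum/maximum TTL clamping described in the reply above, as an added example (this is illustrative code, not McAfee Web Gateway's implementation). The TTL settings, the three addresses and the 30-second rotation schedule are constructed assumptions; the simulation shows how a cache that holds a record longer than the host keeps an address ends up handing out stale answers, which is the failure the original question describes.

```python
"""Added example: how a forward proxy's DNS cache clamps record TTLs between a
configured minimum and maximum, and what that does to a host whose addresses
rotate faster than the cache lets go of them.  Illustrative code, not
McAfee Web Gateway's implementation; TTL settings, the rotation schedule and
the addresses below are constructed assumptions."""
from dataclasses import dataclass, field


def effective_ttl(record_ttl: int, min_ttl: int, max_ttl: int) -> int:
    """Clamp the server-supplied TTL into [min_ttl, max_ttl], as the two
    settings described in the reply do."""
    if min_ttl > max_ttl:
        raise ValueError("minimum TTL must not exceed maximum TTL")
    return max(min_ttl, min(record_ttl, max_ttl))


@dataclass
class DnsCache:
    min_ttl: int
    max_ttl: int
    # name -> (address, absolute expiry time)
    entries: dict = field(default_factory=dict)

    def resolve(self, name, now, upstream):
        """Return (address, was_cache_hit); re-query upstream once expired."""
        cached = self.entries.get(name)
        if cached is not None and now < cached[1]:
            return cached[0], True
        address, ttl = upstream(name, now)
        expires = now + effective_ttl(ttl, self.min_ttl, self.max_ttl)
        self.entries[name] = (address, expires)
        return address, False


def rotating_upstream(name, now):
    """Constructed authoritative answer: the host cycles through three
    addresses, moving on every 30 seconds, and advertises a 20-second TTL."""
    addresses = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    return addresses[(now // 30) % len(addresses)], 20


def count_stale_lookups(min_ttl, max_ttl, duration=300, step=10):
    """Look the host up every `step` seconds for `duration` seconds and count
    how often the proxy hands back an address the host has already left."""
    cache = DnsCache(min_ttl=min_ttl, max_ttl=max_ttl)
    stale = 0
    for now in range(0, duration, step):
        answer, _hit = cache.resolve("rotating.example", now, rotating_upstream)
        live, _ttl = rotating_upstream("rotating.example", now)
        if answer != live:
            stale += 1
    return stale


if __name__ == "__main__":
    print(effective_ttl(1, 5, 3600))       # 5: short TTL raised to the minimum
    print(effective_ttl(4500, 1, 3600))    # 3600: long TTL capped at the maximum
    print(count_stale_lookups(300, 3600))  # 18 of 30 lookups hit a stale address
    print(count_stale_lookups(1, 5))       # 0: cache never outlives the rotation
```

Lowering the maximum TTL (as the original poster did) only helps when the record's own TTL is the problem; a raised minimum TTL overrides short TTLs from the authoritative server and is the setting most likely to pin a rotating host to one address.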
ittech
Level 13

Re: HTTPS site with constantly changing IP addresses

I did change my DNS TTL. Set the maximum to 5 seconds.

Message was edited by: ittech on 7/29/11 4:27:51 PM EDT
ittech
Level 13

Re: HTTPS site with constantly changing IP addresses

Narrowed it down to this.

Here is the Wells Fargo site:


https://wellsoffice.wellsfargo.com/ceoportal/signon/index.jsp?TYPE=33554433&REALMOID=06-3a718f7c-1c9...

When the user's IP is given full access to the internet, it works 100% of the time.

When the URLs are created as exceptions (*.wellsfargo.com*), it only works some of the time.

There are references to their content server at akamai.net. Here's an example:

https://a248.e.akamai.net/6/248/3583/000/wellsoffice.wellsfargo.com/ceoportal/styles/signon.css.jsp

As you can see from the bold, underlined text *.wellsfargo.com* should take care of this as well, but it doesn't. Even when adding *.akamai.net* to the exceptions, the user is blocked sometimes from the content server.

Any thoughts on this?

McAfee Employee

Re: HTTPS site with constantly changing IP addresses

Well, to assume your entry would match for *.wellsfargo.com* implies that you are using the property "URL" in your rule; if you add *.wellsfargo.com* to a whitelist based on the property "URL.Host", then no, it would not match. Perhaps check the property used in the rule you are whitelisting based on.

~Jon

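The "URL" versus "URL.Host" distinction from the reply above, as an added example that is not Web Gateway code. Shell-style wildcard matching stands in for the product's own matcher (an assumption); the two thread URLs are used as given (the sign-on URL trimmed to its path), and the third URL on an unrelated host is constructed to show why a wildcard over the whole URL is a weaker whitelist than one over the host.

```python
"""Added example (not Web Gateway code): the same wildcard applied to the
whole URL versus to the host name only.  fnmatch-style wildcards stand in for
the product's matcher, which is an assumption; DECOY_URL is constructed."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The two URLs from the thread (sign-on URL trimmed to its path) and a
# constructed third one on an unrelated host whose *path* contains the name.
SIGNON_URL = "https://wellsoffice.wellsfargo.com/ceoportal/signon/index.jsp"
AKAMAI_URL = ("https://a248.e.akamai.net/6/248/3583/000/"
              "wellsoffice.wellsfargo.com/ceoportal/styles/signon.css.jsp")
DECOY_URL = "https://attacker.example/static/wellsoffice.wellsfargo.com/login.js"


def url_matches(pattern: str, url: str) -> bool:
    """Rule on the 'URL' property: wildcard against the complete URL string."""
    return fnmatchcase(url, pattern)


def host_matches(pattern: str, url: str) -> bool:
    """Rule on the 'URL.Host' property: wildcard against the host name only."""
    host = urlsplit(url).hostname or ""
    return fnmatchcase(host, pattern)


def whitelist_decision(patterns, url):
    """Evaluate one whitelist under both properties; True means 'allowed'."""
    return {
        "URL": any(url_matches(p, url) for p in patterns),
        "URL.Host": any(host_matches(p, url) for p in patterns),
    }


if __name__ == "__main__":
    rules = ["*.wellsfargo.com*"]
    for url in (SIGNON_URL, AKAMAI_URL, DECOY_URL):
        print(url, whitelist_decision(rules, url))
```

With only `*.wellsfargo.com*` in the list, the Akamai URL is allowed under "URL" (the bank's host name appears in its path) but not under "URL.Host"; the same path-based match also allows the decoy URL on a completely unrelated host, so a "URL" rule whitelists any site that can put the string into a path or query. Adding `*.akamai.net*` is what makes the host-based rule allow the content server.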
ittech
Level 13

Re: HTTPS site with constantly changing IP addresses

Correct, I'm only using the "URL" property.

jont717
Level 12

Re: HTTPS site with constantly changing IP addresses

You will see a lot of issues like this with HTTPS sites.

What usually is happening is that they are coming through as IP addresses and not URLs.

Adding IPs to the rule sets always solves the problem with HTTPS sites, but for sites that have many IP addresses this causes a big issue and is much harder to correct.

ittech
Level 13

Re: HTTPS site with constantly changing IP addresses

That does cause a problem. I've requested a list or range of IPs from Wells Fargo and I am waiting for a response. Is there a reason why HTTPS sites come through as IPs instead of URLs?

McAfee Employee

Re: HTTPS site with constantly changing IP addresses

If you are using the Web Gateway transparently (like WCCP) and NOT using SSL scanning, then the Web Gateway will not see the request (within the SSL tunnel) that the client is making to the server, so the Web Gateway will only see the IP to start.

There are options in the Web Gateway to allow for whitelisting/blacklisting based on the host/fqdn in a transparent setup. Some of these whitelisting examples can be found within the default SSL scanner ruleset.

~jon

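An added example of the situation the reply above describes, not McAfee code: a transparent proxy that does not intercept TLS sees the destination IP first, and the one piece of the request it can still read in clear text is the Server Name Indication (SNI) the client puts in its ClientHello. The ClientHello bytes are produced by the builder in the block, not captured traffic, and the parser assumes a single, unfragmented TLS record.

```python
"""Added example, not McAfee code: extracting the requested host name from the
unencrypted SNI extension of a TLS ClientHello, which is what lets a
transparent proxy without SSL scanning filter on a host name rather than
only the destination IP.  The ClientHello is constructed by the builder
below; a single unfragmented record is assumed."""
import struct


def build_client_hello(server_name=None, cipher_suites=(0x1301, 0xC02F)):
    """Assemble a minimal TLS 1.2-style ClientHello record, optionally with
    an SNI extension (test fixture, not a real capture)."""
    body = b"\x03\x03" + bytes(32)                  # client_version, random
    body += b"\x00"                                 # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # compression: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # type host_name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name, None if the client sent none, or raise
    ValueError for anything that is not a well-formed single ClientHello so
    the caller falls back to the IP instead of acting on garbage."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(record):
            raise ValueError("truncated ClientHello")
        chunk = record[pos:pos + n]
        pos += n
        return chunk

    content_type, _version, rec_len = struct.unpack("!BHH", take(5))
    if content_type != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a single TLS handshake record")
    hs_type, hs_len = take(1)[0], int.from_bytes(take(3), "big")
    if hs_type != 0x01 or hs_len != len(record) - 9:
        raise ValueError("not a ClientHello")
    take(2 + 32)                                    # client_version, random
    take(take(1)[0])                                # session_id
    take(struct.unpack("!H", take(2))[0])           # cipher_suites
    take(take(1)[0])                                # compression_methods
    if pos == len(record):
        return None                                 # no extensions block
    end = pos + struct.unpack("!H", take(2))[0]
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", take(4))
        data = take(ext_len)
        if ext_type != 0x0000:                      # 0 = server_name
            continue
        if len(data) < 2 or 2 + struct.unpack("!H", data[:2])[0] > len(data):
            raise ValueError("malformed server_name extension")
        list_end, p = 2 + struct.unpack("!H", data[:2])[0], 2
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            if len(name) != name_len:
                raise ValueError("truncated server name")
            if name_type == 0:
                return name.decode("ascii")
            p += 3 + name_len
    return None


def host_hint(record: bytes) -> str:
    """What a non-intercepting transparent proxy can say about a request:
    the SNI name, 'ip-only' when no name was sent, 'invalid' otherwise."""
    try:
        name = extract_sni(record)
    except ValueError:
        return "invalid"
    return name if name is not None else "ip-only"


if __name__ == "__main__":
    print(host_hint(build_client_hello("wellsoffice.wellsfargo.com")))
    print(host_hint(build_client_hello()))         # ip-only
```

The SNI value is supplied by the client and is not authenticated, so a host-name whitelist built on it only tells the proxy what the client claims to want; the server certificate is where the name is actually asserted, which is why a rule that checks the certificate's name against the requested host (such as those in the SSL scanner rule set the reply points to) is the stronger control.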
ittech
Level 13

Re: HTTPS site with constantly changing IP addresses

I only have the "Set Client Context" Rule enabled. Would enabling the "Verify Common Name" set rectify this?
