imtrying
Level 10

How Do I Troubleshoot SSL Scanning Failure

We tried to implement SSL Scanner on the test box today. All went OK. I was able to create the Cert and import it into IE and all was working fine. This AM we tried to run Microsoft Lync via SSL and could not get a connection to the server. We did not receive any errors from the MWG.

Is there a way I can see what was failing to help resolve the issue? If so, where would I find the error?

When I go to a web site and it fails I have written the notice to return the rule that it fails on, but I cannot do that with this application.

Thanks 

0 Kudos
7 Replies
McAfee Employee

Re: How Do I Troubleshoot SSL Scanning Failure

From what I know about Microsoft Lync, it uses the SIP protocol. MWG is not a SIP proxy, so you will most likely want this traffic to be tunneled (not SSL scanned).

Does it work without SSL scanning on?

~Jon

0 Kudos
imtrying
Level 10

Re: How Do I Troubleshoot SSL Scanning Failure

It does not work when I turn on the SSL scanner. Lync tries to fire off a https web site then starts the client. I cannot see what part of the rule set is causing the failure.

Thanks

0 Kudos
McAfee Employee

Re: How Do I Troubleshoot SSL Scanning Failure

It's most likely the content inspection. When Web Gateway opens up the SSL traffic from the Lync client, it sees that it is some protocol it doesn't recognize; therefore, it stops processing it.

If you wanted you could run rule engine trace to look at it further.

Please see link below for a troubleshooting ruleset, you will need to download, extract, and import it using the ruleset library (Policy > Rule Sets > Add > Rule Set from Library... > Import from File).

ftp://ftp.support.securecomputing.com/outgoing/troubleshooting.zip

- Please place this ruleset at the top of your ruleset.
- Add your client IP to the "Rule Engine Tracing List".
- Enable the rule (Enable Rule Engine Tracing for IPs in Rule Engine Tracing List).
- Reproduce the issue.
- Disable the rule (Enable Rule Engine Tracing for IPs in Rule Engine Tracing List).
- You can then find the rule traces under Troubleshooting > Rule Tracing.

~Jon

0 Kudos
imtrying
Level 10

Re: How Do I Troubleshoot SSL Scanning Failure

Jon:

Thanks, it created the .xml files. Now I have a dumb question: how do I view them and use the information? When I use the view button in the GUI, all that gets returned is the code?

- <node string="Request" duration="0" enterTime="1333374463.527" node_type="cycle">

- <node string="Common Rules" duration="0" enterTime="1333374463.527" node_type="rulegroup">

- <node string="Troubleshooting" duration="0" enterTime="1333374463.527"

0 Kudos
McAfee Employee

Re: How Do I Troubleshoot SSL Scanning Failure

I don't expect you to be able to interpret what is in the rule trace. What is the URL that appears at the top of the rule trace?

<trace_info url="https://www.mcafee.com"/>

I will be publishing a primer on looking at rule traces for basic tasks. For this situation, I just want to know the URL (which includes the protocol, etc.).

~jon

0 Kudos
imtrying
Level 10

Re: How Do I Troubleshoot SSL Scanning Failure

<trace_info url="https://access01.ks.gov" />

0 Kudos
McAfee Employee

Re: How Do I Troubleshoot SSL Scanning Failure

Is that it? If so, you should just bypass that from SSL scanning? Have you tried bypassing that from the SSL scanner?

I was thinking there would be something like:

sip://IP-address

Did you only have one file?

~jon

0 Kudos
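
One way to read the rule trace files discussed in this thread, as an added example that is not part of any post and is not McAfee tooling: it pulls the `trace_info` URL and its protocol from each file and prints the nested `node` tree. Only the `trace_info` element and the `node` attributes come from the thread; the `<trace>` root, the nesting and the sample document are assumptions.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: only <trace_info url=.../> and the <node> attributes appear
# in the thread. The <trace> root and the "SSL Scanner" node are assumptions.
SAMPLE_TRACE = """<trace>
  <trace_info url="https://www.mcafee.com"/>
  <node string="Request" duration="0" enterTime="1333374463.527" node_type="cycle">
    <node string="Common Rules" duration="0" enterTime="1333374463.527" node_type="rulegroup">
      <node string="Troubleshooting" duration="0" enterTime="1333374463.527" node_type="rulegroup"/>
    </node>
    <node string="SSL Scanner" duration="2" enterTime="1333374463.530" node_type="rulegroup"/>
  </node>
</trace>"""


def summarize_trace(xml_text):
    """Return (url, scheme, rows); rows are (depth, node_type, name) in document order."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError on a truncated trace
    info = next(root.iter("trace_info"), None)
    url = info.get("url") if info is not None else None
    scheme = urlsplit(url).scheme if url else None
    rows = []

    def walk(elem, depth):
        if elem.tag == "node":
            rows.append((depth, elem.get("node_type", "?"), elem.get("string", "")))
            depth += 1
        for child in elem:
            walk(child, depth)
    walk(root, 0)
    return url, scheme, rows


def main(paths):
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                url, scheme, rows = summarize_trace(fh.read())
        except ET.ParseError as exc:
            print(f"{path}: not well-formed XML ({exc})")
            continue
        print(f"{path}: url={url} scheme={scheme}")
        for depth, node_type, name in rows:
            print(f"  {'  ' * depth}[{node_type}] {name}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Pass every exported trace file as an argument, so that a trace whose URL uses a protocol other than `https` stands out from the rest.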