pnaslund
Level 9

Webmail IBM Lotus iNotes and Reverse Proxy


We have been running iNotes webmail and Microsoft ISA Server Reverse Proxy for a few years now.

I have moved a lot of websites from ISA to MWG, and the Reverse Proxy is functioning well.

When I try to implement iNotes webmail, I get the following error when I click Login:

     HTTP Web Server: Invalid POST Request Exception

How do I troubleshoot?

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Webmail IBM Lotus iNotes and Reverse Proxy


Hi Peter!

In the MWG, there is a checkbox for "send empty plaintext fragments".

This can be found under Policy > Settings > Engines > SSL Scanner > Enable Content Inspection. Uncheck the box for "send empty plaintext fragments".

If you have forward and reverse proxy using the same "Enable Content Inspection" settings, you should create a separate settings container for reverse proxy.

Best,

Jon

0 Kudos
3 Replies
msiemens
Level 9

Re: Webmail IBM Lotus iNotes and Reverse Proxy


This seems to work. Is there any downside to disabling the feature? What does it do?

0 Kudos
McAfee Employee

Re: Webmail IBM Lotus iNotes and Reverse Proxy


Hi Mike!

This feature is used to protect SSL connections from attacks similar to BEAST. See http://www.h-online.com/security/news/item/First-solutions-for-SSL-TLS-vulnerability-1349813.html

For reverse proxy it's not as important for it to be enabled, because MWG is protecting internal servers and MWG is handling all the SSL anyway.

For forward proxy it *is* important to have it enabled, so that MWG will insert the empty plaintext fragments in order to prevent itself from being subject to attacks like BEAST.

If you have a webserver not compatible with this, you can create a separate SSL settings container which doesn't have it enabled. This would be above the last rule in Handle Connect call.

Best,

Jon

0 Kudos
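
A troubleshooting aid for the setting discussed in this thread, added here as an example and not part of the original posts or of any McAfee tooling: it walks the TLS record headers of a captured byte stream and flags application-data records whose size matches an empty plaintext fragment. It assumes a TLS 1.0 CBC suite with HMAC-SHA1 and a 16-byte block cipher; the function names and the sample streams are constructed for illustration.

```python
import struct

APPLICATION_DATA = 23   # TLS ContentType for application data
TLS10 = (3, 1)          # record version for TLS 1.0

def empty_fragment_len(mac_len=20, block=16):
    """Ciphertext size of a zero-byte plaintext under a TLS 1.0 CBC suite:
    MAC plus at least one padding-length byte, rounded up to a full block."""
    return -(-(mac_len + 1) // block) * block

def parse_records(stream):
    """Yield (content_type, version, length) for each TLS record in stream."""
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if off + 5 + length > len(stream):
            raise ValueError(f"truncated record body at offset {off}")
        yield ctype, (major, minor), length
        off += 5 + length

def find_empty_fragments(stream, mac_len=20, block=16):
    """Return indexes of application-data records whose size matches an empty
    plaintext fragment and that are directly followed by another data record.
    Heuristic: a very short real payload pads to the same size."""
    recs = list(parse_records(stream))
    marker = empty_fragment_len(mac_len, block)
    hits = []
    for i, (ctype, version, length) in enumerate(recs[:-1]):
        if (ctype == APPLICATION_DATA and version == TLS10
                and length == marker and recs[i + 1][0] == APPLICATION_DATA):
            hits.append(i)
    return hits

def _record(ctype, length, version=TLS10):
    # Constructed sample data: a valid header followed by filler, not real ciphertext.
    return struct.pack("!BBBH", ctype, *version, length) + bytes(length)

# Constructed streams: handshake record, then a POST sent with and without splitting.
WITH_SPLIT = _record(22, 48) + _record(23, 32) + _record(23, 416) + _record(23, 32) + _record(23, 1024)
NO_SPLIT = _record(22, 48) + _record(23, 416) + _record(23, 1024)

if __name__ == "__main__":
    print("with splitting:", find_empty_fragments(WITH_SPLIT))
    print("without splitting:", find_empty_fragments(NO_SPLIT))
```

Run against the proxy-to-server side of a capture taken before and after changing the setting, the hit list should go from populated to empty if the fragments were what the web server rejected.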