satbir
Level 7

mwg 7.2 URL redirect issue

Hi,

Today I disabled SSL scanner and my URL redirect is not working on HTTPS websites. It's working fine with HTTP websites though. Is SSL decryption important to redirect HTTPS websites? I have also tried to block HTTPS websites with criteria URL = https://www.youtube.com/ but it doesn't block when SSL scanner rule is disabled.

Example of redirect:

criteria:

URL equals http://youtube.com/

or URL equals https://youtube.com/

Action: redirect to http://youtube.com/abcd

When SSL scanner is enabled the rule works fine, but when I disable it redirection does not work for https://youtube.com/

MWG version is 7.2 build 13253

I use this redirect to move users to my company's youtube channel and then I have added youtube uploader rule from ruleset library to allow only authorized uploader of my youtube channel.

Regards,

Satbir

asabban
Level 17

Re: mwg 7.2 URL redirect issue

When you access the HTTPS site, what does the access.log show?

Best,

Andre

satbir
Level 7

Re: mwg 7.2 URL redirect issue

"CONNECT www.youtube.com:443 HTTP/1.1" when SSL is disabled

"GET http://www.youtube.com/abcd HTTP/1.1" when SSL is enabled.

I have tested using URL equals www.youtube.com:443  .....did not work

URL.host matches www.youtrube.com AND URL.port equal 443 .....did not work

Regards,

Satbir

McAfee Employee

Re: mwg 7.2 URL redirect issue

You cannot perform a redirect away from an HTTPS site if the SSL scanner is not enabled. The browser will not like it; you will most likely receive a page cannot be displayed or some other error.

~jon

satbir
Level 7

Re: mwg 7.2 URL redirect issue

Thanks for the reply Jon... I am getting page cannot be displayed error.... so that means if I want to either redirect or block HTTPS websites I must enable SSL Scanner.

What does the SSL Scanner rule do to the request/response for browsers to accept the responses?

Regards,

Satbir

asabban
Level 17

Re: mwg 7.2 URL redirect issue

Hi Satbir,

I believe you will need at least the "Set Client Context" rule. I believe you are in a transparent environment, am I right?

The problem here is that the client wants to set up an SSL connection with the remote server, so it starts the SSL handshake. MWG accepts this. Without SSL Scanner MWG does not have a certificate that it can present to the client, so it sends the 302 as a response to the client's attempt to set up an SSL connection. Clients will reply with a "page cannot be displayed" or "proxy sent a malformed response" message when they receive a plain-text response while trying to set up a secure connection.

With SSL Scanner enabled MWG will send a server certificate signed by the root CA that is set in the "Enable Client Context" event to the browser. Now there is an SSL connection set up and MWG can send a 302 response within the SSL tunnel.

You will not be able to modify SSL websites without SSL Scanner (that's what SSL has been made for!).

I hope this makes sense.

Best,

Andre
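
The failure described in the reply above, reproduced on loopback as an added example (not part of the thread and not MWG code): a hypothetical stand-in gateway answers a TLS ClientHello with a plain-text 302, and the Python TLS client rejects it during the handshake. The function names and the 302 bytes are constructed for illustration.

```python
import socket
import ssl
import threading

# Constructed response, using the redirect target from the question.
PLAIN_302 = (b"HTTP/1.1 302 Found\r\n"
             b"Location: http://youtube.com/abcd\r\n"
             b"Content-Length: 0\r\n\r\n")


def gateway_without_certificate(listener, seen):
    """Hypothetical stand-in for a gateway that has no certificate to
    present: it answers the client's first bytes with a plain-text 302."""
    conn, _ = listener.accept()
    with conn:
        seen.append(conn.recv(65536))  # the client's TLS ClientHello
        conn.sendall(PLAIN_302)


def handshake_against_plain_302(hostname="www.youtube.com"):
    """Return (first bytes the gateway received, error the TLS client raised)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # loopback only, ephemeral port
    listener.listen(1)
    seen = []
    worker = threading.Thread(target=gateway_without_certificate,
                              args=(listener, seen))
    worker.start()

    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # verification is irrelevant here:
    ctx.verify_mode = ssl.CERT_NONE   # the handshake fails before any cert
    error = None
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                pass
    except ssl.SSLError as exc:
        error = exc                   # typically WRONG_VERSION_NUMBER
    worker.join()
    listener.close()
    return seen[0], error


if __name__ == "__main__":
    hello, err = handshake_against_plain_302()
    print("gateway received TLS record type:", hex(hello[0]))
    print("client error:", err)
```

The gateway side receives a handshake record (type 0x16) whose server name extension carries the hostname in clear text, but never an HTTP request line with a path, which is why a full-URL criterion has nothing to match until the connection is decrypted.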

satbir
Level 7

Re: mwg 7.2 URL redirect issue

Thanks Andre! That explains everything!

With Rule Enable Client Context the website redirects.

Regards,
Satbir

asabban
Level 17

Re: mwg 7.2 URL redirect issue

Great. Thanks for letting us know :-)

Best,

Andre
