1577 Views 18 Replies Latest reply: Jul 25, 2013 9:06 PM by rukmalf
rukmalf Apprentice 64 posts since
Jun 11, 2013

Jul 3, 2013 9:37 PM

HTTPS Sites Don't Load Even With SSL Scanner Disabled

Hi,

I have a transparent deployment. I have IP spoofing enabled for HTTP and HTTPS. When IP spoofing is enabled I'm not able to load a single HTTPS site, and they give the following error.

[Screenshot: 10.PNG]

The funny thing is when I disable IP spoofing the sites seem to load perfectly. I need the device between the MWG and the internet to see the client IP, since sites are blocked by the firewall in front of the MWG. Does anyone know why this happens? I'm using most of the default settings.

Thanks in advance.

Regards,
Rukmal Fernando.



Regards
Rukmal
  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    Perhaps the firewall does not allow the client IP out on port 443, which is why it fails. When IP spoofing is off, the firewall sees the traffic as the MWG and allows it.

    Best,

    Jon

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    What's the SR?

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009

    Hello,

    the error message posted above indicates that the client wants HTTPS content, but MWG responds with a plain HTTP response because SSL Scanner is turned off. Even if you do not want to use SSL Scanner to inspect traffic, I recommend always calling a "Set Client Context" action, as this will give MWG a certificate which it can use to provide a correct answer.

    Example:

    - Client requests "https://www.my-forbidden-url.com".
    - MWG sends the URL against the URL Filter Database and detects the page should be blocked.
    - There is no client context, so:
    - MWG cannot return an error page, because it cannot speak HTTPS to the client.
    - Therefore it sends a plain HTTP response.
    - This is not accepted by browsers and will lead to "Page cannot be displayed" or the Firefox error you indicated above.

    If you had an "Enable Client Context" action but do not inspect SSL traffic, MWG will ONLY use its own certificate for block pages - very helpful when something does not work. In this case you can see why MWG has not made a connection to the website... it could be blocked by any filter, or even show a "Bad Gateway" or similar response indicating that MWG is not able to talk to the remote website.

    Best,

    Andre
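Added diagnostic example, not code from this thread, from McAfee or from MWG: a small Python probe that sends a real TLS ClientHello to a host and port and classifies the first bytes that come back. The outcomes map onto the cases discussed above: a TLS record means the gateway has a client context and a block page would render; an HTTP/1.x status line in the clear is the plain-HTTP-on-443 failure Andre describes; a timeout or refusal is what you would see if the firewall in front of the MWG does not let the spoofed client IP out on port 443, as Jon suggests. The "mock gateway" at the end is a constructed loopback server that mimics a gateway without client context; the hostname www.my-forbidden-url.com is taken from the thread and is only used as the SNI value in the ClientHello.

```python
import socket
import ssl
import threading

# Constructed sample replies (not captured from any real gateway): what a
# browser could receive on port 443 in the situations the thread describes.
SAMPLE_TLS_SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x31, 0x02]) + b"\x00" * 48
SAMPLE_PLAINTEXT_BLOCK_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)


def classify_response(first_bytes: bytes) -> str:
    """Classify the first bytes a server sent back after a TLS ClientHello.

    'tls'            - a TLS record (content type 0x16 = handshake, version 3.x);
                       the peer speaks HTTPS, so a block page would render.
    'plaintext-http' - an HTTP/1.x status line in the clear: a proxy answering
                       an HTTPS request with plain HTTP (no client context).
    'closed'         - the peer closed the connection without sending anything.
    'unknown'        - anything else (some other protocol on the port).
    """
    if not first_bytes:
        return "closed"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine ClientHello with ssl's memory BIOs, without any socket."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()  # cannot finish: nothing has been received yet
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()  # the ClientHello record OpenSSL wants to send


def probe(host: str, port: int = 443, server_name: str = "", timeout: float = 5.0) -> str:
    """Send a ClientHello over raw TCP and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(server_name or host))
            return classify_response(sock.recv(1024))
    except socket.timeout:
        return "timeout"  # e.g. a firewall silently dropping port 443
    except ConnectionRefusedError:
        return "refused"


def _serve_plaintext_once(listener: socket.socket) -> None:
    """Constructed stand-in for a gateway without client context: it answers
    the TLS ClientHello with a plain HTTP block page and closes."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)  # consume the ClientHello, do not parse it
        conn.sendall(SAMPLE_PLAINTEXT_BLOCK_PAGE)


def demo_against_mock_gateway() -> str:
    """Run the probe against the loopback mock gateway; returns its classification."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_serve_plaintext_once, args=(listener,), daemon=True)
    worker.start()
    result = probe("127.0.0.1", port, server_name="www.my-forbidden-url.com")
    worker.join(timeout=5)
    listener.close()
    return result


if __name__ == "__main__":
    print("constructed TLS ServerHello  ->", classify_response(SAMPLE_TLS_SERVER_HELLO))
    print("constructed plain block page ->", classify_response(SAMPLE_PLAINTEXT_BLOCK_PAGE))
    print("mock gateway on loopback     ->", demo_against_mock_gateway())
```

Against a real transparent deployment you would run `probe("<blocked-site>", 443)` from a client behind the MWG once with IP spoofing on and once with it off: "plaintext-http" points at the missing client context, while "timeout" or "refused" only with spoofing on points at the firewall rule on port 443.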

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009

    If this is working in one environment and fails in the other, I recommend checking what happens in a rule engine trace and comparing. Probably some property is called on one server and not on the other, or another property is filled with a different value causing other rules to hit. So even if you have two locations and both share the same policy, the results could be different :-)

    Best,

    Andre

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009

    Hello,

     

    the MWG Controlled Release (7.3.x) has a visual rule tracing feature. It also has an import feature... you could install a 7.3 somewhere on a VM and use it as a "Rule Trace Reader" until you have upgraded to the latest version. Apart from that there is no external tool :-(

    Best,

    Andre
