Jul 3, 2013 9:37 PM
I have a transparent deployement. I have IP spoofing enabled for HTTP and HTTPS. when IP spoofing is enabled I'm not able to load a single HTTPS site and they give the following error.
The funny thing is when i disable IP spoofing the sites seem to load perfectly. I need the device between the MWG and the internet to see the client IP since sites are blocked by the firewall in front of the MWG. does anyone know why this happens? I'am using most of the default settings.
Thanks in advance.
Perhaps the firewall does not allow the client IP our on port 443, which is why it fails. When IP spoofing is off, the Firewall sees the traffic as the MWG and allows it.
nope the firewall allows everything haven't blocked anything. the above error page come only when an http error is thrown back. that is according to the TAC. but the thing is there is no rules or any firewall restrictions for the site to be blocked. that is what puzzles me.
The SR is 3-3166357353. The SR was opened to know if I can selectively bypass HTTPS sites from been intercepted (i.e.only use the MWG signed cirtificate for say gmail facebook and let the other sites use their own cirtificates). it seems as if this isn't possible.
anyways at the end the end i just poped the question i have started this forum on and didn't get an explanation on that either .
the error message posted above indicates the the client wants HTTPS content, but MWG responds with a plain HTTP response because SSL Scanner is turned off. Even if you do not want to use SSL Scanner to inspect traffic I recommend to alway call an "Set Client Context" action, as this will give MWG a certificate which it can use to provide a correct answer.
- Client requests "https://www.my-forbidden-url.com".
- MWG sends the URL against URL Filter Database and detects the page should be blocked
- There is no client context, so
- MWG cannot return an error page, because it cannot speak HTTPS to the client
- Therefore it sends a plain HTTP response
- This is not accepted by browsers and will lead to "Page cannot be displayed" or the Firefox error you indicated above.
If you had an "Enable Client Context" action but do not inspect SSL traffic MWG will ONLY use its own certificate for block pages - very helpful when something does not work. In this case you can see why MWG has not made a connection to the website... could be blocked by any filter or even show a "Bad Gateway" or similar response indicating that MWG is not able to talk to the remote website.
The funny thing is I have the same identical setup at 2 places. and only one setup gives the error. other seems to work perfectly. that is what puzzles me.
If this is working at one environment and fails in the other I recommend checking what happens in a rule engine trace and compare. Probably some property is called on one server and not on the other, probably another property is filled with a different value causing other rules to hit. So even if you have two locations and both share the same policy the results could be different :-)
Thank you for the upadate is there away to read the thing some tool sort of thing cos all i see is the xml file which is kind a pain . i wouldn't mind if it was some plain text without all the markers and stuff
the MWG Controlled Release (7.3.x) has a visual rule tracing feature. It also has an import feature... you could install a 7.3 somewhere on a VM and use it as a "Rule Trace Reader" until you upgraded to the latest version. Apart from that there is no external tool :-(