1227 Views 11 Replies Latest reply: Jul 16, 2013 9:49 AM by Jon Scholten
willetzky Newcomer 8 posts since
Jul 11, 2013
Jul 11, 2013 5:12 AM

HTTPs pages

We have our McAfee Web Gateway appliances (7.3.2.1.0) set up for WCCP and they are working fine for all HTTP traffic, but for pages over SSL we get "page cannot be displayed" or "page interrupted". When I try to use openssl through the gateway we get the following error for all sites:

 

4304:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:

 

This looks like the gateway is not replying to the SSL connection from the client. I have looked at the tcpdump traces for GRE packets and we get a RST for IE or FIN for Firefox clients.

 

firefox.PNG

IE.PNG

 

We have the SSL scanner turned on and if we use the box as a direct proxy it all works fine and the SSL scanner is working as it should.

  • jschnell Newcomer 26 posts since
    Jan 21, 2011
    1. Jul 11, 2013 5:39 AM (in response to willetzky)
    Re: HTTPs pages

    Hi,

     

    Can you make connection traces and show them here? The files should be named like HTTP-<number>-C.txt and HTTP-<same number>-S.txt.

     

    Thanks

    Jan

  • jschnell Newcomer 26 posts since
    Jan 21, 2011
    3. Jul 11, 2013 5:52 AM (in response to willetzky)
    Re: HTTPs pages

    Hi,

     

    It seems that the proxy wants to speak HTTP instead of HTTPS on that port! Have you configured a different listener port for HTTP and HTTPS?

     

     

    Bye

    Jan

  • jschnell Newcomer 26 posts since
    Jan 21, 2011
    5. Jul 11, 2013 6:17 AM (in response to willetzky)
    Re: HTTPs pages

    Hi,

     

    Seems to be correct. As you have not provided the HTTP-<number>-S.txt, I assume that it will not be written, correct?

     

    I recognized that the browser does not seem to send an SNI header. Can you verify, on a client computer that will be redirected via WCCP, whether it works if the SNI is there?

     

     

    openssl s_client -connect web.de:443 -servername web.de

     

    Thanks

    Jan

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    7. Jul 11, 2013 10:24 AM (in response to willetzky)
    Re: HTTPs pages

    You haven't by chance been flipping between transparent router mode and WCCP? If so, you will need to reboot, as there are some kernel modules loaded when you go into transparent router mode.

     

    Best,

    jon

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    9. Jul 12, 2013 9:54 AM (in response to willetzky)
    Re: HTTPs pages

    Hi Gareth,

     

    This doesn't make sense with your description of the initial issue. The original problem you brought up was that the MWG wasn't working for HTTPS at all. What happens if you disable all the rules? Does it work then?

     

    Please try this so we can help you better:

    Disable all the rules or put a stop cycle rule in for your IP address at the top of the rules; if HTTPS pages still don't load then I believe you need to restart the appliance.

    If HTTPS pages start loading, does disabling authentication server cause things to load properly?

     

    Best,
    Jon
