4 Replies Latest reply on Oct 8, 2013 12:54 PM by dshock

    Safari User Agent

      All,

       

      I set up a policy to exclude authentication for Safari User Agent, including Macintosh in the wildcard for the User Agent.

       

      No problem with all the HTTP websites.

       

      PROBLEM: All the SSL websites.

       

      In Firefox for Mac I receive an: ssl_error_rx_record_too_long

       

      If I disable the rule and ask for authentication everything works.

       

      Any hint?

        • 1. Re: Safari User Agent

          The error is with WCCP.

           

          If I point straight to the proxy IP address the Safari user agent policy is working fine.

           

          At this point this is only an SSL WCCP issue.

           

          (SSL scanning is disabled so far)

          • 2. Re: Safari User Agent

            Hi -

             

            A couple questions for you:

             

            -Which version of MWG are you using?

            -Explain how you've configured your user-agent rule. (i.e. criteria, action, etc)

             

            Regarding the error you receive: (just a guess based on the info thus far)

            I typically see the error page you receive "In Firefox for Mac I receive an: ssl_error_rx_record_too_long" when Web Gateway sends a block page to an HTTPS request over HTTP. The browser expects an HTTPS response, but Web Gateway sends the block over HTTP. To fix this you must create a rule. This is known as "Setting the client context". You can read more about that topic here.

             

            In short, there is a good chance you're just getting blocked, but because you're not configured to send the block page over HTTPS, your browser cannot understand it. To find out if you're getting blocked:

             

            *In 7.3.2 or greater, rule engine tracing can help. Read more.

            *Access or access denied logs can help. (Troubleshooting > Log Files > User-defined Logs)

            *If it is a block page that is being sent that the client can't load, then you can configure Web Gateway to Set the client context so that Web Gateway sends the block page over HTTPS.
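
The mismatch described in reply 2, as an added example that is not part of the original thread or of Web Gateway: it classifies the first bytes received on a connection the client treats as TLS. Read as a TLS record header, the bytes `HTTP/` declare a 20527-byte record, above the TLS limit of 2^14 + 2048 bytes, which matches the "record too long" error. The function name and both sample byte strings are constructed for illustration.

```python
import struct

# RFC 5246 section 6.2.3: TLSCiphertext.length must not exceed 2^14 + 2048.
MAX_TLS_CIPHERTEXT = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes received on a connection the client treats as TLS."""
    if len(data) < 5:
        return {"kind": "too_short"}
    # A TLS record header is: content type (1 byte), version (2), length (2).
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if data.startswith(b"HTTP/"):
        # Plaintext HTTP on a TLS connection: report the status line and the
        # bogus "record length" a TLS parser would read from the same bytes.
        status_line = data.split(b"\r\n", 1)[0].decode("latin-1")
        return {"kind": "plaintext_http", "status_line": status_line,
                "length_as_tls": length,
                "exceeds_tls_limit": length > MAX_TLS_CIPHERTEXT}
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_TLS_CIPHERTEXT:
        return {"kind": "tls_record", "content_type": TLS_CONTENT_TYPES[ctype],
                "length": length}
    return {"kind": "unknown", "length_as_tls": length}


# Constructed samples: a plaintext block page and the start of a TLS handshake record.
SAMPLE_BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                     b"<html>blocked</html>")
SAMPLE_TLS_RECORD = bytes.fromhex("160303004a020000460303")

if __name__ == "__main__":
    for name, sample in (("block page", SAMPLE_BLOCK_PAGE),
                         ("tls record", SAMPLE_TLS_RECORD)):
        print(name, classify_first_bytes(sample))
```

Feed it the first bytes of the server-to-client stream from a packet capture of the failing HTTPS request; a `plaintext_http` result also exposes the status line of the page the browser could not render.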

            • 3. Re: Safari User Agent

              Thanks for your reply.

               

              Webgateway is configured in WCCP and SSL scanning is disabled on it. We are using the latest 7.3 version.

               

              I already set the client context rule and I solved the issue with the SSL not working (it was not a user agent issue), but randomly I have a sort of HTTPS timeout issue around.

               

              What I mean is that if a user leaves the browser open on an HTTPS page like google.com (it can be minutes or hours, we cannot count) the session then expires and the only way is to close the browser and reopen it. If you try to browse from the same browser page to another SSL page the message is "Internet Explorer cannot find the page". It looks like you are disconnected from the internet.

               

              Then if you browse to an HTTP website it works, and if you try to re-access an SSL website from the same browser session after you browse to an HTTP website it works too.

               

              Thanks again

              • 4. Re: Safari User Agent

                Hi Matteo --

                 

                The details you give seem to indicate the problem is related to authenticating with the authentication server when going to an HTTPS site.

                 

                When your authentication "Session TTL" expires, your client's next request is subject to being redirected to the authentication server for authentication. The Set client context rule should allow for the Web Gateway to send a redirect message to the client over HTTPS, but this seems to fail for you.

                 

                I wasn't able to reproduce the problem you mention. I tested with the following rules enabled:

                 

                -The Set client context rule (used default one that comes with rule set library)

                 

                -Authserver (Time/IP based session) rules from the Rule Set library.

                 

                It would be beneficial to see how you have your rules configured. Could you take a screenshot of the criteria on the rules for both the authserver and set client context rules?

                 

                Additionally, our support team would be able to help out with this in short order if we had your full configuration and you opened a case.

                 

                on 10/8/13 12:54:33 PM CDT