Lindows
asked on
Bluecoat proxy: https site takes a long time to load
Hello
I'm using Bluecoat proxy
Software Version: SGOS 5.3.1.9 Proxy Edition
Model: 210-10
When going through bluecoat proxy, this particular SSL site takes forever to load (10-15 minutes) whereas other https sites load just fine. When not going through bluecoat proxy, that particular site loads fine.
The site is: https://tms-tps-1.c3pki.nit.disa.mil:443/cgi-bin/home/index.cgi
Any suggestions? I didn't see any errors in the log.
Below are my current settings:
Network > DNS > Imputing > added nit.disa.mil
Forwarding > Forwarding Hosts >
alias: tms-tps-1.c3pki
Host: 198.154.68.140
Type: server
Ports: HTTPS 443
Verify SSL Certificate: unchecked
Proxy Settings > SSL Proxy:
Issuer keyring: default
CCL for Client Certificates: <All CA Certificates>
CCL for Server Certificates: browser-trusted
Policy > Policy Files >
View File > Current Policy:
; Installed Policy -- compiled at: Sun, 14 Nov 2010 01:55:08 UTC
; Default proxy policy is ALLOW
That site brings up an "Untrusted Connection" warning when I click on your link. Is that the 'proxy' URL? If so, what is the original URL?
If it's 'nit.disa.mil', Firefox says it can't be found.
I had an issue like this. Create a rule in an SSL Access layer:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "disable certificate validation + disable client certificate validation"
This rule will disable the destination server certificate expiration check, for example.
If that does not solve the problem, add in the SSL Intercept Layer the following rule:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "Disable SSL interception"
This rule will leave the original certificate alone without BC playing the role of "man in the middle".
ASKER
Hello guys,
Dave,
it's the actual url = https://tms-tps-1.c3pki.nit.disa.mil:443/cgi-bin/home/index.cgi
Ellush:
I've tried adding the SSL access layer but it failed when trying to install the policy.
Policy > Visual Policy Manager > Launch > Policy > add access layer:
Source: any
Destination: Server URL: tms-tps-1.c3pki.nit.disa.mil
(also tried Request URL: tms-tps-1.c3pki.nit.disa.mil,
Destination: tms-tps-1.c3pki.nit.disa.mil:80-443 (contains))
Action: Do not require client certificate
When I clicked on install policy, it errored out with:
Policy installation
Compiling new configuration file: Inline configuration
Sun, 14 Nov 2010 22:11:47 UTC
Error: Late condition 'url.domain=//tms-tps-1.c3pki.nit.disa.mil/' guards early action: 'client.certificate.require(no)'
cpl.vpm:13: url.domain="tms-tps-1.c3pki.nit.disa.mil" client.certificate.require(no) trace.request(yes) trace.rules(all) ; Rule 1
There was 1 error and 0 warnings
Any ideas?
Your version is almost the same as mine: you should have the same objects as I mentioned:
"disable certificate validation" and "disable client certificate validation"
These are not the same as you used: "Action: Do not require client certificate"
Also, try to change the destination object to:
"Request URL" type is good, use advanced part (pic 1)
Try to install again - order of the layers is important too - as I understand you did not have an SSL access layer at all?
1.png
ASKER
Ok, I was able to create a rule with "disable certificate validation" and "disable client certificate validation" objects; however, I'm not able to install the policy.
Here are my steps:
Action:
Set > New > Client Certificate Validation > selected "Disable client certificate validation"
Set > New > Server Certificate Validation > selected "Disable Server certificate validation"
Set > New > Combined Action object > added the above two objects and applied this combined object for the Action.
Error Window says:
Messages:
Policy installation
Compiling new configuration file: Inline configuration
Mon, 15 Nov 2010 06:16:08 UTC
Error: Late condition 'url.host.substring=tms-tps-1.c3pki.nit.disa.mil' guards early action: 'client.certificate.validate(no)'
There was 1 error and 0 warnings
Condition Definitions:
define condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"
url.host.substring="tms-tps-1.c3pki.nit.disa.mil"
end condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"
CPL:
;; Tab: [SSL Access Layer (1)]
<SSL>
condition="tms-tps-1.c3pki.nit.disa.mil-Request URL" client.certificate.validate(no) server.certificate.validate(no) ; Rule 1
tps.png
Let's try to disable validation globally:
Change destination to "Any" and try to install
Also I would try to disable IPV6 Lookups:
Open ProxySG GUI --> Configuration --> Policy --> Policy Files --> Policy Files Tab
Choose in "Install Local File From:" = Text Editor, press Install
In the window that opens add the following lines:
<forward>
server_url.dns_lookup(ipv4-only)
Press Install
Retry access
I have a clarifying question too:
Is your internal domain nit.disa.mil ?
You pointed out that in your question:
Network > DNS > Imputing > added nit.disa.mil
If so, why would you want to access your internal site through BC?
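Both install failures above have the same shape: a condition the proxy can only evaluate once the HTTP request has been decrypted (url.domain, url.host.substring) is placed in front of a client-certificate action that the proxy has to decide at TLS handshake time, which is why the compiler calls it a late condition guarding an early action, and why dropping the destination down to "Any" installs cleanly. The Python below is an added example, not ProxySG code and not from anyone in this thread: a small lint that reproduces that check on the CPL fragments quoted in the thread (re-joined where the page had split the words), so the failing rule shape can be spotted before a policy install. It takes "url.* is late" and "client.certificate.require/validate are early" directly from the two error messages; treating server_url.* (the hostname known at connection time, which is what the VPM "Server URL" destination object keys on) as early is an assumption made here, not something the thread confirms.

```python
"""Toy lint for the ProxySG compile error 'Late condition ... guards early action'.

Added example; not Blue Coat code. It reproduces the check on the CPL fragments
quoted in this thread so the failing rule shape can be spotted before installing.
"""
import re

# Condition family the thread's errors show as LATE in an <ssl> layer: the URL is
# only known after the request has been decrypted.
LATE_CONDITION_PREFIXES = ("url.",)
# Actions the thread's errors show as EARLY: decided at TLS handshake time.
EARLY_ACTIONS = {"client.certificate.require", "client.certificate.validate"}

# name=value conditions (quoted or bare) and name(arg) actions.
TOKEN_RE = re.compile(r'([A-Za-z_][\w.]*)(?:=("[^"]*"|\S+)|\(([^)]*)\))')


def tokenize(line):
    """Split one CPL rule line into (kind, name, value) triples; drops ';' comments."""
    items = []
    for m in TOKEN_RE.finditer(line.split(";", 1)[0]):
        name, cond_value, action_arg = m.groups()
        if cond_value is not None:
            items.append(("condition", name, cond_value.strip('"')))
        else:
            items.append(("action", name, action_arg))
    return items


def parse_policy(text):
    """Collect named condition definitions and (layer, tokens) rules from CPL text."""
    defs, rules, current_def, layer = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r'define condition "([^"]+)"', line)
        if m:
            current_def = m.group(1)
            defs[current_def] = []
            continue
        if line.startswith("end condition"):
            current_def = None
            continue
        if line.startswith("<") and line.endswith(">"):
            layer = line[1:-1].lower()
            continue
        items = tokenize(line)
        if current_def is not None:
            defs[current_def].extend((n, v) for k, n, v in items if k == "condition")
        elif layer is not None:
            rules.append((layer, items))
    return defs, rules


def lint(policy_text):
    """Compiler-style messages for <ssl> rules where a late condition guards an early action."""
    defs, rules = parse_policy(policy_text)
    messages = []
    for layer, items in rules:
        if layer != "ssl":
            continue
        conditions = []
        for kind, name, value in items:
            if kind == "condition":
                # condition="X" is a reference to a define condition block
                conditions.extend(defs.get(value, []) if name == "condition" else [(name, value)])
        late = [f"{n}={v}" for n, v in conditions if n.startswith(LATE_CONDITION_PREFIXES)]
        early = [f"{n}({v})" for k, n, v in items if k == "action" and n in EARLY_ACTIONS]
        if late and early:
            messages.append(f"Late condition '{late[0]}' guards early action: '{early[0]}'")
    return messages


# Policy text quoted from the thread: the rule that failed to install ...
FAILING_POLICY = '''
define condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"
url.host.substring="tms-tps-1.c3pki.nit.disa.mil"
end condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"
;; Tab: [SSL Access Layer (1)]
<SSL>
condition="tms-tps-1.c3pki.nit.disa.mil-Request URL" client.certificate.validate(no) server.certificate.validate(no) ; Rule 1
'''

# ... and the destination-"Any" policy that did install.
INSTALLED_POLICY = '''
; Default proxy policy is ALLOW
<ssl>
client.certificate.validate(no) server.certificate.validate(no)
<ssl-intercept>
ssl.forward_proxy(no)
<Forward>
server_url.dns_lookup(ipv4-only)
'''

# Assumption (not from the thread): server_url.* keys on the hostname known at
# connection time, so the lint treats it as early and raises nothing here.
SERVER_URL_POLICY = '''
<ssl>
server_url.domain="tms-tps-1.c3pki.nit.disa.mil" client.certificate.validate(no)
'''

if __name__ == "__main__":
    for label, text in (("failing", FAILING_POLICY), ("installed", INSTALLED_POLICY), ("server_url", SERVER_URL_POLICY)):
        print(label, lint(text) or "ok")
```

Run it as-is and the first policy yields the same message the asker pasted; the other two pass. Anything the lint does not model (layer ordering, the VPM object names) still has to be checked on the box.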
ASKER
I was able to install the policy globally with destination any.
However, the issue is still there so I've also added the SSL intercept rule with destination any and it's still taking a long time to load the page.
So my current policy looks like this:
Policy > Policy Files > Current Policy > View:
; Installed Policy -- compiled at: Mon, 15 Nov 2010 16:07:07 UTC
; Default proxy policy is ALLOW
; Policy Rules
<ssl>
client.certificate.validate(no) server.certificate.validate(no)
<ssl-intercept>
ssl.forward_proxy(no)
<Forward>
server_url.dns_lookup(ipv4-only)
Any other things I should try?
About the domain, I've created the domain in the lab for internal testing at one point but we're using the real one externally now. I've deleted the domain nit.disa.mil from BC just now.
When you eventually access the site, check the certificate.
Do you see your BC in the certificate chain?
If yes,
Please build this - it looks like you have not done that yet:
add in the SSL Intercept Layer the following rule:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "Disable SSL interception"
If that does not help, try to do some troubleshooting :
1. check the access on other WS - to make sure it is a global problem
2. use IEinspector (which can be downloaded as a trial) in stand-alone mode, while accessing the site - it may show where else my WS tries to go using http/https
3. run wireshark - to show any other traffic that may interfere
4. configure tracing for the testing node by adding Web Access layer (rename it Debug) and configure the tracing rule according to the pic
access the tracing file using the following URL: https://"yourbc":8082/policy to see the results
I can help you with reading the debug file
If all of the above does not help you to find the problem, you should check with BC support
They have the tools and the labs to simulate your environment. It could be misconfiguration or a bug in your version.
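The certificate-chain check and troubleshooting steps 2-4 above come down to two questions: which phase of the connection is eating the 15 minutes, and has the proxy's issuer keyring replaced the site certificate. The Python below is an added example (not a Blue Coat tool and not from this thread) that answers both from a workstation: it times the A and AAAA lookups separately (the ipv4-only forwarding rule above only helps if the AAAA path is the slow one; note this measures the workstation's resolver, not the proxy's), then TCP connect, TLS handshake and first response byte, either directly or through the proxy's CONNECT tunnel, and reports the leaf certificate's issuer CN so it can be compared with the proxy's issuer certificate. The proxy address, the PROXY_ISSUER_CNS placeholder and the constructed certificate record are assumptions; substitute the thread's host when running it.

```python
"""Phase-timing and certificate-issuer check for a slow HTTPS site.

Added example for this thread; not a Blue Coat tool. Run from a workstation,
directly and again through the proxy, and compare which phase carries the delay.
"""
import socket
import ssl
import sys
import time

# Placeholder: subject CN(s) of the ProxySG issuer keyring certificate. Replace
# with the real CN of your proxy's issuer certificate before use.
PROXY_ISSUER_CNS = ["PROXYSG-ISSUER-CN-PLACEHOLDER"]

# Constructed record in the shape ssl.SSLSocket.getpeercert() returns; it only
# exercises the pure helpers below and is not a real certificate.
CONSTRUCTED_INTERCEPTED_CERT = {
    "subject": ((("commonName", "site.example"),),),
    "issuer": ((("countryName", "US"),), (("commonName", "PROXYSG-ISSUER-CN-PLACEHOLDER"),)),
}


def issuer_common_name(cert):
    """Issuer CN from a getpeercert()-style dict, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def proxy_in_chain(cert, proxy_cns=PROXY_ISSUER_CNS):
    """True when the leaf was issued by the proxy, i.e. SSL interception is on for this site."""
    cn = issuer_common_name(cert)
    return cn is not None and cn in set(proxy_cns)


def slowest_phase(phases):
    """Name of the longest phase: points at DNS, TCP, TLS or the server itself."""
    return max(phases, key=phases.get)


def resolve_timings(host):
    """Time A and AAAA lookups separately (from this host, not from the proxy)."""
    out = {}
    for label, family in (("A", socket.AF_INET), ("AAAA", socket.AF_INET6)):
        start = time.monotonic()
        try:
            addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, family)})
            err = None
        except socket.gaierror as exc:
            addrs, err = [], str(exc)
        out[label] = {"seconds": time.monotonic() - start, "addresses": addrs, "error": err}
    return out


def _open_tcp(host, port, proxy, timeout):
    """TCP socket to host:port, tunnelled with HTTP CONNECT when proxy=(host, port) is given."""
    if proxy is None:
        return socket.create_connection((host, port), timeout=timeout)
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    status = reply.split(b"\r\n", 1)[0]
    if b" 200" not in status:
        raise ConnectionError("proxy refused CONNECT: " + status.decode(errors="replace"))
    return sock


def time_https(host, path="/", port=443, proxy=None, timeout=900.0):
    """Time TCP connect, TLS handshake and first response byte for one GET.

    Verification stays ON: a certificate minted by the proxy's issuer keyring that
    the workstation does not trust surfaces as verify_error instead of a chain.
    """
    phases = {}
    start = time.monotonic()
    raw = _open_tcp(host, port, proxy, timeout)
    phases["tcp_connect"] = time.monotonic() - start
    ctx = ssl.create_default_context()
    start = time.monotonic()
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLCertVerificationError as exc:
        raw.close()
        return {"phases": phases, "verify_error": str(exc), "issuer": None}
    phases["tls_handshake"] = time.monotonic() - start
    cert = tls.getpeercert()
    start = time.monotonic()
    tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    first = tls.recv(4096)
    phases["first_byte"] = time.monotonic() - start
    tls.close()
    return {
        "phases": phases,
        "status_line": first.split(b"\r\n", 1)[0].decode(errors="replace"),
        "issuer": issuer_common_name(cert),
        "proxy_in_chain": proxy_in_chain(cert),
    }


if __name__ == "__main__":
    # usage: python slow_https.py <host> [<path>] [proxyhost:port]
    host = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else "/"
    proxy = None
    if len(sys.argv) > 3:
        phost, pport = sys.argv[3].rsplit(":", 1)
        proxy = (phost, int(pport))
    print("dns:", resolve_timings(host))
    result = time_https(host, path, proxy=proxy)
    print(result)
    if result["phases"]:
        print("slowest phase:", slowest_phase(result["phases"]))
```

Run it once without the proxy argument and once with it; if the direct run is fast and the proxied run spends its time in first_byte, the delay is between the proxy and the server (forwarding, DNS on the proxy, or the server's own client-certificate handling), whereas a slow tls_handshake through the proxy points at the interception or validation rules discussed above.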
ASKER
Thanks for all your help btw.
I do not see the BC in the certificate chain but I went ahead and created the rule to disable SSL interception for that destination.
For 2 and 3, I'll do tomorrow and let you know the results.
For 1, yes it's global.
For 4, I'm attaching the results.
Can you try going to the site https://tms-tps-1.c3pki.nit.disa.mil/cgi-bin/home/index.cgi through your BC from your end to see if it also takes a long time to load the page? It takes me a good 15 minutes to load the page through my BC.
I'm just curious.
matrix.txt
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
Thanks
ASKER
Although I found the solution, Ellush helped out so I'm awarding the points.