Solved

Bluecoast proxy https site takes a long time to load

Posted on 2010-11-13
Last Modified: 2012-05-10
Hello

I'm using Bluecoat proxy
Software Version: SGOS 5.3.1.9 Proxy Edition
Model: 210-10

When going through bluecoat proxy, this particular SSL site takes forever to load (10-15 minutes) whereas other https sites load just fine.  When not going through bluecoat proxy, that particular site loads fine.

The site is: https://tms-tps-1.c3pki.nit.disa.mil:443/cgi-bin/home/index.cgi

Any suggestions?  I didn't see any errors in the log.

Below are my current settings:
Network > DNS > Imputing > added nit.disa.mil

Forwarding > Forwarding Hosts >
alias: tms-tps-1.c3pki
Host: 198.154.68.140
Type: server
Ports: HTTPS 443
Verify SSL Certificate: unchecked


Proxy Settings > SSL Proxy:
Issuer keyring: default
CCL for Client Certificates: <All CA Certificates>
CCL for Server Certificates: browser-trusted


Policy > Policy Files >
View File > Current Policy:
; Installed Policy -- compiled at: Sun, 14 Nov 2010 01:55:08 UTC
;     Default proxy policy is ALLOW
Question by:Lindows

16 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 34129584
That site brings up an "Untrusted Connection" warning when I click on your link.  Is that the 'proxy' URL?  If so, what is the original URL?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 34129585
If it's 'nit.disa.mil', Firefox says it can't be found.
0
 
LVL 2

Expert Comment

by:Ellush
ID: 34130472
I had an issue like this. Create a rule in an SSL access layer:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "disable certificate validation + disable client certificate validation"
This rule will disable the destination server certificate expiration check, for example.

If that does not solve the problem, add in the SSL Intercept Layer the following rule:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "Disable SSL interception"
This rule will leave the original certificate alone, without BC playing the role of "man in the middle".
0
 

Author Comment

by:Lindows
ID: 34132540
Hello guys,

Dave,
it's the actual url =  https://tms-tps-1.c3pki.nit.disa.mil:443/cgi-bin/home/index.cgi

Ellush:
I've tried adding the SSL access layer but it failed when trying to install the policy.

Policy > Visual Policy Manager > Launch > Policy > add access layer:
Source: any
Destination: Server URL: tms-tps-1.c3pki.nit.disa.mil
(also tried Request URL: tms-tps-1.c3pki.nit.disa.mil,
 Destination: tms-tps-1.c3pki.nit.disa.mil:80-443(contains))
Action: Do not require client certificate


When I clicked on install policy, it errored out with:
Policy installation
Compiling new configuration file: Inline configuration
Sun, 14 Nov 2010 22:11:47 UTC
Error: Late condition 'url.domain=//tms-tps-1.c3pki.nit.disa.mil/' guards early action: 'client.certificate.require(no)'
cpl.vpm:13:       url.domain="tms-tps-1.c3pki.nit.disa.mil" client.certificate.require(no) trace.request(yes) trace.rules(all)      ; Rule 1

There was 1 error and 0 warnings

Any ideas?





0
 
LVL 2

Expert Comment

by:Ellush
ID: 34133651
Your version is almost the same as mine: you should have the same objects as I mentioned:
"disable certificate validation" and "disable client certificate validation"
These are not the same as the one you used: "Action: Do not require client certificate"
Also, try to change the destination object to:
"Request URL" type is good, use the advanced part (pic 1)
Try to install again - the order of the layers is important too - as I understand it, you did not have an SSL access layer at all?
1.png
0
 

Author Comment

by:Lindows
ID: 34133938
Ok, I was able to create a rule with the "disable certificate validation" and "disable client certificate validation" objects; however, I'm not able to install the policy.

Here are my steps:
Action:
Set > New >  Client Certificate Validation > selected "Disable client certificate validation"
Set > New > Server Certificate Validation > selected "Disable Server certificate validation"
Set > New > Combined Action object > added the above two objects and applied this combined object for the Action.

Error Window says:
Messages:
Policy installation
Compiling new configuration file: Inline configuration
Mon, 15 Nov 2010 06:16:08 UTC
Error: Late condition 'url.host.substring=tms-tps-1.c3pki.nit.disa.mil' guards early action: 'client.certificate.validate(no)'


There was 1 error and 0 warnings

Condition Definitions:
define condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"
      url.host.substring="tms-tps-1.c3pki.nit.disa.mil"
end condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"

CPL:
;; Tab: [SSL Access Layer (1)]
<SSL>
      condition="tms-tps-1.c3pki.nit.disa.mil-Request URL" client.certificate.validate(no)      server.certificate.validate(no)            ; Rule 1
        
tps.png
0
 
LVL 2

Expert Comment

by:Ellush
ID: 34134154
Let's try to disable validation globally.
Change the destination to "Any" and try to install.
0
 
LVL 2

Expert Comment

by:Ellush
ID: 34134184
Also I would try to disable IPv6 lookups:
Open ProxySG GUI --> Configuration --> Policy --> Policy Files --> Policy Files Tab
Choose in "Install Local File From:" = Text Editor, press Install
In the window that opens add the following lines:
<forward>
server_url.dns_lookup(ipv4-only)
Press Install
Retry access

I have a clarifying question too:
Is your internal domain nit.disa.mil ?
You pointed out that in your question:
Network > DNS > Imputing > added nit.disa.mil
If so, why would you want to access your internal site through BC?

0

Author Comment

by:Lindows
ID: 34137362
I was able to install the policy globally with destination any.
However, the issue is still there so I've also added the SSL intercept rule with destination any and it's still taking a long time to load the page.

So my current policy looks like this:
Policy > Policy Files > Current Policy > View:

; Installed Policy -- compiled at: Mon, 15 Nov 2010 16:07:07 UTC
;     Default proxy policy is ALLOW

; Policy Rules
<ssl>
    client.certificate.validate(no) server.certificate.validate(no)

<ssl-intercept>
    ssl.forward_proxy(no)

<Forward>
    server_url.dns_lookup(ipv4-only)


Any other things I should try?

About the domain, I've created the domain in the lab for internal testing at one point but we're using the real one externally now.  I've deleted the domain nit.disa.mil from BC just now.
0
 
LVL 2

Expert Comment

by:Ellush
ID: 34138087
When you eventually access the site, check the certificate.
Do you see your BC in the certificate chain?
If yes,
please build this - it looks like you have not done that yet:
add in the SSL Intercept Layer the following rule:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "Disable SSL interception"

If that does not help, try to do some troubleshooting:
1. check the access on other WS - to make sure it is a global problem
2. use IEinspector (which can be downloaded as a trial) in stand-alone mode while accessing the site - it may show where else my WS tries to go using http/https
3. run wireshark - to show any other traffic that may interfere
4. configure tracing for the testing node by adding a Web Access layer (rename it Debug) and configure the tracing rule according to the pic

debug layer
Access the tracing file using the following URL: https://"yourbc":8082/policy to see the results
I can help you with reading the debug file.
If all of the above does not help you to find the problem, you should check with BC support.
They have the tools and the labs to simulate your environment. It could be a misconfiguration or a bug in your version.
0
 

Author Comment

by:Lindows
ID: 34142891
Thanks for all your help btw.

I do not see the BC in the certificate chain but I went ahead and created the rule to disable SSL interception for that destination.
For 2 and 3, I'll do tomorrow and let you know the results.
For 1, yes it's global.
For 4, I'm attaching the results.

Can you try going to the site https://tms-tps-1.c3pki.nit.disa.mil/cgi-bin/home/index.cgi through your BC from your end to see if it also takes a long time to load the page?  It takes me a good 15 minutes to load the page through my BC.

I'm just curious.

 matrix.txt
0
 
LVL 2

Assisted Solution

by:Ellush
Ellush earned 500 total points
ID: 34143085
I can access your site  - no problem at all
Takes 2 seconds
0
 

Accepted Solution

by:Lindows
Lindows earned 0 total points
ID: 34181266
I disabled RFC 1323 and it fixed the slowness.
https://kb.bluecoat.com/index?page=content&id=KB3754&actp=RSS

Thanks for your help!
0
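The accepted fix turns off RFC 1323 (TCP window scaling and timestamps) on the ProxySG. Before disabling it globally, a practitioner would want to confirm from a capture whether those options were actually negotiated on the slow connection; the parser below is an added example, not part of this thread or of SGOS, and the SYN/SYN-ACK option bytes it inspects are constructed samples.

```python
# TCP option parser to check whether RFC 1323 options (window scale, timestamps)
# were really negotiated. Added example, not from the thread; sample bytes are
# constructed. Option kinds: RFC 793 (EOL, NOP, MSS), RFC 1323 (WSCALE,
# TIMESTAMP), RFC 2018 (SACK-permitted).
EOL, NOP, MSS, WSCALE, SACK_PERM, TIMESTAMP = 0, 1, 2, 3, 4, 8

def parse_tcp_options(raw: bytes) -> dict:
    """Return {kind: payload bytes} for the options field of a TCP header."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                      # end of option list
            break
        if kind == NOP:                      # single-byte padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts

def rfc1323_status(syn_opts: bytes, synack_opts: bytes) -> dict:
    """Window scaling and timestamps apply only when BOTH the SYN and the
    SYN-ACK carry the option (RFC 1323). If a middlebox strips it from one
    side, the receive window stays unscaled (at most 65535 bytes)."""
    s, a = parse_tcp_options(syn_opts), parse_tcp_options(synack_opts)
    c_ws, s_ws = s.get(WSCALE), a.get(WSCALE)
    return {
        "wscale_negotiated": c_ws is not None and s_ws is not None,
        "client_shift": c_ws[0] if c_ws else None,
        "server_shift": s_ws[0] if s_ws else None,
        "timestamps_negotiated": TIMESTAMP in s and TIMESTAMP in a,
        "sack_negotiated": SACK_PERM in s and SACK_PERM in a,
    }

def effective_window(raw_window: int, status: dict) -> int:
    # Window the peer really offers: scaled only if negotiation succeeded
    shift = status["server_shift"] if status["wscale_negotiated"] else 0
    return raw_window << shift

# Constructed handshakes: MSS 1460, SACK-permitted, timestamps, NOP pad, wscale
CLIENT_SYN = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
SERVER_SYNACK_OK = bytes.fromhex("020405b4" "0402" "080a0000002a00000001" "01" "030308")
# Same SYN-ACK after a middlebox overwrote the window-scale option with NOPs
SERVER_SYNACK_STRIPPED = bytes.fromhex("020405b4" "0402" "080a0000002a00000001" "01" "010101")
```

Feed it the option bytes of the SYN and SYN-ACK from a capture of the slow session: if the window scale is missing on one side only, a device in the path is altering the handshake, which is the kind of behaviour that turning RFC 1323 off on the proxy works around.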
 

Author Comment

by:Lindows
ID: 34181918
.
0
 
LVL 2

Expert Comment

by:Ellush
ID: 34182222
Thanks
0
 

Author Closing Comment

by:Lindows
ID: 34211379
Although I found the solution, Ellush helped out so I'm awarding the points.
0
