  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2883
  • Last Modified:

Bluecoast proxy https site takes a long time to load

Hello

I'm using Bluecoat proxy
Software Version: SGOS 5.3.1.9 Proxy Edition
Model: 210-10

When going through bluecoat proxy, this particular SSL site takes forever to load (10-15 minutes) whereas other https sites load just fine.  When not going through bluecoat proxy, that particular site loads fine.

The site is: https://tms-tps-1.c3pki.nit.disa.mil:443/cgi-bin/home/index.cgi

Any suggestions?  I didn't see any errors in the log.

Below are my current settings:
Network > DNS > Imputing > added nit.disa.mil

Forwarding > Forwarding Hosts > 
alias: tms-tps-1.c3pki
Host: 198.154.68.140
Type: server
Ports: HTTPS 443
Verify SSL Certificate: unchecked


Proxy Settings > SSL Proxy:
Issuer keyring: default
CCL for Client Certificates: <All CA Certificates>
CCL for Server Certificates: browser-trusted


Policy > Policy Files >
View File > Current Policy:
; Installed Policy -- compiled at: Sun, 14 Nov 2010 01:55:08 UTC
;     Default proxy policy is ALLOW
Asked by: Lindows

2 Solutions
 
Dave Baldwin (Fixer of Problems) commented:
That site brings up an "Untrusted Connection" warning when I click on your link.  Is that the 'proxy' URL?  If so, what is the original URL?
0
 
Dave Baldwin (Fixer of Problems) commented:
If it's 'nit.disa.mil', Firefox says it can't be found.
0
 
Ellush commented:
I had an issue like this. Create a rule in an SSL access layer:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "disable certificate validation + disable client certificate validation"
This rule will disable the destination server certificate expiration check, for example.

If that does not solve the problem, add in the SSL Intercept Layer the following rule:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "Disable SSL interception"
This rule will leave the original certificate alone without BC playing the role of "man in the middle".
0
 
Lindows (Author) commented:
Hello guys,

Dave,
it's the actual url =  https://tms-tps-1.c3pki.nit.disa.mil:443/cgi-bin/home/index.cgi

Ellush:
I've tried adding the SSL access layer but it failed when trying to install the policy.

Policy > Visual Policy Manager > Launch > Policy > add access layer:
Source: any
Destination: Server URL: tms-tps-1.c3pki.nit.disa.mil
(also tried Request URL: tms-tps-1.c3pki.nit.disa.mil,
 Destination: tms-tps-1.c3pki.nit.disa.mil:80-443(contains))
Action: Do not require client certificate


When I clicked on install policy, it errored out with:
Policy installation
Compiling new configuration file: Inline configuration
Sun, 14 Nov 2010 22:11:47 UTC
Error: Late condition 'url.domain=//tms-tps-1.c3pki.nit.disa.mil/' guards early action: 'client.certificate.require(no)'
cpl.vpm:13:       url.domain="tms-tps-1.c3pki.nit.disa.mil" client.certificate.require(no) trace.request(yes) trace.rules(all)      ; Rule 1

There was 1 error and 0 warnings

Any ideas?





0
 
Ellush commented:
Your version is almost the same as mine: you should have the same objects as I mentioned:
"disable certificate validation" and "disable client certificate validation"
These are not the same as the one you used: "Action: Do not require client certificate"
Also, try to change the destination object to:
"Request URL" type is good, use the advanced part (pic 1)
Try to install again - the order of the layers is important too - as I understand it, you did not have an SSL access layer at all?
[attachment: 1.png]
0
 
Lindows (Author) commented:
Ok, I was able to create a rule with "disable certificate validation" and "disable client certificate validation" objects; however, I'm not able to install the policy.

Here are my steps:
Action:
Set > New >  Client Certificate Validation > selected "Disable client certificate validation"
Set > New > Server Certificate Validation > selected "Disable Server certificate validation"
Set > New > Combined Action object > added the above two objects and applied this combined object for the Action.

Error Window says:
Messages:
Policy installation
Compiling new configuration file: Inline configuration
Mon, 15 Nov 2010 06:16:08 UTC
Error: Late condition 'url.host.substring=tms-tps-1.c3pki.nit.disa.mil' guards early action: 'client.certificate.validate(no)'


There was 1 error and 0 warnings

Condition Definitions:
define condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"
      url.host.substring="tms-tps-1.c3pki.nit.disa.mil"
end condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"

CPL:
;; Tab: [SSL Access Layer (1)]
<SSL>
      condition="tms-tps-1.c3pki.nit.disa.mil-Request URL" client.certificate.validate(no)      server.certificate.validate(no)            ; Rule 1
        
[attachment: tps.png]
0
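An added example, not from the thread and not Blue Coat's code: a small Python lint that reproduces the compiler's objection offline, so a rule can be checked before clicking Install. The late-condition and early-action sets are an assumption reconstructed only from the two error messages in this thread, and SAMPLE_CPL is constructed from the CPL Lindows pasted.

```python
# Added example, not Blue Coat's or the thread's code: an offline lint for the
# SGOS policy-compile error "Late condition ... guards early action".
# ASSUMPTION: the two sets below come only from the two errors quoted in this
# thread; they are not the full SGOS condition/action timing table.
import re
LATE_CONDITIONS = {"url.domain", "url.host", "url.host.substring"}
EARLY_ACTIONS = {"client.certificate.require", "client.certificate.validate"}
TOKEN = re.compile(r'([\w.]+)(?:=("[^"]*"|[^\s;]+)|\(([^)]*)\))')  # name=value: condition, name(args): action
# Constructed sample: the VPM-generated rule quoted in the thread (rejected),
# then the destination-"Any" rewrite that installed.
SAMPLE_CPL = '''define condition "site-Request URL"
      url.host.substring="tms-tps-1.c3pki.nit.disa.mil"
end condition "site-Request URL"
<SSL>
      condition="site-Request URL" client.certificate.validate(no) server.certificate.validate(no) ; Rule 1
      client.certificate.validate(no) server.certificate.validate(no) ; Rule 2
'''

def split_tokens(line):
    """Return ([(condition, value)], [(action, arg)]) for one CPL line."""
    conds, acts = [], []
    for m in TOKEN.finditer(line.split(";", 1)[0]):   # drop '; Rule n' comment
        name, value, arg = m.groups()
        if arg is None:
            conds.append((name, value.strip('"')))
        else:
            acts.append((name, arg))
    return conds, acts

def lint_cpl(text):
    """Return [(line_no, condition, action)] pairs the compiler would reject."""
    named, current, findings = {}, None, []     # named: condition object -> tests
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        m = re.match(r'define condition "([^"]+)"', line)
        if m:
            current = m.group(1)
            named[current] = []
        elif line.startswith("end condition"):
            current = None
        elif current is not None:               # inside a definition: collect
            named[current] += [n for n, _ in split_tokens(line)[0]]
        else:
            conds, acts = split_tokens(line)
            # VPM emits the destination object as condition="..."; expand it to its url.* tests
            names = [n for c, v in conds
                     for n in (named.get(v, []) if c == "condition" else [c])]
            findings += [(no, c, a) for c in names if c in LATE_CONDITIONS
                         for a, _ in acts if a in EARLY_ACTIONS]
    return findings
```

Run against SAMPLE_CPL it reports (5, 'url.host.substring', 'client.certificate.validate') for Rule 1 and nothing for Rule 2, which is why the destination-"Any" rule installs while the Request URL one does not.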
 
Ellush commented:
Let's try to disable validation globally.
Change destination to "Any" and try to install
0
 
Ellush commented:
Also I would try to disable IPv6 lookups:
Open ProxySG GUI -->Configuration-->Policy-->Policy Files-->PolicyFiles Tab
Choose in "Install Local File From:" =Text Editor, Press Install
In the window that opens add the following lines:
<forward>
server_url.dns_lookup(ipv4-only)
Press Install
Retry access

I have a clarifying question too:
Is your internal domain nit.disa.mil ?
You pointed out that in your question:
Network > DNS > Imputing > added nit.disa.mil
If so, why would you want to access your internal site through BC?

0
 
Lindows (Author) commented:
I was able to install the policy globally with destination any.
However, the issue is still there so I've also added the SSL intercept rule with destination any and it's still taking a long time to load the page.

So my current policy looks like this:
Policy > Policy Files > Current Policy > View:

; Installed Policy -- compiled at: Mon, 15 Nov 2010 16:07:07 UTC
;     Default proxy policy is ALLOW

; Policy Rules
<ssl>
    client.certificate.validate(no) server.certificate.validate(no)

<ssl-intercept>
    ssl.forward_proxy(no)

<Forward>
    server_url.dns_lookup(ipv4-only)


Any other things I should try?

About the domain, I've created the domain in the lab for internal testing at one point but we're using the real one externally now.  I've deleted the domain nit.disa.mil from BC just now.
0
 
Ellush commented:
When you eventually access the site, check the certificate.
Do you see your BC in the certificate chain?
If yes,
Please build this  - it looks like you have not done that yet:
add in SSL Intercept Layer the following rule :
Source"Any"-->Destination"yoursite"-->Service "Any" --> Action "Disable SSL interception"

If that does not help, try to do some troubleshooting :
1. check the access on other WS  - to make sure it is a global problem
2. use IEinspector (which can be downloaded as a trial) in stand-alone mode, while accessing the site - it may show where else my WS tries to go using http/https
3. run wireshark   - to show any other traffic  that may interfere
4. configure tracing for the testing node by adding Web Access layer (rename it Debug) and configure the tracing rule according to the pic

[attachment: debug layer]
Access the tracing file using the following URL: https://"yourbc":8082/policy to see the results
I can help you with reading the debug file
If all of the above does not help you to find the problem, you should check with BC support
They have the tools and the labs to simulate your environment. It could be a misconfiguration or a bug in your version.
0
 
Lindows (Author) commented:
Thanks for all your help btw.

I do not see the BC in the certificate chain but I went ahead and created the rule to disable SSL interception for that destination.
For 2 and 3, I'll do tomorrow and let you know the results.
For 1, yes it's global.
For 4, I'm attaching the results.

Can you try going to the site https://tms-tps-1.c3pki.nit.disa.mil/cgi-bin/home/index.cgi through your BC from your end to see if it also takes a long time to load the page?  It takes me a good 15 minutes to load the page through my BC.

I'm just curious.

[attachment: matrix.txt]
0
 
Ellush commented:
I can access your site  - no problem at all
Takes 2 seconds
0
 
Lindows (Author) commented:
I disabled RFC 1323 and it fixed the slowness.
https://kb.bluecoat.com/index?page=content&id=KB3754&actp=RSS

Thanks for your help!
0
 
Ellush commented:
Thanks
0
 
Lindows (Author) commented:
Although I found the solution, Ellush helped out so I'm awarding the points.
0