Lindows asked:
Bluecoat proxy: https site takes a long time to load

Hello

I'm using a Bluecoat proxy:
Software Version: SGOS 5.3.1.9 Proxy Edition
Model: 210-10

When going through the Bluecoat proxy, this particular SSL site takes forever to load (10-15 minutes), whereas other HTTPS sites load just fine. When not going through the Bluecoat proxy, that particular site loads fine.

The site is: https://tms-tps-1.c3pki.nit.disa.mil:443/cgi-bin/home/index.cgi

Any suggestions?  I didn't see any errors in the log.

Below are my current settings:
Network > DNS > Imputing > added nit.disa.mil

Forwarding > Forwarding Hosts > 
alias: tms-tps-1.c3pki
Host: 198.154.68.140
Type: server
Ports: HTTPS 443
Verify SSL Certificate: unchecked


Proxy Settings > SSL Proxy:
Issuer keyring: default
CCL for Client Certificates: <All CA Certificates>
CCL for Server Certificates: browser-trusted


Policy > Policy Files >
View File > Current Policy:
; Installed Policy -- compiled at: Sun, 14 Nov 2010 01:55:08 UTC
;     Default proxy policy is ALLOW
Dave Baldwin

That site brings up an "Untrusted Connection" warning when I click on your link. Is that the 'proxy' URL? If so, what is the original URL?
If it's 'nit.disa.mil', Firefox says it can't be found.
Ellush

I had an issue like this. Create a rule in an SSL Access layer:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "Disable certificate validation + Disable client certificate validation"
This rule will disable the destination server certificate expiration check, for example.

If that does not solve the problem, add the following rule in the SSL Intercept layer:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "Disable SSL interception"
This rule will leave the original certificate alone, without BC playing the role of "man in the middle".
Lindows (ASKER)
Hello guys,

Dave,
It's the actual URL: https://tms-tps-1.c3pki.nit.disa.mil:443/cgi-bin/home/index.cgi

Ellush:
I've tried adding the SSL Access layer, but it failed when trying to install the policy.

Policy > Visual Policy Manager > Launch > Policy > add access layer:
Source: any
Destination: Server URL: tms-tps-1.c3pki.nit.disa.mil
(also tried Request URL: tms-tps-1.c3pki.nit.disa.mil,
 Destination: tms-tps-1.c3pki.nit.disa.mil:80-443(contains))
Action: Do not require client certificate


When I clicked on Install Policy, it errored out with:
Policy installation
Compiling new configuration file: Inline configuration
Sun, 14 Nov 2010 22:11:47 UTC
Error: Late condition 'url.domain=//tms-tps-1.c3pki.nit.disa.mil/' guards early action: 'client.certificate.require(no)'
cpl.vpm:13:       url.domain="tms-tps-1.c3pki.nit.disa.mil" client.certificate.require(no) trace.request(yes) trace.rules(all)      ; Rule 1

There was 1 error and 0 warnings

Any ideas?

Ellush

Your version is almost the same as mine; you should have the same objects as I mentioned:
"disable certificate validation" and "disable client certificate validation"
These are not the same as the one you used: "Action: Do not require client certificate"
Also, try changing the destination object: the "Request URL" type is good; use the advanced part (pic 1).
Try to install again. The order of the layers is important too. As I understand it, you did not have an SSL Access layer at all?
1.png
Lindows (ASKER)

OK, I was able to create a rule with the "disable certificate validation" and "disable client certificate validation" objects; however, I'm not able to install the policy.

Here are my steps:
Action:
Set > New >  Client Certificate Validation > selected "Disable client certificate validation"
Set > New > Server Certificate Validation > selected "Disable server certificate validation"
Set > New > Combined Action object > added the above two objects and applied this combined object for the Action.

Error Window says:
Messages:
Policy installation
Compiling new configuration file: Inline configuration
Mon, 15 Nov 2010 06:16:08 UTC
Error: Late condition 'url.host.substring=tms-tps-1.c3pki.nit.disa.mil' guards early action: 'client.certificate.validate(no)'


There was 1 error and 0 warnings

Condition Definitions:
define condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"
      url.host.substring="tms-tps-1.c3pki.nit.disa.mil"
end condition "tms-tps-1.c3pki.nit.disa.mil-Request URL"

CPL:
;; Tab: [SSL Access Layer (1)]
<SSL>
      condition="tms-tps-1.c3pki.nit.disa.mil-Request URL" client.certificate.validate(no)      server.certificate.validate(no)            ; Rule 1
        
tps.png

Ellush

Let's try to disable validation globally:
Change the destination to "Any" and try to install.
Also, I would try to disable IPv6 lookups:
Open the ProxySG GUI --> Configuration --> Policy --> Policy Files --> Policy Files tab
Choose "Install Local File From:" = Text Editor, press Install
In the window that opens, add the following lines:
<forward>
server_url.dns_lookup(ipv4-only)
Press Install
Retry access

I have a clarifying question too:
Is your internal domain nit.disa.mil?
You pointed that out in your question:
Network > DNS > Imputing > added nit.disa.mil
If so, why would you want to access your internal site through BC?

Lindows (ASKER)
I was able to install the policy globally with destination any.
However, the issue is still there, so I've also added the SSL Intercept rule with destination Any, and it's still taking a long time to load the page.

So my current policy looks like this:
Policy > Policy Files > Current Policy > View:

; Installed Policy -- compiled at: Mon, 15 Nov 2010 16:07:07 UTC
;     Default proxy policy is ALLOW

; Policy Rules
<ssl>
    client.certificate.validate(no) server.certificate.validate(no)

<ssl-intercept>
    ssl.forward_proxy(no)

<Forward>
    server_url.dns_lookup(ipv4-only)


Any other things I should try?

About the domain: I created the domain in the lab for internal testing at one point, but we're using the real one externally now. I've deleted the domain nit.disa.mil from BC just now.

Ellush

When you eventually access the site, check the certificate.
Do you see your BC in the certificate chain?
If yes, please build this (it looks like you have not done that yet):
add the following rule in the SSL Intercept layer:
Source "Any" --> Destination "yoursite" --> Service "Any" --> Action "Disable SSL interception"

If that does not help, try some troubleshooting:
1. Check the access on other WS, to make sure it is a global problem.
2. Use IEInspector (which can be downloaded as a trial) in stand-alone mode while accessing the site; it may show where else your WS tries to go using http/https.
3. Run Wireshark, to show any other traffic that may interfere.
4. Configure tracing for the testing node by adding a Web Access layer (rename it Debug) and configure the tracing rule according to the pic.

Access the tracing file using the following URL: https://"yourbc":8082/policy to see the results.
I can help you with reading the debug file.
If all of the above does not help you find the problem, you should check with BC support.
They have the tools and the labs to simulate your environment. It could be a misconfiguration or a bug in your version.
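Ellush's two lines of investigation above (the IPv6 lookup suggestion and the "is BC in the certificate chain / where does the time go" checklist) come down to measuring each phase of the HTTPS fetch separately, once directly and once through the proxy. The script below is an added example written for this page; it is not code from the thread or from Blue Coat. It assumes an explicit (CONNECT-style) proxy with no proxy authentication, listening on a host:port given on the command line; the URL, proxy address and optional CA file are illustrative inputs. It times A and AAAA resolution independently, the TCP connect (to the proxy or to the origin), the proxy's reply to CONNECT, the TLS handshake and the time to first byte of the GET, and it prints the issuer of the leaf certificate the client actually received, which is where an intercepting proxy's own CA would appear.

```python
"""Per-phase timing of an HTTPS request, direct or via an explicit HTTP proxy.

Added example for this thread, not Blue Coat code. Assumes the proxy speaks
plain HTTP CONNECT on the given host:port (no proxy authentication).
Usage: python3 proxy_timing.py https://host/path [proxy_host:port] [ca_file]
"""
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit


def build_connect_request(host, port):
    """The CONNECT request an explicit proxy expects before it tunnels TLS."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's reply to CONNECT.

    Only a 2xx means the tunnel is open; anything else is the proxy's own
    policy or error reply (e.g. 403 from a DENY rule, 407 for authentication).
    """
    head = raw.partition(b"\r\n\r\n")[0]
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def read_http_head(sock):
    """Read from a socket-like object until the end of the HTTP headers (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def timed(label, timings, fn):
    """Run fn(), store its wall-clock duration under label, return its result."""
    start = time.perf_counter()
    result = fn()
    timings[label] = time.perf_counter() - start
    return result


def dns_phases(host, timings):
    """Resolve A and AAAA separately: a hanging AAAA lookup shows up on its own."""
    for family, label in ((socket.AF_INET, "dns_A"), (socket.AF_INET6, "dns_AAAA")):
        try:
            timed(label, timings, lambda: socket.getaddrinfo(host, None, family))
        except socket.gaierror as exc:
            timings[label] = f"failed: {exc}"


def fetch(url, timings, proxy=None, cafile=None):
    """Do the request, filling timings as it goes; returns (issuer, status line)."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    dns_phases(host, timings)
    if proxy:
        phost, pport = proxy.rsplit(":", 1)
        raw = timed("tcp_connect_to_proxy", timings,
                    lambda: socket.create_connection((phost, int(pport)), timeout=60))
        raw.sendall(build_connect_request(host, port))
        code, reason = parse_connect_response(
            timed("proxy_connect_reply", timings, lambda: read_http_head(raw)))
        if code // 100 != 2:
            raise RuntimeError(f"proxy refused CONNECT: {code} {reason}")
    else:
        raw = timed("tcp_connect_to_origin", timings,
                    lambda: socket.create_connection((host, port), timeout=60))
    # cafile: the site's CA or the proxy's issuer CA, if it is not in the OS trust store
    ctx = ssl.create_default_context(cafile=cafile)
    tls = timed("tls_handshake", timings, lambda: ctx.wrap_socket(raw, server_hostname=host))
    # Issuer of the leaf certificate the client actually received: an intercepting
    # proxy re-signs with its own CA, so that CA's name would appear here.
    issuer = {k: v for rdn in tls.getpeercert()["issuer"] for k, v in rdn}
    request = (f"GET {parts.path or '/'} HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: close\r\n\r\n").encode("ascii")
    tls.sendall(request)
    head = timed("time_to_first_byte", timings, lambda: read_http_head(tls))
    tls.close()
    return issuer, head.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    timings = {}
    try:
        issuer, status = fetch(sys.argv[1], timings,
                               proxy=sys.argv[2] if len(sys.argv) > 2 else None,
                               cafile=sys.argv[3] if len(sys.argv) > 3 else None)
        print("issuer:", issuer)
        print("status:", status)
    except (OSError, RuntimeError) as exc:  # ssl errors and timeouts are OSError subclasses
        print("failed:", exc)
    for label, value in timings.items():
        print(f"{label:>22}: {value:.3f}s" if isinstance(value, float) else f"{label:>22}: {value}")
```

Run it twice, once with the proxy argument and once without, and compare the phases. A large gap only in dns_AAAA points at the IPv6 lookup; a gap in proxy_connect_reply is time spent inside the proxy before it even opens the tunnel (its own resolution, forwarding and policy evaluation); a gap in tls_handshake through the proxy but not direct means the proxy is slow to complete the upstream handshake (certificate fetching or validation); a gap only in time_to_first_byte means the tunnel is up and the delay is in the request itself. If the handshake fails with a verification error, pass the site's CA or the proxy's issuer CA as the third argument; the timings collected up to the failure are still printed.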
Lindows (ASKER)
Thanks for all your help btw.

I do not see the BC in the certificate chain, but I went ahead and created the rule to disable SSL interception for that destination.
For 2 and 3, I'll do them tomorrow and let you know the results.
For 1, yes it's global.
For 4, I'm attaching the results.

Can you try going to the site https://tms-tps-1.c3pki.nit.disa.mil/cgi-bin/home/index.cgi through your BC from your end to see if it also takes a long time to load the page?  It takes me a good 15 minutes to load the page through my BC.

I'm just curious.

matrix.txt

SOLUTION
Ellush

This solution is only available to members of Experts Exchange.

ASKER CERTIFIED SOLUTION

This solution is only available to members of Experts Exchange.
Lindows (ASKER)

Thanks

Lindows (ASKER)

Although I found the solution, Ellush helped out, so I'm awarding the points.