Fletch_r21
asked on
Netscaler VPN clients unable to connect to HTTPS websites via a Bluecoat Web Proxy server on port 80 (but it works on 8080)
Hi Guys
Our Netscaler VPN clients are able to connect to the network and reach the Bluecoat Proxy on the network layer (port 80), but when we try to browse to HTTPS Internet websites, the connections seem to get dropped. Internet sites on HTTP work fine.
Our Bluecoat Proxy (hosted in a managed network that we have no access to) also listens on port 8080. If we configure the Netscalers to use the web proxy on port 8080, the issue is resolved, i.e. both HTTP and HTTPS work fine.
Unfortunately, we have a particular business requirement to get this working on port 80. Port 8080 cannot be used at present.
Could anyone point me in the right direction?
Thanks
Mihail
https uses port 443 not port 80
Thanks for your comment, Arnold.
We have tried to trace the traffic as it is leaving the netscaler for the BlueCoat webproxy and the conclusion was that no traffic was leaving the netscaler when we attempted to connect to HTTPS websites (it worked for http sites fine).
So I can't "check whether the Netscreen detects and rejects the encrypted data within port 80" as it doesn't appear to be sending it out on port 80. Where would this rule be configured on the netscaler? Can we override it?
Many thanks
m
Also, the business requirement is for a Netscaler VPN client to be able to connect Outlook to their Office 365 mailbox via another Bluecoat web proxy that does not have port 8080 open. So we have to get it working for port 80...
Often deep inspection detects encrypted data going through port 80 as a concern...
Please check your logs to see whether you can locate an event that sheds light on your situation.
Check with the vendor.
ASKER
Arnold, do you mean check the logs on the BlueCoat proxy? We don't have access to these logs, so it is a bit problematic.
Last time we performed this assessment it was concluded that HTTPS traffic was not leaving the netscaler, i.e. nothing was reaching the proxy when HTTP requests were made from the client.
If you were referring to the Netscaler (v11) logs, could you please clarify which ones?
ASKER
P.S. The following VRTX comments are mine:
Thanks for your comment, Arnold.
We have tried to trace the traffic as it is leaving the netscaler for the BlueCoat webproxy and the conclusion was that no traffic was leaving the netscaler when we attempted to connect to HTTPS websites (it worked for http sites fine).
So I can't "check whether the Netscreen detects and rejects the encrypted data within port 80" as it doesn't appear to be sending it out on port 80. Where would this rule be configured on the netscaler? Can we override it?
Many thanks
----
Also, the business requirement is for a Netscaler VPN client to be able to connect Outlook to their Office 365 mailbox via another Bluecoat web proxy that does not have port 8080 open. So we have to get it working for port 80...
Can you check whether you are diverting port 443 traffic to a proxy via port 80?
Redirecting encrypted traffic is not possible as there is no way to access what the request is.
Usually, a proxy handler for secure communication merely establishes a tunnel/connection through which the client then negotiates the session with the end ..
ASKER
Do you mean "are we diverting port 443 traffic to a proxy via port 80" using the Netscaler functionality? How can I check this?
How are proxy settings deployed in your environment? Are you using transparent mode diverting requests on port 80 to the proxy? If so what do you do for port 443 destined requests. If you push proxy settings or publish them using DNS/DHCP
When you reference port 8080, is that an instance of Netscaler that you configure to listen on that port? Often port 8080 is a Tomcat unsecured port, so it is unclear what you are comparing, as commonly both port 80 and 8080 are unencrypted data streams.
If you have a Linux/UNIX system, or install OpenSSL on a Windows system,
from the command line in either, run: openssl s_client -connect anysecureurl:443
And see what happens. Are you connected to the destination, and can you make a request:
HEAD HTTPS://www.theurl.com HTTP/1.1
Host:
Referer:
Hi There,
Found these two links.
http://docplayer.net/6624924-Blue-coat-security-first-steps-solution-for-controlling-https.html
http://discussions.citrix.com/topic/350825-netscaler-gateway-access-intermittent-access-problem/ (Check for bluecoat specifically).
Kindly confirm if the bluecoat device is deployed in transparent/explicit mode.
ASKER
Arnold
Please see the results below of the OpenSSL Test you have asked us to run:
Internal LAN
OpenSSL> s_client -host www.google.co.uk -port 443
Loading 'screen' into random state - done
CONNECTED(00000168)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 10301 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 9808F335C451E449F655C77AB3C5A9B6E0B491C9E0A2C42708D76B4EDED0ED47
Session-ID-ctx:
Master-Key: 224B42CC4E5BFE1FEC6169B7E2A2B3B073B20BD2E3D7BDD82CC2B69ED6CFCCBC
99896ED725E240A172AE45EEB297058D
Key-Arg : None
Start Time: 1463068023
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
Over the Netscaler VPN
OpenSSL> s_client -host www.google.co.uk -port 443
Loading 'screen' into random state - done
connect: Bad file descriptor
connect:errno=10060
error in s_client
Thanks
Rich
I am not sure whether openssl "detects" the proxy and adjusts or fails..
One option is to try proxytunnel http://proxytunnel.sourceforge.net/intro.php to see whether it
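Added example (not part of the thread and not any participant's code): the s_client test above connects straight to port 443 rather than through a proxy, so this sketch instead asks an explicit proxy for a CONNECT tunnel, the mechanism described earlier in the thread, and classifies the answer. The function names, the local stand-in proxy and www.example.com are assumptions made for illustration.

```python
import socket
import threading


def classify_reply(raw: bytes) -> str:
    """Turn the proxy's status line into a diagnosis."""
    if not raw:
        return "closed-without-reply"
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdecimal():
        return "not-an-http-reply"
    code = int(parts[1])
    if 200 <= code < 300:
        return "tunnel-established"       # client may now start TLS to the target
    if code == 407:
        return "proxy-auth-required"
    if code in (403, 405):
        return "connect-denied-by-proxy"  # CONNECT not permitted on this listener
    return f"http-{code}"


def probe_connect(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Request a CONNECT tunnel from an explicit proxy and report the outcome."""
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError:
        return "tcp-connect-failed"       # nothing reached the proxy listener
    with sock:
        try:
            sock.sendall(request)
            reply = b""
            while b"\r\n\r\n" not in reply and len(reply) < 8192:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            return "no-reply-timeout"
        except OSError:
            return "connection-reset"
    return classify_reply(reply)


def fake_proxy(reply: bytes) -> int:
    """Constructed stand-in proxy on 127.0.0.1; answers one request with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)               # read the CONNECT request
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Run the probe against three constructed proxy behaviours."""
    cases = {
        "allows CONNECT": b"HTTP/1.1 200 Connection established\r\n\r\n",
        "blocks CONNECT": b"HTTP/1.1 403 Forbidden\r\n\r\n",
        "drops silently": b"",
    }
    return {name: probe_connect("127.0.0.1", fake_proxy(reply), "www.example.com")
            for name, reply in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run from a VPN-connected client against the real proxy address on port 80 and then on 8080; differing outcomes for the two listeners show whether the port-80 path accepts CONNECT at all or whether the request never reaches the proxy.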
Thanks for updating
ASKER
Solution was found internally, however sharing on here for other users.
i.e. presumably the same business requirement requires the configuration on port 80 that causes your issue.
You are mixing two distinct technologies into the same channel.