Following an upgrade to SWG 5.1.1 users can no longer access sites through the SWG proxy.  The SWG will successfuly respond with the block page for sites that are blocked however.

Clients will not receive an error message from the SWG but may receive a timeout error from the browser.

SWG 5.1.1 changed the behavior of the "X-Forwarded-for" HTTP header.  In previous versions the "X-Forwarded-for" header would contain the IP of the proxied client.  In 5.1.1 this value has been changed to "unknown".  This may cause an issue with some Intrusion Prevention Systems (IPS).  For example you may see a rule triggered on the IPS with information such as "HTTP Server X-Forwarded-For Denial-of-Service" with a source IP of the SWG.

The default Forwarded-For setting has been changed to "delete" in SWG 5.2. This deletes the entire X-Forwarded-For header which resolves this problem. SWG 5.2 will be generally available from late January 2014.

Applies To

SWG in proxy or inline+proxy mode.