No access through SWG proxy following upgrade to 5.1.1.

Article ID: 158479

Products

Web Gateway

Issue/Introduction

Following an upgrade to SWG 5.1.1, users can no longer access sites through the SWG proxy. The SWG will, however, still successfully respond with the block page for sites that are blocked.

Clients will not receive an error message from the SWG but may receive a timeout error from the browser.

Cause

SWG 5.1.1 changed the behavior of the "X-Forwarded-For" HTTP header. In previous versions, the "X-Forwarded-For" header contained the IP of the proxied client. In 5.1.1 this value has been changed to "unknown". This may cause an issue with some Intrusion Prevention Systems (IPS). For example, you may see a rule triggered on the IPS with information such as "HTTP Server X-Forwarded-For Denial-of-Service" with a source IP of the SWG.

Resolution

The default Forwarded-For setting has been changed to "delete" in SWG 5.2. This deletes the entire X-Forwarded-For header which resolves this problem. SWG 5.2 will be generally available from late January 2014.
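
To confirm which of the three behaviors described above a gateway is showing, inspect a request as it leaves the SWG. The following Python is an added example, not vendor code: the function names and the sample requests are constructed for illustration, and it assumes you have a raw capture of a request taken on the upstream side of the SWG.

```python
import ipaddress

def xff_values(raw_request: bytes):
    """Return X-Forwarded-For elements from a raw HTTP request, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = None
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; repeated headers are concatenated.
        if sep and name.strip().lower() == "x-forwarded-for":
            values = (values or []) + [v.strip() for v in value.split(",")]
    return values

def classify(raw_request: bytes) -> str:
    """Map a forwarded request to the behavior described in the article."""
    values = xff_values(raw_request)
    if values is None:
        return "deleted"        # header removed (SWG 5.2 default)
    non_ip = []
    for v in values:
        try:
            ipaddress.ip_address(v)
        except ValueError:
            non_ip.append(v)
    if not non_ip:
        return "client-ip"      # pre-5.1.1 behavior
    if all(v.lower() == "unknown" for v in non_ip):
        return "unknown"        # value set by 5.1.1
    return "malformed"          # anything else deserves a closer look

# Constructed sample requests (documentation addresses, not real captures).
SAMPLES = {
    "pre-5.1.1": b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
                 b"X-Forwarded-For: 192.0.2.10\r\n\r\n",
    "5.1.1": b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
             b"X-Forwarded-for: unknown\r\n\r\n",
    "5.2": b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:10} -> {classify(request)}")
```

A result of "unknown" on traffic leaving the SWG matches the 5.1.1 behavior in the Cause section; "deleted" matches the 5.2 default.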


Applies To

SWG in proxy or inline+proxy mode.