How does ProxySG evaluate Proxy-services on two intercept services with the same port

Article ID: 165938

Products

Mobility Threat Protection; Asset Management Solution; ProxySG Software - SGOS

Issue/Introduction

Assume the following reverse proxy setup:

Proxy-Services:

1. Explicit HTTP - Intercept - Explicit - port 8080 and port 80 (HTTP)
2. HTTPS - Bypass - All - port 443 (SSL)
3. WebServer001 VIP - Intercept IP host 10.20.20.55/32 on port 80
4. WebServer002 VIP - Intercept IP range 10.20.20.32/29 on port 80
5. WebServer003 VIP - Intercept IP range 10.20.20.80/29 on port 443


Forwarding Hosts:

1. WebServer001: 10.10.10.10 HTTP port 80
2. WebServer002: 10.10.10.11 HTTP port 80
3. WebServer003: 10.10.10.12 SSL port 443


CPL/VPM Forwarding Layer:

1. Source: Any ;; Destination: 10.20.20.55/32 ;; forward traffic to WebServer001
2. Source: Any ;; Destination: 10.20.20.32/29 ;; forward traffic to WebServer002
3. Source: Any ;; Destination: 10.20.20.80/29 ;; forward traffic to WebServer003

With the above example, SGOS evaluates services in the following sequence when the same port appears in two different Intercept services, shown in the three scenarios below:


Client traffic request to "WebServer001 VIP"

1. WebServer001 VIP - Intercept IP host 10.20.20.55/32 on port 80                        <<<<<< Evaluated and match
2. Explicit HTTP - Intercept - Explicit - port 8080 and port 80 (HTTP)                       <<<<<< will not be evaluated as it has matched the item 1

ProxySG evaluates the "WebServer001 VIP - Intercept IP host 10.20.20.55/32 on port 80" service first because it is defined as an IP host, which is the smallest (most specific) unit in the IP address hierarchy.


Client traffic request to "WebServer002 VIP"

1. Explicit HTTP - Intercept - Explicit - port 8080 and port 80 (HTTP)                        <<<<<< Evaluated and match
2. WebServer002 VIP - Intercept IP range 10.20.20.32/29 on port 80                     <<<<<< will not be evaluated as it has matched the item 1

The Explicit HTTP service is matched because client traffic directed to "WebServer001 VIP" is considered explicit traffic to ProxySG.
Note: if Explicit port 80 is set to Bypass, access to the WebServer001 OCS will fail.


Client traffic request to "WebServer003 VIP"

1. HTTPS - Bypass - All - port 443 (SSL)                         <<<<<< Evaluated and match
2. WebServer003 VIP - Intercept IP range 10.20.20.80/29 on port 443                     <<<<<< will not be evaluated as it has matched the item 1

The HTTPS service is matched because client traffic directed to "WebServer001 VIP" is considered explicit traffic to ProxySG, and since the HTTPS service is configured for "All" traffic, that includes explicit traffic.
Note: if HTTPS is set to Bypass, access to the WebServer003 OCS will fail.


Resolution

1. For access to "WebServer002 VIP", whose service intercepts an IP range on port 80 (HTTP), delete/remove the "Explicit HTTP - port 80" service.

2. For access to "WebServer003 VIP", whose service intercepts an IP range on port 443 (SSL), either:
    a. delete/remove the HTTPS service, or
    b. change the HTTPS service from Intercept "All" to Intercept Transparent.
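The following is an added example, not part of the article and not SGOS code: a small Python simulator of the service-selection order the three scenarios describe, so the scenarios and both resolutions can be checked side by side. It assumes the ordering the article implies (an IP host /32 listener is evaluated before an Explicit listener, and Explicit and "All" listeners before an IP range listener); the relative rank of Explicit versus "All" is not stated in the article and is treated as a tie here. The request model (destination IP, port, and "explicit" mode for traffic sent to a VIP) and the sample destination addresses 10.20.20.34 and 10.20.20.82 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    """One proxy-service listener as configured in the article's setup (model, not SGOS internals)."""
    name: str
    action: str                    # "intercept" or "bypass"
    listener: str                  # "host", "range", "explicit", "transparent" or "all"
    ports: Tuple[int, ...]
    network: Optional[str] = None  # only used by "host" and "range" listeners


# Evaluation order derived from the article's three scenarios (assumption):
# a /32 IP host is evaluated before Explicit; Explicit and All before an IP range.
# The article does not rank Explicit against All, so they share a rank and
# fall back to configuration order.
RANK = {"host": 0, "explicit": 1, "all": 1, "transparent": 1, "range": 2}

# The article's proxy services.
SERVICES: List[Service] = [
    Service("Explicit HTTP", "intercept", "explicit", (8080, 80)),
    Service("HTTPS", "bypass", "all", (443,)),
    Service("WebServer001 VIP", "intercept", "host", (80,), "10.20.20.55/32"),
    Service("WebServer002 VIP", "intercept", "range", (80,), "10.20.20.32/29"),
    Service("WebServer003 VIP", "intercept", "range", (443,), "10.20.20.80/29"),
]

# The article's CPL/VPM forwarding layer: destination network -> forwarding host.
FORWARDING = [
    ("10.20.20.55/32", "WebServer001"),
    ("10.20.20.32/29", "WebServer002"),
    ("10.20.20.80/29", "WebServer003"),
]


def listener_matches(svc: Service, dst_ip: str, mode: str) -> bool:
    """Does this service's listener cover the request's destination and traffic mode?"""
    if svc.listener in ("host", "range"):
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(svc.network)
    if svc.listener == "all":
        return True
    return svc.listener == mode  # "explicit" or "transparent" listeners only


def select_service(services, dst_ip: str, dst_port: int, mode: str = "explicit") -> Optional[Service]:
    """Pick the service that is evaluated (and matched) first under the assumed ordering."""
    candidates = [s for s in services
                  if dst_port in s.ports and listener_matches(s, dst_ip, mode)]
    if not candidates:
        return None
    # sorted() is stable, so services of equal rank keep configuration order
    return sorted(candidates, key=lambda s: RANK[s.listener])[0]


def handle_request(services, dst_ip: str, dst_port: int, mode: str = "explicit") -> Tuple[Optional[str], str]:
    """Return (matched service name, outcome) for a client request to a VIP.
    Per the article, client requests to the VIPs arrive as explicit traffic."""
    svc = select_service(services, dst_ip, dst_port, mode)
    if svc is None:
        return None, "no matching service"
    if svc.action == "bypass":
        return svc.name, "bypassed, OCS not reached"
    for net, host in FORWARDING:
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net):
            return svc.name, f"forwarded to {host}"
    return svc.name, "intercepted, no forwarding rule"


def apply_resolution_1(services):
    """Resolution 1: remove port 80 from the Explicit HTTP service."""
    return [replace(s, ports=tuple(p for p in s.ports if p != 80)) if s.name == "Explicit HTTP" else s
            for s in services]


def apply_resolution_2b(services):
    """Resolution 2b: change the HTTPS service from All to Transparent."""
    return [replace(s, listener="transparent") if s.name == "HTTPS" else s for s in services]


if __name__ == "__main__":
    # Sample destinations constructed inside the article's VIP host/ranges.
    for label, ip, port in [("WebServer001 VIP", "10.20.20.55", 80),
                            ("WebServer002 VIP", "10.20.20.34", 80),
                            ("WebServer003 VIP", "10.20.20.82", 443)]:
        print(label, "->", handle_request(SERVICES, ip, port))
    print("after resolution 1 :", handle_request(apply_resolution_1(SERVICES), "10.20.20.34", 80))
    print("after resolution 2b:", handle_request(apply_resolution_2b(SERVICES), "10.20.20.82", 443))
```

Running it reproduces the article: the WebServer001 request is matched by its own /32 service, the WebServer002 request is matched by Explicit HTTP (and still reaches the OCS only because that service intercepts), and the WebServer003 request is matched by the bypassing HTTPS service and never reaches the forwarding layer. After resolution 1 the WebServer002 VIP service is the only candidate on port 80 for that range, and after resolution 2b the transparent-only HTTPS service no longer matches explicit VIP traffic, so the WebServer003 VIP service is selected.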