Problems accessing when going through the ProxySG.


Article ID: 166780



ProxySG Software - SGOS


When going through the ProxySG, the page may not load or may be slow to respond.
The proxy is configured in a transparent deployment.
Problem does not happen when the web browser is configured in an explicit manner.



The cause of the problem is that there is no PTR record for reverse DNS lookup of  Please see the additional details section below for full details.

To resolve the problem, do not perform reverse DNS lookups for the IP addresses.  Please do the following:

1.)  Go to the Management Console (https://<ip.address.of.proxysg>:8082) on the ProxySG
2.)  Go to the Configuration tab > Policy > Visual Policy Manager > Launch
3.)  Click on Configuration from the menu bar
4.)  Select Set Reverse DNS Lookup Restriction
5.)  With the Listed Subnet radio button enabled in the top section, click the Add button
6.)  In the dialog box enter the IP address and subnet mask of
7.)  Click Add button
8.)  Enter IP address and subnet mask 
9.)  Click OK
10.)  Click Install Policy and OK
NOTE: The above IP addresses were associated with at the time this article was written (11DEC2009), but may have changed. To be sure you are entering the valid IP addresses, please perform an "nslookup" on the hostname to verify.
For those that are using Threatpulse (Blue Coat Cloud), please see 000014160.


When the ProxySG is configured to allow or deny access to URLs, it must determine the hostname of the site being requested. When it is an HTTP site, the proxy simply observes the HTTP request headers to determine the host. However, since redirects to an HTTPS URL, the communication will be encrypted via SSL. Since the communication is encrypted, the proxy is unable to observe the HTTP headers until the SSL traffic is intercepted/decrypted (if configured). However, this does not happen until after the initial policy evaluation. So when hostname/URL policy is present, the proxy must resort to alternative methods for determining the hostname of the destination at policy evaluation time. One method is to perform a reverse DNS lookup on the destination IP address provided by the client. Since reverse DNS queries for fail with no response, this will result in a timeout when the proxy is performing a lookup.

This issue only applies to transparent proxy configurations. In an explicit proxy configuration, even after being redirected to HTTPS, the client sends the proxy an HTTP CONNECT request to establish the SSL connection. This request provides the hostname of the server, so the proxy does not need to perform a reverse DNS lookup.

Also, please note that is only used as an example since this issue is frequently reported with this site. However, keep in mind that this same problem can happen with any SSL site whose hostname has no PTR record when hostname-based policy is present on the ProxySG.
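To find which destination IPs of a given HTTPS site would trigger this condition, the following added example (not part of the original article and not Blue Coat tooling) resolves a hostname, times the reverse lookup for each address, and lists the addresses that are candidates for the Set Reverse DNS Lookup Restriction list. The function names and the 3-second timeout are assumptions, and it should be run from a host that uses the same DNS servers as the ProxySG.

```python
import concurrent.futures
import socket
import time


def ptr_status(ip, timeout=3.0, resolver=socket.gethostbyaddr):
    """Classify the reverse lookup for one IP as 'ok', 'no-ptr' or 'timeout'."""
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    start = time.monotonic()
    future = pool.submit(resolver, ip)
    try:
        name, status = future.result(timeout=timeout)[0], "ok"
    except concurrent.futures.TimeoutError:
        # No answer at all: the case that stalls policy evaluation on the proxy.
        name, status = None, "timeout"
    except (socket.herror, socket.gaierror):
        # The DNS server answered, but there is no PTR record.
        name, status = None, "no-ptr"
    finally:
        pool.shutdown(wait=False)  # do not block on a lookup that is still hanging
    elapsed = round(time.monotonic() - start, 2)
    return {"ip": ip, "status": status, "ptr": name, "seconds": elapsed}


def check_host(hostname, timeout=3.0,
               forward=socket.getaddrinfo, resolver=socket.gethostbyaddr):
    """Forward-resolve hostname (like nslookup), then test each address."""
    infos = forward(hostname, 443, proto=socket.IPPROTO_TCP)
    ips = sorted({info[4][0] for info in infos})  # de-duplicate addresses
    return [ptr_status(ip, timeout, resolver) for ip in ips]


def restriction_candidates(results):
    """IPs whose reverse lookup did not return a name."""
    return [r["ip"] for r in results if r["status"] != "ok"]


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        results = check_host(host)
        for r in results:
            print(host, r["ip"], r["status"], r["ptr"], f'{r["seconds"]}s')
        print("candidates:", restriction_candidates(results))
```

Addresses reported as `timeout` match the behavior described above; re-run the check periodically, since the addresses behind a hostname can change.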