Problems accessing www.campusship.ups.com when going through the ProxySG.


Article ID: 166780

Products

ProxySG Software - SGOS

Issue/Introduction

When going to www.campusship.ups.com through the ProxySG, the page may not load or is slow to respond.
The proxy is configured in a transparent deployment.
The problem does not occur when the web browser is configured to use the proxy explicitly.

 

Resolution

The cause of the problem is that there is no PTR record for a reverse DNS lookup of www.campusship.ups.com. See the Additional Information section below for full details.

To resolve the problem, exclude the www.campusship.ups.com IP addresses from reverse DNS lookups. Do the following:

1.)  Go to the Management Console (https://<ip.address.of.proxysg>:8082) on the ProxySG
2.)  Go to the Configuration tab > Policy > Visual Policy Manager > Launch
3.)  Click on Configuration from the menu bar
4.)  Select Set Reverse DNS Lookup Restriction
5.)  With the Listed Subnet radio button enabled in the top section, click the Add button
6.)  In the dialog box enter the IP address 153.2.224.60 and the subnet mask 255.255.255.255
7.)  Click the Add button
8.)  Enter the IP address 153.2.228.60 and the subnet mask 255.255.255.255
9.)  Click OK
10.)  Click Install Policy and OK
 
NOTE: The above IP addresses were associated with www.campusship.ups.com at the time this article was written (11DEC2009), but may have changed. To be sure you are entering valid IP addresses, run an "nslookup" on the hostname to verify them.
 
For those that are using Threatpulse (Blue Coat Cloud), please see 000014160.

ADDITIONAL INFORMATION:

When the ProxySG is configured to allow or deny access to URLs, it must determine the hostname of the site being requested. For an HTTP site, the proxy simply reads the HTTP request headers to determine the host. However, since www.campusship.ups.com redirects to an HTTPS URL, the communication is encrypted via SSL. Because the communication is encrypted, the proxy cannot read the HTTP headers until the SSL traffic is intercepted/decrypted (if configured), and that does not happen until after the initial policy evaluation. So when hostname/URL policy is present, the proxy must resort to alternative methods of determining the destination hostname during policy evaluation. One method is a reverse DNS lookup on the destination IP address supplied by the client. Since reverse DNS queries for the www.campusship.ups.com addresses fail with no response, the proxy's lookup waits until it times out.

This issue only applies to transparent proxy configurations. In an explicit proxy configuration, even after being redirected to HTTPS, the client sends the proxy an HTTP CONNECT request to establish the SSL connection. This request carries the hostname of the server, so the proxy does not need to perform a reverse DNS lookup.

Also, please note that www.campusship.ups.com is used only as an example, because this issue is frequently reported with this site. The same problem can occur with any SSL site whose addresses have no PTR record when hostname-based policy is present on the ProxySG.
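Because any SSL site without PTR records can trigger the same stall, the following added example (not Blue Coat code, and not part of this article) resolves a hostname, reverse-looks-up each address with a bounded wait, and lists the /32 entries you would add under Set Reverse DNS Lookup Restriction. The resolver functions are injectable so the logic can be checked offline with constructed data; the live lookups in `__main__` need network access.

```python
"""Find addresses of a hostname that have no PTR record (hypothetical helper)."""
import socket
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: the host and the addresses the article listed in 2009.
EXAMPLE_HOST = "www.campusship.ups.com"
EXAMPLE_IPS = ["153.2.224.60", "153.2.228.60"]


def forward_lookup(hostname: str) -> List[str]:
    """Return the IPv4 addresses the hostname resolves to (live DNS)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR name for ip, or None when the reverse zone has no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_lookup_with_timeout(ip: str, timeout: float,
                                reverse: Callable[[str], Optional[str]] = reverse_lookup) -> Optional[str]:
    """Bound the reverse query: an unanswered query is exactly what stalls the proxy."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(reverse, ip).result(timeout=timeout)
    except FutureTimeout:
        return None          # treat a hung query like a missing PTR record
    finally:
        pool.shutdown(wait=False)


def missing_ptr_report(hostname: str, forward=forward_lookup, reverse=reverse_lookup,
                       timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Map each address of hostname to its PTR name, or None if the lookup fails."""
    return {ip: reverse_lookup_with_timeout(ip, timeout, reverse) for ip in forward(hostname)}


def restriction_entries(report: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Host entries (IP, mask) to add to the reverse DNS lookup restriction list."""
    return [(ip, "255.255.255.255") for ip, ptr in report.items() if ptr is None]


if __name__ == "__main__":
    for ip, mask in restriction_entries(missing_ptr_report(EXAMPLE_HOST)):
        print(f"no PTR record: add {ip} / {mask}")
```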