When browsing to www.campusship.ups.com through the ProxySG, the page may fail to load or may be slow to respond.
The proxy is configured in a transparent deployment.
The problem does not occur when the web browser is configured to use the proxy explicitly.
The cause of the problem is that there is no PTR record for reverse DNS lookup of www.campusship.ups.com. Please see the additional details section below for full details.
To resolve the problem, do not perform reverse DNS lookups for the www.campusship.ups.com IP addresses. Please do the following:
When the ProxySG is configured to allow or deny access to URLs, it must determine the hostname of the site being requested. When it is an HTTP site, the proxy simply observes the HTTP request headers to determine the host. However, since www.campusship.ups.com redirects to an HTTPS URL, the communication will be encrypted via SSL. Because the communication is encrypted, the proxy is unable to observe the HTTP headers until the SSL traffic is intercepted/decrypted (if configured), and this does not happen until after the initial policy evaluation. So when hostname/URL policy is present, the proxy must resort to alternative methods for determining the hostname of the destination at policy evaluation time. One method is to perform a reverse DNS lookup on the destination IP address provided by the client. Since reverse DNS queries for www.campusship.ups.com fail with no response, the proxy's lookup ends in a timeout.
This issue only applies to transparent proxy configurations. In an explicit proxy configuration, even after being redirected to HTTPS, the client sends the proxy an HTTP CONNECT request to establish the SSL connection. This request provides the hostname of the server, so the proxy does not need to perform a reverse DNS lookup.
Also, please note that www.campusship.ups.com is only used as an example, since this issue is frequently reported with this site. The same problem can happen with any SSL site whose hostname has no PTR record when hostname-based policy is present on the ProxySG.
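To check which addresses of a site would cause this delay, the reverse lookup can be reproduced from a host that uses the same DNS servers as the ProxySG. The following is an added example, not vendor code: the function names, the 3-second default timeout and the sample data (documentation addresses) are assumptions made for illustration. It separates a prompt "no PTR" answer from a query that gets no response at all, which is the case described above.

```python
import socket
import threading
import time

def forward_ips(hostname):
    """Resolve a hostname to the addresses a client might connect to."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def ptr_status(ip, lookup=socket.gethostbyaddr, timeout=3.0):
    """Return 'ok', 'no_ptr' (prompt negative answer) or 'timeout' (no answer)."""
    result = {}

    def worker():
        try:
            result["name"] = lookup(ip)[0]
        except OSError:  # socket.herror / socket.gaierror: resolver said "not found"
            result["name"] = None

    thread = threading.Thread(target=worker, daemon=True)
    thread.start()
    thread.join(timeout)
    if thread.is_alive():  # resolver never answered: the case that stalls the proxy
        return "timeout"
    return "ok" if result.get("name") else "no_ptr"

def audit_host(hostname, resolve=forward_ips, lookup=socket.gethostbyaddr, timeout=3.0):
    """Map each address of hostname to its reverse-lookup status."""
    return {ip: ptr_status(ip, lookup, timeout) for ip in resolve(hostname)}

# Constructed sample data (documentation address range) so the demo runs offline.
def sample_resolve(hostname):
    return ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

def sample_lookup(ip):
    if ip == "192.0.2.10":
        return ("www.example.test", [], [ip])
    if ip == "192.0.2.11":
        raise socket.herror(1, "Unknown host")
    time.sleep(1.0)  # simulates a DNS server that never replies
    return ("late.example.test", [], [ip])

if __name__ == "__main__":
    report = audit_host("www.example.test", sample_resolve, sample_lookup, 0.2)
    for ip, status in report.items():
        print(ip, status)
```

Calling audit_host("hostname") with the defaults performs real lookups; addresses reported as "timeout" are the ones for which a transparent proxy with hostname-based policy would wait on reverse DNS.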