"Request could not be handled" exception page when attempting to download "wpad.dat" from the SG

book

Article ID: 166864

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Upgrading to SGOS 5.5 or higher breaks PAC/WPAD functionality
Policy trace while requesting "/wpad.dat" shows the SG returning '400 Bad Request'

Resolution

ProxySG administrators wishing to enable support for returning the ProxySG's accelerated_pac_base.pac file when a request is received by the ProxySG for a URL with the exact path of /wpad.dat traditionally used a "policy redirect" that caused the ProxySG to return a redirect pointing back to the ProxySG for /accelerated_pac_base.pac.

This worked well, unless there was a reference in policy that required a response from an "upstream" server such as a scan decision from ProxyAV.  If Threat-Protection/Malware-Scanning is enabled within the Management
Console GUI, it is likely any policy involving redirects for objects to be served directly from the ProxySG, would begin to return a "Request could not be handled" exception page.

As of SGOS 5.5.7.1, a new policy gesture has been added to resolve the "Request could not be handled" exception.

The following is an example of the typical policy that is known to cause a "Request could not be handled" exception when other policy (such as ICAP scanning) is also involved:

<Proxy>
    ALLOW url.path.exact=/wpad.dat action.ReturnRedirect1(yes)

define action ReturnRedirect1
  redirect( 302, ".*", "
http://proxy.company.com/accelerated_pac_base.pac" )
end

The new policy gesture introduced in SGOS 5.5.7.1 is:  request_redirect


The policy above can be re-written as:

<Proxy>
    ALLOW url.path.exact=/wpad.dat action.ReturnRedirect1(yes)

define action ReturnRedirect1
  request_redirect( 302, ".*", "
http://proxy.company.com/accelerated_pac_base.pac" )
end

Use of the "request_redirect" gesture will prevent the "Request could not be handled" exception when a redirect is necessary in combination with policy that requires a response from an "upstream" server.


Notes:

  • The request_redirect policy gesture is not yet available as a VPM object.
  • This KB article supersedes FAQ410, and KB4197.
  • The request_redirect gesture should only be used for objects returned from the ProxySG itself, such as accelerated_pac_base.pac, and does not apply for redirects for objects from an OCS (Origin Content Server).   Continue to use redirect  for redirects to an OCS, and the new gesture request_redirect when the content is to be served only from the ProxySG.