Unable to play Flash video behind HTTP Proxy. Works fine with Microsoft ISA Server

Article ID: 167045

Products

ProxySG Software - SGOS

Issue/Introduction

Unable to play Flash video behind HTTP Proxy. Works fine with Microsoft ISA Server.

Packet capture from Microsoft ISA Server shows:

No.     Time     Source                Destination           SrcPort DstPort Protocol Info
   2244 18.886   10.10.10.191          10.10.10.10          2685    8080    HTTP     CONNECT c-3cafa6e9203506f43a60d65feaf99f43.a-asiahkbn.i-768e5108.rtmp.atlas.cdn.yimg.com:1935 HTTP/1.0
   2250 18.887   10.10.10.191          10.10.10.10          2686    8080    HTTP     CONNECT c-3cafa6e9203506f43a60d65feaf99f43.a-asiahkbn.i-768e5108.rtmp.atlas.cdn.yimg.com:443 HTTP/1.0
   2251 18.889   10.10.10.10           10.10.10.191         8080    2685    HTTP     HTTP/1.1 502 Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.  )  (text/html)
   2256 18.892   10.10.10.191          10.10.10.10          2687    8080    HTTP     CONNECT c-3cafa6e9203506f43a60d65feaf99f43.a-asiahkbn.i-768e5108.rtmp.atlas.cdn.yimg.com:80 HTTP/1.0
   2257 18.894   10.10.10.10           10.10.10.191         8080    2687    HTTP     HTTP/1.1 502 Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.  )  (text/html)
   2262 18.897   10.10.10.191          10.10.10.10          2688    8080    HTTP     POST http://c-3cafa6e9203506f43a60d65feaf99f43.a-asiahkbn.i-768e5108.rtmp.atlas.cdn.yimg.com:1935/fcs/ident2 HTTP/1.1  (application/x-fcs)
   2269 18.931   10.10.10.10           10.10.10.191         8080    2688    HTTP     HTTP/1.1 200 OK  (text/plain)
   2270 18.931   10.10.10.191          10.10.10.10          2688    8080    HTTP     POST http://c-3cafa6e9203506f43a60d65feaf99f43.a-asiahkbn.i-768e5108.rtmp.atlas.cdn.yimg.com:443/fcs/ident2 HTTP/1.1  (application/x-fcs)
   2290 22.006   10.10.10.10           10.10.10.191         8080    2688    HTTP     HTTP/1.1 502 Proxy Error ( Connection refused )  (text/html)
   2312 22.224   10.10.10.10           10.10.10.191         8080    2686    HTTP     HTTP/1.1 502 Proxy Error ( Connection refused )  (text/html)

 

Packet capture from SG shows:

No.     Time     Source                Destination           SrcPort DstPort Protocol Info
   1648 32.731   10.10.10.191          10.10.10.10            2609    8080    HTTP     CONNECT c-625055320812415e04b1b597beed3aa2.a-asiahkbn.i-dfffa70a.rtmp.atlas.cdn.yimg.com:1935 HTTP/1.0
   1651 32.774   10.10.10.10           10.10.10.191           8080    2609    HTTP     HTTP/1.1 200 Connection established
   1662 32.882   10.10.10.191          10.10.10.10            2610    8080    HTTP     CONNECT c-625055320812415e04b1b597beed3aa2.a-asiahkbn.i-dfffa70a.rtmp.atlas.cdn.yimg.com:443 HTTP/1.0
   1663 32.884   10.10.10.10           10.10.10.191           8080    2610    HTTP     HTTP/1.1 200 Connection established
   1672 33.902   10.10.10.191          10.10.10.10            2611    8080    HTTP     CONNECT c-625055320812415e04b1b597beed3aa2.a-asiahkbn.i-dfffa70a.rtmp.atlas.cdn.yimg.com:80 HTTP/1.0
   1673 33.904   10.10.10.10           10.10.10.191           8080    2611    HTTP     HTTP/1.1 200 Connection established

Resolution

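Install the following Content Policy Language (CPL) into the Local/Central Policy to have SG deny invalid HTTP requests from Adobe Flash clients. The two rules deny CONNECT requests to any port other than 443, and requests using any method other than CONNECT to port 443, when the User-Agent header matches Flash: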

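<Proxy>
    ; Flash client: CONNECT to any port other than 443
    url.port=!443 http.method=CONNECT request.header.user-agent=Flash force_deny
    ; Flash client: any method other than CONNECT to port 443
    url.port=443 http.method=!CONNECT request.header.user-agent=Flash force_deny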
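
To check what the two rules above would do to each request type seen in the captures, the following Python sketch models their decision logic. It is an added example, not Symantec/Broadcom code; the host name `rtmp.example.com`, the User-Agent value and the function names are constructed, and the User-Agent test is assumed to behave as a case-insensitive substring match.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def target_port(method, target):
    """Destination port named by a proxy request target."""
    if method == "CONNECT":
        # CONNECT carries authority form: host:port
        _host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"CONNECT target has no port: {target!r}")
        return int(port)
    parts = urlsplit(target)  # absolute form, as sent to an explicit proxy
    if parts.port is not None:
        return parts.port
    if parts.scheme.lower() not in DEFAULT_PORTS:
        raise ValueError(f"cannot infer port from {target!r}")
    return DEFAULT_PORTS[parts.scheme.lower()]

def verdict(request_line, user_agent):
    """Apply the two Flash rules; 'no-match' means later policy decides."""
    method, target, _version = request_line.split()
    # Assumption: user-agent test modelled as case-insensitive substring match.
    if "flash" not in user_agent.lower():
        return "no-match"
    port = target_port(method, target)
    if method == "CONNECT" and port != 443:
        return "force_deny"   # rule 1: url.port=!443 http.method=CONNECT
    if method != "CONNECT" and port == 443:
        return "force_deny"   # rule 2: url.port=443 http.method=!CONNECT
    return "no-match"

# Constructed sample input: the request shapes from the captures,
# with a placeholder host name and a made-up User-Agent value.
FLASH_UA = "Shockwave Flash"
HOST = "rtmp.example.com"
SAMPLES = [
    f"CONNECT {HOST}:1935 HTTP/1.0",
    f"CONNECT {HOST}:443 HTTP/1.0",
    f"CONNECT {HOST}:80 HTTP/1.0",
    f"POST http://{HOST}:1935/fcs/ident2 HTTP/1.1",
    f"POST http://{HOST}:443/fcs/ident2 HTTP/1.1",
]

def evaluate(samples=SAMPLES, user_agent=FLASH_UA):
    return [(line, verdict(line, user_agent)) for line in samples]

if __name__ == "__main__":
    for line, result in evaluate():
        print(f"{result:10}  {line}")
```
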