Users get connection errors when launching a Java applet from websites with specific applications


Article ID: 167074


Products

ProxySG Software - SGOS

Issue/Introduction

Users get connection errors when launching a Java applet from websites with specific applications. This happens with HTTPS traffic in explicit proxy deployments.

If you run a packet capture on the ProxySG appliance, you observe that, after the user logs in, part of the application opens a connection to the destination as it loads, as in the following example (where the destination IP address is 199.242.6.7):
 
Proxy IP: 10.9.59.221

No.     Time        Source                Destination           Protocol  Length  Info
1786    23.403496   10.9.59.221           199.242.6.7           TCP       62      xyz > https [SYN] Seq=3008869579 Win=65535 Len=0 MSS=1460 SACK_PERM=1
1787    23.403659   199.242.6.7           10.9.59.221           TCP       62      https > xyz [SYN, ACK] Seq=3537169394 Ack=3008869580 Win=65535 Len=0 MSS=1460 SACK_PERM=1
1788    23.403793   10.9.59.221           199.242.6.7           TCP       60      xyz > https [ACK] Seq=3008869580 Ack=3537169395 Win=65535 Len=0
1793    23.405431   10.9.59.221           199.242.6.7           SSL       134     Continuation Data

Frame 1793: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits)
Internet Protocol Version 4, Src: 10.9.59.221 (10.9.59.221), Dst: 199.242.6.7 (199.242.6.7)
Transmission Control Protocol, Src Port: XYZ (2269), Dst Port: https (443), Seq: 3008869580, Ack: 3537169395, Len: 80
Secure Sockets Layer

0000  b4 14 89 60 05 c0 00 18 8b e6 d6 10 08 00 45 00   ...`..........E.
0010  00 78 26 d4 40 00 80 06 bf cc 0a 09 3b dd c7 f2   .x&.@.......;...
0020  06 07 08 dd 01 bb b3 57 b4 cc d2 d4 eb f3 50 18   .......W......P.
0030  ff ff 05 d7 00 00 43 4f 4e 4e 45 43 54 20 6b 65   ......CONNECT ke
0040  79 6d 61 73 74 65 72 2e 62 65 6e 2e 62 6c 61 63   ymaster.ben.blac
0050  6b 72 6f 63 6b 2e 63 6f 6d 3a 35 30 30 30 20 48   krock.com:5000 H
0060  54 54 50 2f 31 2e 30 0d 0a 55 73 65 72 2d 41 67   TTP/1.0..User-Ag
0070  65 6e 74 3a 20 4a 61 76 61 2f 31 2e 37 2e 30 5f   ent: Java/1.7.0_
0080  35 35 0d 0a 0d 0a                                 55....

No.     Time        Source                Destination           Protocol  Length  Info
1794    23.405788   199.242.6.7           10.9.59.221           TCP       60      https > XYZ [RST, ACK] Seq=3537169395 Ack=3008869660 Win=65535 Len=0

 
The previous example shows that the application opens a connection to port 443 (which the capture decodes as SSL) but then sends a plaintext HTTP CONNECT request over it instead of a TLS handshake. When the proxy's port 443 service uses the SSL proxy, the proxy resets the connection because a CONNECT request is a violation of the SSL protocol. If you change the port 443 service from SSL proxy to TCP-Tunnel, the application loads correctly.
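As an added example (not part of the original article), the following Python script parses the hex dump of frame 1793 shown above and makes the same distinction the SSL proxy service makes: it extracts the TCP payload and reports whether the first bytes on the port 443 connection are a TLS record or a plaintext HTTP request, and, for a CONNECT request, which host:port it names. The function names are this example's own.

```python
import re
import struct

# Hex dump of frame 1793 from the capture above (offset and byte columns only).
HEX_DUMP = """
0000  b4 14 89 60 05 c0 00 18 8b e6 d6 10 08 00 45 00
0010  00 78 26 d4 40 00 80 06 bf cc 0a 09 3b dd c7 f2
0020  06 07 08 dd 01 bb b3 57 b4 cc d2 d4 eb f3 50 18
0030  ff ff 05 d7 00 00 43 4f 4e 4e 45 43 54 20 6b 65
0040  79 6d 61 73 74 65 72 2e 62 65 6e 2e 62 6c 61 63
0050  6b 72 6f 63 6b 2e 63 6f 6d 3a 35 30 30 30 20 48
0060  54 54 50 2f 31 2e 30 0d 0a 55 73 65 72 2d 41 67
0070  65 6e 74 3a 20 4a 61 76 61 2f 31 2e 37 2e 30 5f
0080  35 35 0d 0a 0d 0a
"""

HTTP_METHODS = (b"CONNECT ", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

def frame_from_hexdump(dump):
    """Convert the offset/hex columns of a Wireshark dump into raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(tok, 16) for tok in line.split()[1:17])  # skip the offset
    return bytes(out)

def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame."""
    ip = frame[14:]                    # skip the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4          # TCP header length in bytes
    return sport, dport, tcp[doff:]

def classify(payload):
    """'tls' for a TLS record header, 'http' for a plaintext request line, else 'unknown'."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                   # handshake record, protocol version 3.x
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def connect_target(payload):
    """Return the host:port named in an HTTP CONNECT request line, or None."""
    m = re.match(rb"CONNECT (\S+) HTTP/1\.[01]\r\n", payload)
    return m.group(1).decode() if m else None

if __name__ == "__main__":
    sport, dport, data = tcp_payload(frame_from_hexdump(HEX_DUMP))
    print(f"{sport} -> {dport}: {classify(data)} {connect_target(data)}")
```

Run against the frame above it reports `2269 -> 443: http keymaster.ben.blackrock.com:5000`, which is exactly the plaintext request the SSL proxy service rejects.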

Resolution

Create a TCP tunnel service for the destination IP address.

  1. Log in to the appliance's command line interface.
  2. Create the following service:

     #(config proxy-services)create tcp-tunnel "ABC-TCP-Tunnel"
     #(config proxy-services)edit "ABC-TCP-Tunnel" ;mode
     #(config ABC-TCP-Tunnel)add all 199.242.6.7/32 443 intercept
     #(config ABC-TCP-Tunnel)exit

With this service in place and the port 443 service still set to SSL proxy, the application loads correctly, because connections to 199.242.6.7 on port 443 are now handled by the TCP tunnel instead of the SSL proxy.

Note: If the destination IP address changes, you will need to update the service accordingly. The long-term fix is for the application owner to correct the application so that it no longer sends a plaintext CONNECT request on port 443.