Users get connection errors when launching a Java applet from websites that use specific applications. This occurs with HTTPS traffic in explicit proxy deployments.
If you run a packet capture on the ProxySG appliance, you observe that, after the user logs in, part of the application loads and opens a connection to the destination, as in the following example (where the destination IP address is 199.242.6.7):
Proxy IP: 10.9.59.221
No. Time Source Destination Protocol Length Info
1786 23.403496 10.9.59.221 199.242.6.7 TCP 62 xyz > https [SYN] Seq=3008869579 Win=65535 Len=0 MSS=1460 SACK_PERM=1
1787 23.403659 199.242.6.7 10.9.59.221 TCP 62 https > xyz [SYN, ACK] Seq=3537169394 Ack=3008869580 Win=65535 Len=0 MSS=1460 SACK_PERM=1
1788 23.403793 10.9.59.221 199.242.6.7 TCP 60 xyz > https [ACK] Seq=3008869580 Ack=3537169395 Win=65535 Len=0
1793 23.405431 10.9.59.221 199.242.6.7 SSL 134 Continuation Data
Frame 1793: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits)
Internet Protocol Version 4, Src: 10.9.59.221 (10.9.59.221), Dst: 199.242.6.7 (199.242.6.7)
Transmission Control Protocol, Src Port: XYZ (2269), Dst Port: https (443), Seq: 3008869580, Ack: 3537169395, Len: 80
Secure Sockets Layer
0000 b4 14 89 60 05 c0 00 18 8b e6 d6 10 08 00 45 00 ...`..........E.
0010 00 78 26 d4 40 00 80 06 bf cc 0a 09 3b dd c7 f2 .x&.@.......;...
0020 06 07 08 dd 01 bb b3 57 b4 cc d2 d4 eb f3 50 18 .......W......P.
0030 ff ff 05 d7 00 00 43 4f 4e 4e 45 43 54 20 6b 65 ......CONNECT ke
0040 79 6d 61 73 74 65 72 2e 62 65 6e 2e 62 6c 61 63 ymaster.ben.blac
0050 6b 72 6f 63 6b 2e 63 6f 6d 3a 35 30 30 30 20 48 krock.com:5000 H
0060 54 54 50 2f 31 2e 30 0d 0a 55 73 65 72 2d 41 67 TTP/1.0..User-Ag
0070 65 6e 74 3a 20 4a 61 76 61 2f 31 2e 37 2e 30 5f ent: Java/1.7.0_
0080 35 35 0d 0a 0d 0a 55....
No. Time Source Destination Protocol Length Info
1794 23.405788 199.242.6.7 10.9.59.221 TCP 60 https > XYZ [RST, ACK] Seq=3537169395 Ack=3008869660 Win=65535 Len=0
The previous example shows that the application opens a connection to port 443 on the destination but then sends a plaintext HTTP CONNECT request on it (visible in the hex dump: "CONNECT keymaster.ben.blackrock.com:5000 HTTP/1.0") instead of an SSL handshake. When the proxy's port 443 service uses the SSL proxy, it resets the connection (the RST, ACK in frame 1794) because the CONNECT request is an SSL protocol violation. If you change the service for this destination from SSL to TCP-Tunnel, the application loads correctly.
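To confirm what the client actually sent on the port-443 connection, the following added Python script (not from this article or from the ProxySG product) decodes frame 1793 from the hex dump above and classifies the first client bytes as either a TLS ClientHello or a plaintext CONNECT request; the frame bytes and the hostname are transcribed from the dump, and the TLS record check is a generic one, not specific to ProxySG.

```python
import re

# Frame 1793 from the article's hex dump (ASCII column omitted), 134 bytes; the
# last line ends with the CRLF CRLF that terminates the CONNECT request.
HEX_DUMP = """\
0000 b4 14 89 60 05 c0 00 18 8b e6 d6 10 08 00 45 00
0010 00 78 26 d4 40 00 80 06 bf cc 0a 09 3b dd c7 f2
0020 06 07 08 dd 01 bb b3 57 b4 cc d2 d4 eb f3 50 18
0030 ff ff 05 d7 00 00 43 4f 4e 4e 45 43 54 20 6b 65
0040 79 6d 61 73 74 65 72 2e 62 65 6e 2e 62 6c 61 63
0050 6b 72 6f 63 6b 2e 63 6f 6d 3a 35 30 30 30 20 48
0060 54 54 50 2f 31 2e 30 0d 0a 55 73 65 72 2d 41 67
0070 65 6e 74 3a 20 4a 61 76 61 2f 31 2e 37 2e 30 5f
0080 35 35 0d 0a 0d 0a
"""
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+(\S+)[ \t]+HTTP/1\.[01]\r\n")

def frame_bytes(dump):
    """Convert 'offset b1 b2 ... b16' hex-dump lines into raw frame bytes."""
    out = bytearray()
    for parts in (line.split() for line in dump.splitlines() if line.strip()):
        out.extend(int(b, 16) for b in parts[1:17])
    return bytes(out)

def tcp_payload(frame):
    """Strip Ethernet II, IPv4 and TCP headers; return (src, dst, dport, payload)."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        raise ValueError("expected an IPv4/TCP frame")
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:]          # IHL gives the IPv4 header length
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    dport = int.from_bytes(tcp[2:4], "big")
    return src, dst, dport, tcp[(tcp[12] >> 4) * 4:]   # data offset skips TCP options

def classify(payload):
    """Identify what the client sent first on the port-443 connection: a TLS handshake
    record (type 0x16, version 0x03xx, ClientHello 0x01) or a plaintext CONNECT."""
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello", None
    m = CONNECT_RE.match(payload)
    if m:  # this is the case the SSL proxy service resets as a protocol violation
        return "plaintext-connect", m.group(1).decode("ascii")
    return "unknown", None

def analyze(dump):
    src, dst, dport, payload = tcp_payload(frame_bytes(dump))
    kind, target = classify(payload)
    return {"src": src, "dst": dst, "dport": dport, "kind": kind, "connect_target": target}
```

A destination reported as "plaintext-connect" is one that needs the TCP-tunnel service described below rather than the SSL service.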
Workaround: create a TCP-tunnel proxy service that intercepts port 443 for the destination IP address:
#(config proxy-services)create tcp-tunnel "ABC-TCP-Tunnel"
#(config proxy-services)edit "ABC-TCP-Tunnel" ;mode
#(config ABC-TCP-Tunnel)add all 199.242.6.7/32 443 intercept
#(config ABC-TCP-Tunnel)exit
Note: If the destination IP address changes, you may have to update the service. The long-term fix is for the application owner to correct their application.