In some cases, when a user accesses a Web server (OCS) using SSL via the proxy, the user is logged out of the server almost immediately after logging in. The message on screen reads "You have logged out from your session, log in again to continue."
The ability to access non-secure content (or HTTP access) is not hindered.
There are a couple of reasons that cause HTTPS access to fail:
1. The proxy has multiple (more than 1) default gateways (GWs).
2. The proxy has multiple (more than 1) default gateways (GWs). All the GWs are in the same group and have the same weight to allow for failover and load balancing. In such a case the proxy load-balances using the round-robin method, and a request may go through any GW, so the source IP address of the request varies. While this behavior is acceptable for an HTTP request, for an HTTPS request the connection fails. This happens because the OCS tracks the SSL session together with the source IP of the request. If the SSL session switches between multiple IP addresses, the OCS closes the connection or logs the user out to prevent a security breach.
This issue might occur on ProxySG appliances running SGOS version 5.x. To resolve this issue, you must upgrade to version SGOS 6.x (6.1 or above), which includes the new tcp_ip load balance feature.
Use the following CLI command on the ProxySG. This command instructs the routing algorithm to use the source IP, destination IP, or both as a hash value on the outbound route.
#(config) tcp-ip routing-algorithm hashing [both | destination-address | source-address]
The default setting for the tcp-ip routing-algorithm option is weighted-round-robin, which is appropriate for all deployments (except where noted as in the examples above):
#(config) tcp-ip routing-algorithm weighted-round-robin
For details on the TCP IP Load Balance feature refer to the online manual at: https://bto.bluecoat.com/doc/14782
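The behaviour described above can be reproduced with a small model, added here as an illustration and not taken from Blue Coat code. It compares equal-weight round-robin gateway selection with hash-based selection against an OCS that binds a session to the first source IP it sees. The gateway names, the IP addresses, the SHA-256 hash and the one-source-IP-per-gateway mapping are assumptions; the hash SGOS actually uses is not documented on this page.

```python
import hashlib
from itertools import cycle

# Constructed sample values (documentation address ranges), not from the article.
# Assumption: each gateway path makes the OCS see a different source IP.
GATEWAYS = {"gw-a": "198.51.100.10", "gw-b": "203.0.113.10"}
CLIENT, OCS = "10.1.1.25", "192.0.2.80"


def round_robin_picker(gateways):
    """Equal-weight round robin: each new connection takes the next gateway."""
    ring = cycle(sorted(gateways))
    return lambda src, dst: next(ring)


def hashing_picker(gateways, mode="both"):
    """Pick a gateway from a hash of source IP, destination IP, or both.
    SHA-256 is a stand-in, not the hash the appliance uses."""
    names = sorted(gateways)

    def pick(src, dst):
        key = {"source-address": src, "destination-address": dst,
               "both": src + "|" + dst}[mode]
        digest = hashlib.sha256(key.encode()).digest()
        return names[int.from_bytes(digest[:4], "big") % len(names)]
    return pick


def ocs_session_survives(picker, connections=6):
    """Model the OCS: bind the session to the first source IP seen and
    end it as soon as a later connection arrives from a different one."""
    bound_ip = None
    for _ in range(connections):
        seen_ip = GATEWAYS[picker(CLIENT, OCS)]
        if bound_ip is None:
            bound_ip = seen_ip
        elif seen_ip != bound_ip:
            return False  # source IP changed mid-session: user is logged out
    return True


if __name__ == "__main__":
    print("round robin:", ocs_session_survives(round_robin_picker(GATEWAYS)))
    for mode in ("both", "destination-address", "source-address"):
        print("hashing", mode + ":", ocs_session_survives(hashing_picker(GATEWAYS, mode)))
```

With hashing, every connection for the same client and OCS pair maps to the same gateway, so the source IP the OCS has bound to the session never changes.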