Why, in some cases, does a ProxySG send back a (2xx) response to a "CONNECT" request without opening a socket to the OCS first?


Article ID: 167576




ProxySG Software - SGOS


This behavior can appear to contradict RFC 2817, which stipulates that when a proxy returns a (2xx) response to a CONNECT request, the proxy has established a connection to the origin server. In packet captures, we sometimes see the proxy return a (2xx) response and then reset the client connection, without ever attempting to connect to the OCS.

It is also possible for the client to receive a (2xx) from the proxy even when the origin server is not available.


This behavior depends on whether the protocol detection feature is enabled.

When protocol detection is disabled, the proxy does not examine the connection and simply relays the traffic to the origin server. In this case, a simple tunnel is established and the ProxySG will not send a (2xx) response back to the client without first checking with the origin server.

When protocol detection is enabled, the ProxySG needs to examine what the client sends before it opens a connection to the origin server, which in turn means the proxy needs to return a (2xx) to the client so that the client starts sending its first request. In this case, the ProxySG is partly acting as an origin server, and RFC 2817 mentions that an origin server can return a (2xx) response when a connection is established.
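
When reviewing a capture, the two modes can be told apart by the order of the proxy's (2xx) and its first SYN toward the OCS. The following is an added example, not Symantec code: the `Event` record format, the event kind names and the verdict labels are assumptions made for illustration, and the sample events are constructed.

```python
from collections import namedtuple

# Summarized capture record (constructed format, not a ProxySG export).
# Assumption: upstream SYNs are already correlated to the client connection.
Event = namedtuple("Event", "ts conn kind detail")

def classify_connects(events):
    """Map each client connection that sent a CONNECT to a verdict string."""
    state = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "connect_req":
            state[ev.conn] = {"target": ev.detail, "code": None,
                              "reply_ts": None, "syn_ts": None, "rst": False}
            continue
        s = state.get(ev.conn)
        if s is None:
            continue  # traffic on a connection where no CONNECT was seen
        if ev.kind == "proxy_reply" and s["code"] is None:
            s["code"], s["reply_ts"] = int(ev.detail), ev.ts
        elif (ev.kind == "upstream_syn" and ev.detail == s["target"]
              and s["syn_ts"] is None):
            s["syn_ts"] = ev.ts
        elif ev.kind == "proxy_rst":
            s["rst"] = True
    return {conn: _verdict(s) for conn, s in state.items()}

def _verdict(s):
    if s["code"] is None:
        return "no-reply"
    if not 200 <= s["code"] < 300:
        return "rejected"
    if s["syn_ts"] is None:
        return "2xx-reset-no-upstream" if s["rst"] else "2xx-no-upstream"
    if s["syn_ts"] < s["reply_ts"]:
        return "upstream-before-2xx"   # plain tunnel: detection disabled
    return "2xx-before-upstream"       # proxy answered first: detection enabled

# Constructed sample: three CONNECTs through the same proxy.
SAMPLE = [
    Event(0.00, "c1", "connect_req", "a.example:443"),
    Event(0.01, "c1", "upstream_syn", "a.example:443"),
    Event(0.05, "c1", "proxy_reply", "200"),
    Event(1.00, "c2", "connect_req", "b.example:443"),
    Event(1.01, "c2", "proxy_reply", "200"),
    Event(1.03, "c2", "upstream_syn", "b.example:443"),
    Event(2.00, "c3", "connect_req", "c.example:443"),
    Event(2.01, "c3", "proxy_reply", "200"),
    Event(2.02, "c3", "proxy_rst", ""),
]
```

Connections classified as `2xx-before-upstream` or `2xx-reset-no-upstream` show that a (2xx) from the proxy is not evidence that the origin server was reachable.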