Forwarding to an internal HTTPS site is not working

book

Article ID: 167579

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

  • Customer wants to forward all requests coming to a domain to an internal HTTPS web server, but is not working.
  • Policy trace shows as allowed, but the browser shows “Page Cannot be Displayed.”
    • Example: Forward all communications to internalsite.local to an internal HTTTPS server 10.10.10.10
  • Forwarding layer policy not working

Resolution

This issue happens when you don't have a valid SSL License. Without an SSL License, the ProxySG appliance will try to tunnel the traffic, but will fail to pass the connection. A sample transaction is given below, where no SSL License is available on the ProxySG.

start transaction -------------------


  CPL Evaluation Trace: transaction ID=617330057
           <Proxy>
    MATCH:     ALLOW url.domain="123.testdomain.com"
           <Forward>
    MATCH:     server_url.domain=//123.testdomain.com/ forward("123_testdomain") forward.fail_open(no)
           <Proxy>
    MATCH:     client.address=10.1.1.1 trace.request(yes) trace.rules(all) trace.destination(AccessTest.html)

  connection: service.name=Explicit HTTP client.address=10.1.1.1 proxy.port=8080
  time: 2013-09-20 07:00:00 UTC
  CONNECT tcp://123.testdomain.com:443/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  user: unauthenticated
    url.category: [email protected] Coat
  application.name: none
  application.operation: none
  DSCP client outbound: 65
  DSCP server outbound: 65


stop transaction --------------------

   

The example policy trace shows that the forwarding rule gets hit, but it will not work without an SSL License.

Note: This only needs the presence of a valid SSL License. SSL interception is not a must.

Reference How to setup a forwarding rule ProxySG or ASG