The Notify User action object does not modify the Allow or Deny states; therefore, it requires that the request hit an allow rule before the user is served with the notify user page.
When you add a Notify User rule, it comes with a notifiable condition, and the rule only works if the request matches the conditions below. One of them is http.response.code = 200 (i.e. the flow must be 'Allowed' for 'notify_user' to work). Also review the other conditions, as they may have an impact too.
From the Policy Trace, you may see this:
Called policy definition: NotifyUser1
<Proxy> [vpm-cpl:45655]
miss: condition=__NotifyUser1_should_notify
And from sysinfo:
define condition __NotifyUser1_should_notify
condition=__is_notifiable \
condition=!__is_notify_internal \
request.header.Cookie=!'notified-NotifyUser1=1'
end
define condition __is_notifiable
url.scheme=(http,https) \
http.method=GET \
request.header.User-Agent = '^(Mozilla|Opera)' \
request.header.Range = !'' \
request.header.If-Range = !'' \
http.response.code = 200 \
response.header.Content-Type='text/html'
end
Be aware of the conditions above and make sure the flow matches them. If you have a Default Deny policy, add an 'ALLOW' rule for the flow in a Web Access Layer, e.g. WebAccessLayer(1); you can then add the Notify User rule in the next Web Access Layer, e.g. WebAccessLayer(2).
Note: For the condition 'http.method=GET \' to match, the flow must be SSL intercepted/decrypted; otherwise the GET request will not be visible to the Edge SWG (ProxySG).
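To work out which test caused a "miss: condition=__NotifyUser1_should_notify" line in the trace, the sketch below re-evaluates the conditions listed above against a description of one transaction. It is an added example, not Edge SWG code: the transaction dictionary and its key names are hypothetical, the =!'' tests are read as "header not present", regex matching is taken as written, and __is_notify_internal is left out because its definition is not shown on this page.

```python
import re

COOKIE_MARK = "notified-NotifyUser1=1"  # cookie named in __NotifyUser1_should_notify

def notify_misses(txn):
    """Return the tests from the conditions above that this transaction misses.

    txn is a hypothetical model of one proxy transaction with the keys scheme,
    method, ssl_intercepted, request_headers, response_code and
    response_content_type. __is_notify_internal is not modelled.
    """
    req = txn.get("request_headers", {})
    # On an HTTPS flow that is not decrypted, the proxy never sees the GET.
    method_visible = txn["scheme"] != "https" or txn.get("ssl_intercepted", False)
    tests = [
        ("url.scheme=(http,https)", txn["scheme"] in ("http", "https")),
        ("http.method=GET", method_visible and txn["method"] == "GET"),
        ("request.header.User-Agent='^(Mozilla|Opera)'",
         re.search(r"^(Mozilla|Opera)", req.get("User-Agent", "")) is not None),
        # Assumption: =!'' means the header is absent from the request.
        ("request.header.Range=!''", "Range" not in req),
        ("request.header.If-Range=!''", "If-Range" not in req),
        ("http.response.code=200", txn.get("response_code") == 200),
        ("response.header.Content-Type='text/html'",
         "text/html" in (txn.get("response_content_type") or "")),
        ("request.header.Cookie=!'notified-NotifyUser1=1'",
         COOKIE_MARK not in req.get("Cookie", "")),
    ]
    return [name for name, ok in tests if not ok]

# Constructed sample transactions (not taken from a real trace).
BROWSER = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
ALLOWED_PAGE = {"scheme": "http", "method": "GET", "request_headers": BROWSER,
                "response_code": 200,
                "response_content_type": "text/html; charset=utf-8"}
DENIED_PAGE = dict(ALLOWED_PAGE, response_code=403)  # e.g. Default Deny, no ALLOW rule
TUNNELED_HTTPS = dict(ALLOWED_PAGE, scheme="https", ssl_intercepted=False)
ALREADY_NOTIFIED = dict(
    ALLOWED_PAGE, request_headers=dict(BROWSER, Cookie="a=b; notified-NotifyUser1=1"))

if __name__ == "__main__":
    for label, txn in [("allowed", ALLOWED_PAGE), ("denied", DENIED_PAGE),
                       ("https, not intercepted", TUNNELED_HTTPS),
                       ("already notified", ALREADY_NOTIFIED)]:
        print(label, "->", notify_misses(txn) or "all listed tests match")
```

An empty result means every listed test matched; any returned name is a test to check in the policy trace for that flow.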