Reflect_ip() policy is not working for intercepted HTTPS traffic based on Authenticated User


Article ID: 167717

Products

ProxySG Software - SGOS

Issue/Introduction

Following on from KB3574.

Reflect IP rules that use Authenticated User source objects do not work for intercepted HTTPS traffic, even when the rule is placed in a Forwarding layer.
 
For example, the policy below:
 
<Proxy>
authenticate(test)  authenticate.force(yes) authenticate.mode(auto) ; Rule 1
;; Tab: [Forwarding Layer (1)]
<Forward>
condition=__USER11 reflect_ip("xx.xx.xx.xx") ; Rule 1
;; Tab: [SSL Access Layer (1)]
<SSL>
server.certificate.validate(yes) server.certificate.validate.check_revocation(auto) ; Rule 1
;; Tab: [Web Access Layer (1)]
<Proxy>
authenticated=yes Allow ; Rule 1
;; Tab: [SSL Intercept Layer (1)]
<SSL-Intercept>
ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(appliance-key)
 
 
define condition __USER11
realm=test user="REALM\UserX"
end condition __USER11

Resolution

The problem is the stage at which the Forwarding layer is evaluated during interception of the SSL traffic.

A policy trace shows that the Forwarding layer is evaluated at the TCP and HTTPS stages of interception, but not at the SSL stage. This is the key point: at the SSL stage only the SSL Intercept layer is evaluated, so the reflect_ip() rule is never matched when the upstream connection for the intercepted session is made.

In SGOS 6.3.x the policy evaluation at this stage has been changed to include the Forwarding layer, so the reflect IP rule is matched at the right time to initiate the upstream TCP connection with the IP address referenced in policy. The trace below shows the Forwarding layer evaluated in the same transaction as the SSL Intercept layer:
 
 
start transaction -------------------
 
  CPL Evaluation Trace: transaction ID=403
            <Forward>
     MATCH:     condition=__USER11 reflect_ip(xx.xx.xx.xx)
            <ssl-intercept>
     MATCH:     ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default)
   connection: service.name=Explicit HTTP client.address=10.91.1.21 proxy.port=8080
   time: 2012-01-11 09:24:56 UTC
   unknown ssl://www.verisign.com:443/
   user: name="REALM\userX" realm=test
   application.name: unavailable
   application.operation: unavailable
   DSCP client outbound: 65
   DSCP server outbound: 65
 
stop transaction --------------------
 
It is possible that this behavior will be included in a future release of SGOS 6.2.x.
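To verify this behavior in your own policy traces, here is an added Python example (not code from the article or from the ProxySG product): it parses the trace format shown above into per-transaction layer matches and reports, for each ssl:// transaction that evaluated the SSL Intercept layer, whether a reflect_ip() match in the Forwarding layer was evaluated alongside it. The trace for the broken case is a constructed, hypothetical sample; the fixed case is the trace quoted in the article.

```python
import re

# Constructed sample: the trace quoted in the article (SGOS 6.3.x behaviour), where
# <Forward> is evaluated in the same ssl:// transaction as <ssl-intercept>.
TRACE_FIXED = """\
  CPL Evaluation Trace: transaction ID=403
            <Forward>
     MATCH:     condition=__USER11 reflect_ip(xx.xx.xx.xx)
            <ssl-intercept>
     MATCH:     ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default)
   unknown ssl://www.verisign.com:443/
   user: name="REALM\\userX" realm=test
"""

# Constructed, hypothetical sample of the symptom: no <Forward> evaluation at the SSL stage.
TRACE_BROKEN = """\
  CPL Evaluation Trace: transaction ID=403
            <ssl-intercept>
     MATCH:     ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default)
   unknown ssl://www.verisign.com:443/
"""

def parse_trace(text):
    """Split a CPL policy trace into transactions: id, request URL, MATCH lines per <layer>."""
    txns, cur, layer = [], None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"CPL Evaluation Trace: transaction ID=(\d+)", s)
        if m:
            cur = {"id": int(m.group(1)), "url": None, "layers": {}}
            txns.append(cur)
            layer = None
        elif cur is None:
            continue
        elif s.startswith("<") and s.endswith(">"):
            layer = s[1:-1].lower()          # normalise: traces show <Forward>, <ssl-intercept>
            cur["layers"].setdefault(layer, [])
        elif s.startswith("MATCH:") and layer:
            cur["layers"][layer].append(s[6:].strip())
        elif "://" in s and cur["url"] is None:
            cur["url"] = s.split()[-1]       # e.g. "unknown ssl://host:443/"
    return txns

def reflect_ip_at_ssl_stage(text):
    """Per ssl:// transaction that evaluated <ssl-intercept>: was a reflect_ip() rule matched in <Forward>?"""
    out = {}
    for t in parse_trace(text):
        if (t["url"] or "").startswith("ssl://") and "ssl-intercept" in t["layers"]:
            out[t["id"]] = any("reflect_ip(" in m for m in t["layers"].get("forward", []))
    return out
```

A result of False for a transaction means the upstream connection for that intercepted session was opened without the reflected source IP, which is the symptom described above.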