"Tunnel on Protocol Error" Feature usage in the ProxySG

Article ID: 168234

Products

ProxySG Software - SGOS

Issue/Introduction

In many networks, business-critical applications send traffic over port 80 because it is used as a generic route through the firewall. However, the ProxySG appliance HTTP proxy engine encounters problems when it receives non-HTTP requests from clients or browsers. The client receives an exception page and the connection closes.
The following deployment conditions create this situation:

  • The client request from an application or browser is not HTTP.
  • The request is HTTP, but it also contains components that are not HTTP.
  • The request contains an unexpected formatting error in a line or header.

Resolution

The ProxySG appliance provides an option that enables the HTTP proxy to tunnel the connection when it receives non-HTTP traffic or a broken HTTP request. The transactions remain labeled as HTTP; therefore, the access logs and the Traffic Mix and Active Sessions statistics display TCP TUNNELED to indicate that a connection passed through the HTTP proxy engine as a tunnel.
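Because a tunneled connection is passed through rather than parsed as HTTP, it is worth knowing which clients and destinations rely on this behaviour. The script below is an added example (not from this article or from SGOS) that summarises tunneled sessions from an access log. It assumes the log is in the W3C/ELFF layout with a `#Fields:` header naming the columns, and that the proxy's disposition appears in the `s-action` field as `TCP_TUNNELED` (the underscore form of the value the article calls TCP TUNNELED). The log lines embedded in it are constructed for illustration; the column set and the `203.0.113.x` / `198.51.100.x` hosts are not taken from any real deployment.

```python
"""Summarise TCP_TUNNELED sessions in a ProxySG-style ELFF access log.

Added example, not code from the KB article. Assumptions: the log carries a
'#Fields:' header naming each column, and the proxy's disposition is in the
's-action' field as TCP_TUNNELED when Tunnel on Protocol Error handled the
connection. SAMPLE_LOG is constructed data.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: SGOS
#Version: 1.0
#Fields: date time c-ip s-action cs-method cs-uri-scheme cs-host cs-uri-port sc-bytes cs-bytes
2024-01-15 09:00:01 10.1.1.20 TCP_HIT GET http www.example.com 80 5120 410
2024-01-15 09:00:02 10.1.1.21 TCP_TUNNELED - tcp 203.0.113.7 443 88000 3400
2024-01-15 09:00:03 10.1.1.21 TCP_TUNNELED - tcp 203.0.113.7 443 9000 1200
2024-01-15 09:00:04 10.1.1.22 TCP_NC_MISS GET http api.example.net 80 2048 300
2024-01-15 09:00:05 10.1.1.23 TCP_TUNNELED - tcp 198.51.100.9 80 777 120
2024-01-15 09:00:06 10.1.1.21 TCP_DENIED GET http blocked.example.org 80 0 250
"""


def parse_elff(text):
    """Yield one dict per data record, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date, ...)
        if fields is None:
            raise ValueError("data record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        yield dict(zip(fields, values))


def tunneled_summary(text):
    """Return (total, by_client, by_destination) for TCP_TUNNELED records.

    by_client counts tunneled sessions per source IP; by_destination counts
    them per (cs-host, cs-uri-port), which shows where the non-HTTP traffic
    on the HTTP port is actually going.
    """
    by_client = Counter()
    by_dest = Counter()
    total = 0
    for rec in parse_elff(text):
        if rec.get("s-action") != "TCP_TUNNELED":
            continue
        total += 1
        by_client[rec["c-ip"]] += 1
        by_dest[(rec["cs-host"], rec["cs-uri-port"])] += 1
    return total, by_client, by_dest


if __name__ == "__main__":
    total, clients, dests = tunneled_summary(SAMPLE_LOG)
    print(f"tunneled sessions: {total}")
    for ip, n in clients.most_common():
        print(f"  client {ip}: {n}")
    for (host, port), n in dests.most_common():
        print(f"  destination {host}:{port}: {n}")
```

Reading the column names from the `#Fields:` header instead of hard-coding positions means the same script works on a log whose format has been customised, as long as `s-action`, `c-ip`, `cs-host` and `cs-uri-port` are present. Run it against a real log by replacing `SAMPLE_LOG` with the file contents.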

For the SSL proxy engine, the Tunnel on Protocol Error option applies when non-SSL traffic arrives at the SSL port (443 by default). A common cause is a peer-to-peer application (Skype, BitTorrent, Gnutella, older AOL-IM) configured to use port 443 for peer-to-peer traffic without SSL as the transport protocol. A ProxySG appliance transparently intercepting all port 443 traffic cannot process these connections, rendering the application unusable.

This setting is global only; configure it in the Management Console at the following location:

Configuration > Proxy Settings > General > Tunnel on Protocol Error