Denied access to the requested port with Web Security Service

book

Article ID: 168892

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Attempt to access to any non-standard ports in an HTTP or HTTPS URL getting error "Denied access to the requested port".

Example:

  • http://192.168.44.132:9000/
  • https://192.168.183.19:7001/newtax/static/main.jsp

The browser displays the following block page:

Access Denied
System has denied access to the requested port.
Tech support information: policy_denied more
For assistance, contact your network support team.

...

Cause

The Web Security Service (WSS) currently supports only the destination protocols HTTP and HTTPS and ports 80 and 443 respectively. Custom destination ports and protocols are not currently supported.

Environment

Web Security Service

Resolution

Refer to this article about the All Ports License for Firewall/VPN Access Method

About the All Ports License:
http://portal.threatpulse.com/docs/am/AccessMethods/Concepts/about_allports.htm

http://cloudwebsecurity.att.com/docs/am/AccessMethods/Concepts/about_allports.htm

http://websaas.dimensiondata.com/docs/am/AccessMethods/Concepts/about_allports.htm

NOTE: If you require this functionality, please contact your Symantec sales representative.
 

Workaround:

Bypass the cloud service and proceed directly to the Internet.
Configure the Web Security Service to bypass certain sites

The bypass steps depend on your access method.

IPSEC
For IPsec, perform a DNS lookup on the site. Next, set up a rule on the firewall router to bypass the IP address of the site. The traffic to the site does not go through the IPsec tunnel.

Unified Agent (Windows and Mac)/Explicit Proxy
Login to the web portal and go to Service > Network > Bypassed Sites > Bypass IPs/Subnets: > + Add Bypass IPs. Enter the IP address and save.

Proxy Forwarding

If using an explicit proxy and you are also use a proxy PAC/WPAD file, add the URLs to these files. You can also choose to add a rule on the on-premises ProxySG to not forward these URLs to WSS but send them direct instead. The Content Policy Language (CPL) code to achieve forwarding is:


   server_url.domain="{URL.EN_US}" socks_gateway(no) forward(no)   

If the proxy is a transparent proxy, add the address to the bypass list so it goes direct. You might need to change firewall and router rules to allow the clients to go directly to those websites.

NOTE: For custom destination ports, Bypassed Sites and Trusted Destinations are not effective.
Understand the security risk of bypassing the Web Security Service (no applied filtering or malware scanning).