ProxySG policy to perform DNS lookup of the server URL does not work for SSL traffic

Article ID: 169395

Products

ProxySG Software - SGOS

Issue/Introduction

When ProxySG policy includes a rule to perform a DNS lookup of the server URL, that rule has no effect on traffic that the SSL proxy intercepts. For example, the appliance performs the default IPv4 lookup even though the policy prefers IPv6, when the policy is configured with one of the following:
  • In the VPM, in a Web Access Layer, the Set Server URL DNS Lookup object.
  • In CPL, the server_url.dns_lookup() property within a <proxy> layer.

Cause

The appliance performs DNS lookup of the server URL on SSL traffic before it evaluates <proxy> layer policy.

Resolution

For requests over HTTPS, as well as other protocols carried over SSL that the SSL proxy handles, include the rule to perform DNS lookup of the server URL in the <forward> policy layer.

Modify existing VPM policy:
  1. In the ProxySG Management Console, select Configuration > Policy > Visual Policy Manager.
  2. Click Launch to open the VPM.
  3. In the VPM, remove the Web Access Layer rule that contains the Set Server URL DNS Lookup object.
  4. Add a Forwarding layer: select Policy > Add Forwarding Layer.
  5. Click Add Rule. Right-click the Action column and add the Set Server URL DNS Lookup object.
  6. Make any other required changes and click Install Policy.

Modify existing CPL:
  1. Locate the DNS lookup policy, such as:

     ; global setting to always perform IPv6 DNS lookup
     <proxy>
       server_url.dns_lookup(prefer-ipv6)

  2. Change the <proxy> layer to <forward>, as follows:

     ; global setting to always perform IPv6 DNS lookup
     <forward>
       server_url.dns_lookup(prefer-ipv6)

  3. Reload the policy.
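The following is an added CPL fragment, not part of the original article, that applies the same fix when the IPv6 preference should cover only a specific destination rather than all traffic; the `url.domain=` condition and the `example.com` domain are illustrative assumptions, and `prefer-ipv6` is the value used by the article.

```cpl
; Added example (constructed, not from the article).
; A scoped lookup rule in a <proxy> layer is ignored for SSL-intercepted
; traffic because the server URL lookup happens before <proxy> policy runs:
;
; <proxy>
;   url.domain=example.com server_url.dns_lookup(prefer-ipv6)
;
; Placing the same rule in a <forward> layer makes it apply to HTTPS and
; other SSL-proxied protocols as well as plain HTTP. The domain condition
; is an assumed value for illustration; all other destinations keep the
; appliance default lookup behaviour.
<forward>
  url.domain=example.com server_url.dns_lookup(prefer-ipv6)
```

After installing the policy, confirm the change by checking which address family the appliance resolves and connects to for an intercepted HTTPS request to the scoped domain.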