ProxySG policy to perform DNS lookup of the server URL does not work for SSL traffic
Article ID: 169395
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
When ProxySG policy includes a rule to perform DNS lookup of the server URL, the policy does not work when the SSL proxy intercepts SSL traffic. For example, you might notice that the appliance performs the default IPv4 lookup, even though IPv6 is preferred, when your policy is configured with one of the following:
- In the VPM, in a Web Access Layer, the Set Server URL DNS Lookup object.
- In CPL, the server_url.dns_lookup() property within a <proxy> layer.
Cause
The appliance performs DNS lookup of the server URL on SSL traffic before it evaluates <proxy> layer policy.
Resolution
For requests over HTTPS, as well as other protocols carried over SSL that the SSL proxy handles, include the rule to perform DNS lookup of the server URL in the <forward> policy layer.
Modify existing VPM policy:
1. Locate the DNS lookup policy, such as:
2. Change the <proxy> layer to <forward>, as follows:
3. Reload policy.
Modify existing VPM policy:
- In the ProxySG Management Console, select Configuration > Policy > Visual Policy Manager.
- Click Launch to open the VPM.
- In the VPM, remove the Web Access Layer rule that has the Set Server URL DNS Lookup object.
- Add a Forwarding layer. Select Policy > Add Forwarding Layer.
- Click Add Rule. Right click Action and add the Set Server URL DNS Lookup object.
- Make any other required changes and click Install Policy.
1. Locate the DNS lookup policy, such as:
; global setting to always perform IPv6 DNS lookup
<proxy>
server_url.dns_lookup(prefer-ipv6)
<proxy>
server_url.dns_lookup(prefer-ipv6)
2. Change the <proxy> layer to <forward>, as follows:
; global setting to always perform IPv6 DNS lookup
<forward>
server_url.dns_lookup(prefer-ipv6)
<forward>
server_url.dns_lookup(prefer-ipv6)
3. Reload policy.
Feedback
Yes
No
Powered by
