Error: ERR_TOO_MANY_REDIRECTS on Specific URLs When Browsing Through Fireglass Web Isolation

book

Article ID: 171825

calendar_today

Updated On:

Products

Web Isolation

Issue/Introduction

This will occur if:

  • The gateway has server mode, or SAML authentication enabled
  • The URL is a listed public suffix (https://publicsuffix.org/list/public_suffix_list.dat)

Fireglass Web Isolation (FWI)

Cause

This is happening due to how server mode authentication works. On first accessing the URL, the user is redirected to the gateway and then back to the original domain, while also setting a cookie which is used as an indicator that the user has been authenticated.

On URLs that are part of the public suffix list, the browser will block any attempt to set a cookie. When the user is redirected back to the original domain, they do not send a cookie signaling that they are authenticated, and so they are again redirected to the gateway to authenticate. This redirect loop eventually results in a browser error.

SAML will have an identical problem, with a different order of redirects.

Resolution

For any URL that is in the public suffix list, you will need to either PAC bypass, or bypass authentication for the URL, as the cookie limitation is happening at the browser level.