Deny result even with "Response.code:200" when running policy trace
search cancel

Deny result even with "Response.code:200" when running policy trace

book

Article ID: 190766

calendar_today

Updated On:

Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG

Issue/Introduction

An explicit proxy configuration with detect protocol enabled, has deny policy is matched but receives a HTTP status code of 200.

Cause

With an explicit proxy, a CONNECT request tells the proxy to connect a client to a remote destination.

With detect protocol enabled, the proxy will send a CONNECT request so it can either A - connect to the OCS and deliver the content or B - deliver the deny page over a secure channel.

If the policy uses option B, deliver the deny page over the secure channel, the proxy can tell the request is denied already, but has not been able to communicate this to the client.

To send a deny page, the proxy first needs to forge a certificate.  The proxy will reach out to the site, even if it is denied, to get details of the certificate that will be used for forging one to the client.

In the case that the proxy reaches out and the site is unresponsive for any reason, there will be no client hello, no protocol handoff, and also no receiving of an upstream certificate.  As there is no upstream certificate no deny page delivered for this request. In the policy trace no follow up unknown ssl:// request will be present from the ssl proxy and a 403 is expected.

One indicator of this behavior is the total transaction time will be the timeout setting on the proxy.

Resolution

This is expected behavior in this situation.  The normal process is interrupted when the request cannot be handled normally.  There has been no access to a denied site in this case.