network_not_allowed message accessing any URL via WSS

book

Article ID: 241798

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Users accessing WSS via IPSEC tunnel.

IPSEC tunnel is up and exchanging data.

Authentication disabled for initial testing.

Users accessing any URLs via IPSEC tunnel get a "network_not_allowed" request error as shown below:

Cause

PAC file pushed out to users, which sends traffic to the WSS data center VIP on TCP 8080 and not the trans-proxy endpoint at 199.19.250.205:80.

Resolution

Change PAC file settings pushed down to users from going to the WSS data center VIP to the trans-proxy IP address / ports defined (199.19.250.205 - 199.9.250.214 on TCP 80) 

The WSS IP address KB article outlines the Ingress IP address for IPSEC and Trans-proxy access methods to be the data center VIP, but technically trans-proxy users must point their proxy settings to be the 199.19.250.205-199.19.250.214 Ip address range only.

Additional Information

When replicating the issue, we could see the following HTTP access log entry when issue occured

2022-05-16 14:04:15 "DP3-GAEAD1_proxysg3" 268 192.168.88.131 - - network_not_allowed PROXIED "Technology/Internet" https://portal.threatpulse.com/ 0 TCP_DENIED POST - https portal.threatpulse.com 443 /djn/directprovider - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.160 Safari/537.36" 192.168.3.86 16231 1070 - - - - - - - - 498274 "STM-MC1" firewall_vpn "Symantec Web Security Service" - 35.245.151.224 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - "United States" - "Invalid" 2 - - - - - - - - - - - SSL_Intercept_1 - - - "XMLHttpRequest" 2001:0DB8:22d3:caf0:5c74:ce17:08c7:cec3 55c7b67657da469a-0000000002c38337-00000000628259df - - "Invalid" "Invalid"

When running a policy trace during replication, we could see the network_not_allowed EXCEPTION was triggered by the following guard

        <[email protected] Transproxy-misconfiguration-guard> [layer 17] [local:201]
 MATCH:         http.method=CONNECT force_exception.request(user_defined.network_not_allowed) 

This guard assumes that the explicit requests from users going through an IPSEC tunnel hits the transporxy endpoint, and not the IP address of the data center VIP itself. 

Attachments