Users access WSS via an IPSEC tunnel.
The IPSEC tunnel is up and exchanging data.
Authentication is disabled for initial testing.
Users accessing any URL via the IPSEC tunnel get a "network_not_allowed" request error, as shown below:
The PAC file pushed out to users sends traffic to the WSS data center VIP on TCP 8080 rather than to the trans-proxy endpoint at 126.96.36.199:80.
Change the PAC file settings pushed down to users so that traffic goes to the trans-proxy IP addresses and ports (188.8.131.52 - 184.108.40.206 on TCP 80) instead of the WSS data center VIP.
The WSS IP address KB article lists the ingress IP address for both the IPSEC and trans-proxy access methods as the data center VIP, but trans-proxy users must point their proxy settings at the 220.127.116.11-18.104.22.168 IP address range only.
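The following is an added example, not a PAC file from the article or from Symantec: it puts the misconfigured PAC described above (explicit proxy pointed at the data center VIP on TCP 8080) beside the corrected one (trans-proxy endpoints on TCP 80), and adds a small audit that flags any PROXY entry not pointing at a trans-proxy address on TCP 80. DC_VIP is a placeholder address; the trans-proxy addresses are the ones quoted in the resolution above. In a deployed PAC file, whichever variant is used would be named FindProxyForURL.

```javascript
// Added example (not from the article): misconfigured PAC next to the
// corrected PAC, plus an audit of the proxy string each one returns.
const DC_VIP = "203.0.113.10";                             // placeholder VIP
const TRANSPROXY_IPS = ["188.8.131.52", "184.108.40.206"]; // from the article
const TRANSPROXY_PORT = 80;

// Shim for the PAC helper so this file also runs under Node; browsers and the
// WSS agent supply the real isPlainHostName.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Misconfigured PAC: explicit proxy traffic from IPSEC users goes to the data
// center VIP on 8080, which the Transproxy-misconfiguration-guard then denies.
function findProxyBefore(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY " + DC_VIP + ":8080";
}

// Corrected PAC: the same traffic goes to the trans-proxy endpoints on TCP 80,
// listed in failover order.
function findProxyAfter(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return TRANSPROXY_IPS.map((ip) => "PROXY " + ip + ":" + TRANSPROXY_PORT).join("; ");
}

// Audit a PAC return string: every PROXY entry must be a trans-proxy IP on
// TCP 80. Returns the offending entries; an empty array means the PAC is fine.
function auditProxyString(proxyString) {
  const bad = [];
  for (const entry of proxyString.split(";")) {
    const parts = entry.trim().split(/\s+/);
    if (parts[0] !== "PROXY") continue;            // DIRECT is not a proxy hop
    const [ip, port] = (parts[1] || "").split(":");
    if (!TRANSPROXY_IPS.includes(ip) || Number(port) !== TRANSPROXY_PORT) {
      bad.push(entry.trim());
    }
  }
  return bad;
}

// Usage: audit both variants for the request seen in the access log entry.
const testUrl = "https://portal.threatpulse.com/";
const testHost = "portal.threatpulse.com";
console.log(auditProxyString(findProxyBefore(testUrl, testHost)));
// prints [ 'PROXY 203.0.113.10:8080' ]
console.log(auditProxyString(findProxyAfter(testUrl, testHost)));
// prints []
```

The audit only checks the proxy string a PAC returns; it does not verify that the trans-proxy addresses themselves are the ones the WSS IP address KB currently publishes, which should be confirmed separately before the corrected PAC is pushed.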
When replicating the issue, we could see the following HTTP access log entry when the issue occurred:
2022-05-16 14:04:15 "DP3-GAEAD1_proxysg3" 268 192.168.88.131 - - network_not_allowed PROXIED "Technology/Internet" https://portal.threatpulse.com/ 0 TCP_DENIED POST - https portal.threatpulse.com 443 /djn/directprovider - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.160 Safari/537.36" 192.168.3.86 16231 1070 - - - - - - - - 498274 "STM-MC1" firewall_vpn "Symantec Web Security Service" - 22.214.171.124 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - "United States" - "Invalid" 2 - - - - - - - - - - - SSL_Intercept_1 - - - "XMLHttpRequest" 2001:0DB8:22d3:caf0:5c74:ce17:08c7:cec3 55c7b67657da469a-0000000002c38337-00000000628259df - - "Invalid" "Invalid"
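As an added example (not part of the article), the check below tokenises access log lines of the shape quoted above, honouring double-quoted fields such as the proxy name and user agent, and returns the entries where the user-defined network_not_allowed exception fired for the firewall_vpn (IPSEC) access method. The sample lines are constructed: the first mirrors the entry quoted above, trimmed to the fields this check reads, and the other two are invented contrast cases. The client IP is taken as the first IPv4-looking field, which matches this format but is an assumption for other log layouts.

```javascript
// Added example (not from the article): find network_not_allowed denials for
// IPSEC (firewall_vpn) users in access log lines.
const SAMPLE_LOG = [
  // Constructed, modelled on the article's entry and trimmed after the access method.
  '2022-05-16 14:04:15 "DP3-GAEAD1_proxysg3" 268 192.168.88.131 - - network_not_allowed PROXIED "Technology/Internet" https://portal.threatpulse.com/ 0 TCP_DENIED POST - https portal.threatpulse.com 443 /djn/directprovider - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.160 Safari/537.36" 192.168.3.86 16231 1070 - - - - - - - - 498274 "STM-MC1" firewall_vpn "Symantec Web Security Service"',
  // Constructed: an allowed request from another IPSEC user.
  '2022-05-16 14:04:16 "DP3-GAEAD1_proxysg3" 120 192.168.88.140 - - OBSERVED PROXIED "Technology/Internet" https://example.com/ 200 TCP_NC_MISS GET - https example.com 443 / - - "Mozilla/5.0" 192.168.3.86 512 400 - - - - - - - - 498275 "STM-MC1" firewall_vpn "Symantec Web Security Service"',
  // Constructed: the same exception but with no access method recorded.
  '2022-05-16 14:04:17 "DP3-GAEAD1_proxysg3" 95 192.168.88.131 - - network_not_allowed PROXIED "Technology/Internet" http://example.org/ 0 TCP_DENIED GET - http example.org 80 / - - "Mozilla/5.0" 192.168.3.86 300 200 - - - - - - - - 498276 "STM-MC1" - "Symantec Web Security Service"',
];

// Split one line into fields, treating a double-quoted run as a single field.
function tokenize(line) {
  const fields = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    fields.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return fields;
}

// Return {clientIp, url} for each line where network_not_allowed fired for a
// firewall_vpn (IPSEC) user; these are the candidates for the PAC misconfiguration.
function findTransproxyDenials(lines) {
  const hits = [];
  for (const line of lines) {
    const f = tokenize(line);
    if (!f.includes("network_not_allowed") || !f.includes("firewall_vpn")) continue;
    hits.push({
      // Assumption: the first IPv4-looking field is the client IP (c-ip).
      clientIp: f.find((t) => /^\d{1,3}(\.\d{1,3}){3}$/.test(t)) || null,
      url: f.find((t) => /^https?:\/\//.test(t)) || null,
    });
  }
  return hits;
}

// Usage: list the affected IPSEC clients and the URLs they requested.
console.log(findTransproxyDenials(SAMPLE_LOG));
// prints [ { clientIp: '192.168.88.131', url: 'https://portal.threatpulse.com/' } ]
```

Grouping the returned client IPs is a quick way to confirm that every affected user received the same PAC file before and after the change is pushed.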
When running a policy trace during replication, we could see that the network_not_allowed EXCEPTION was triggered by the following guard:
<[email protected] Transproxy-misconfiguration-guard> [layer 17] [local:201]
MATCH: http.method=CONNECT force_exception.request(user_defined.network_not_allowed)
This guard assumes that explicit requests from users going through an IPSEC tunnel hit the trans-proxy endpoint, and not the IP address of the data center VIP itself.