search cancel

Fail to download large files through ProxySG

book

Article ID: 253680

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

User is unable to download large file via an application though downloading small file was successful. 

 

  

Cause

In this case PCAP shows that the ProxySG server side connection was receiving data from the server fine but ProxySG did not release any data back to client causing HTTP client receive client timeout (default 120 seconds) to kick in and reset the connection.

This behavior is normal when ICAP Response mode is enabled while ICAP data trickling is not enabled (not enabled by default) as ProxySG cannot serve content that are not scanned fully. 

Resolution

The solution here is to turn on ICAP data trickling for the failed site. 

<proxy>

response.icap_feedback(trickle_start|trickle_end[,trickle_delay])

 

trickle_start: Begins delivering bytes to the client after trickle_delay seconds if scanning has not completed within

that time. HTTP response headers are delivered at line speed. The response body is delivered to the client at the

reduced (trickle) rate. The last 12K bytes of the response will be held until the scanning result is known..

Trickled data may contain a threat, and although the end of the response is corrupted to render it unusable, some client

applications may still be vulnerable. Since all the data is delivered to the client at a reduced rate, this is somewhat more

secure than trickle_end, but the user will see very little intermediate progress.

 

trickle_end: Begins delivering bytes at line speed to the client after trickle_delay seconds if scanning has not

completed within that time. The last 16K bytes will be buffered by the appliance and trickling begins only when no more

data is expected from the server. The last 12K bytes of the response will be held until the scanning result is known.

Trickled data may contain a threat, and although the end of the response is corrupted to render it unusable, some client

applications may still be vulnerable. Since only the last part of the data is delivered to the client at a reduced rate, this is

somewhat less secure than trickle_start, but the user will see immediate initial progress.

Please see : https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/overview/_properties/response-icap_feedback.html

Example:

<proxy>

url.domain=abc.com response.icap_feedback(trickle_start, 1)