Proxy forwarded users always showing up as Unauthenticated User in Cloud SWG proxy logs

Article ID: 257217

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Proxy forwarding is set up from a McAfee proxy to Cloud SWG for all Box URLs.

Box gatelets are configured via CloudSOC.

When users access the Box URLs, they get an error message indicating that the user is unknown and the Cloud SWG HTTP logs show the users as Unauthenticated in the User field.

Both the "BC_Auth_User" and "X-Client-IP" headers are added by the McAfee proxy and forwarded with the Box requests; the client IP is also recorded correctly in the proxy logs.

Environment

McAfee Web Gateway 10.2.8.40163 on premise.

CloudSOC integration with Cloud SWG.

Cause

The McAfee proxy forwards the HTTP requests unencrypted to TCP 8084.

Resolution

Change the McAfee proxy to forward the traffic to TCP 8080 instead of 8084. Forwarding over 8084 can also continue, but the traffic sent upstream then needs to include the user information that was sent with the encrypted CONNECT request.

Additional Information

HTTP logs on the Cloud SWG showed two entries for the user: a valid one carrying the user information, followed by another with 'Unauthenticated User' once the request is decrypted:

2022-12-06 14:23:42 "DP4-GUSAS1_proxysg2" 11 aaaaaaaa "xxxx" "yyyyy=" - - - OBSERVED "File Storage/Sharing" - 200 TCP_ACCELERATED CONNECT - tcp xxxxxx.ent.box.com 443 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.47" 192.168.4.85 39 606 - - - - - - - - 519208 "SG Homologation" gateway_proxy "Box" "-" 74.112.186.144 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - - - - - - - - - - - - - - - - - - - 2001:0DB8:45bc:d09f:1bfb:d354:4aa6:c4e0 7071d0517bbc4b67-000000005be59dcd-00000000638f506e - - "Invalid" "Invalid" - - -

2022-12-06 14:23:42 "DP4-GUSAS1_proxysg2" 249 aaaaaaaa "Unauthenticated User" "Unauthenticated User" - - - OBSERVED "File Storage/Sharing" - 302 TCP_NC_MISS GET - https xxxxxx.ent.box.com 443 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.47" 192.168.4.85 438 694 elastica_reqmod elastica_respmod - - no - - - 519208 "SG Homologation" gateway_proxy "Box" "-" 74.112.186.144 "United States" - none - - TLSv1.3 TLS_AES_128_GCM_SHA256 128 box.com "File Storage/Sharing" TLSv1.3 TLS_AES_128_GCM_SHA256 128 - ICAP_REPLACED - ICAP_REPLACED - 74.112.186.144 - - - - unavailable - - - - - - - - - - SSL_Intercept_1 - - - - 2001:0DB8:45bc:d09f:1bfb:d354:4aa6:c4e0 7071d0517bbc4b67-000000005be59e2a-00000000638f506e 168.149.152.17 168.149.152.17 "US" "United States" - - -
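The pair of entries above is the signature to look for when troubleshooting this case: a CONNECT from a client that carries a username, followed by the decrypted request to the same host logged as "Unauthenticated User". The following script is an added example (not part of this article or of any Broadcom tooling) that runs that check over access-log lines. It assumes the field order shown in the two sample entries above (date, time, proxy name, time-taken, client IP, username, auth group, then action, category, status, cache result, method, scheme and host) and uses only those leading fields; the third, "healthy" log line is constructed for the example and shortened after the URL path.

```python
import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Field positions assumed from the article's two sample entries (0-based after
# quote-aware splitting): 0 date, 1 time, 4 client IP, 5 username, 13 status,
# 15 method, 17 scheme, 18 host. Later fields are not needed for this check.
UNAUTH = "Unauthenticated User"


@dataclass
class Entry:
    ts: datetime
    client_ip: str
    user: str
    status: str
    method: str
    scheme: str
    host: str


def parse_entry(line: str) -> Entry:
    """Split one Cloud SWG access-log line (quote-aware) and keep the fields we need."""
    f = shlex.split(line)
    return Entry(
        ts=datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
        client_ip=f[4],
        user=f[5],
        status=f[13],
        method=f[15],
        scheme=f[17],
        host=f[18],
    )


def find_lost_identity(lines, window_s: int = 5):
    """Flag decrypted requests logged as 'Unauthenticated User' that follow, within
    window_s seconds, a CONNECT from the same client to the same host that did
    carry a username: identity present on the tunnel, absent on the intercepted
    request, which is exactly the symptom described in the article."""
    entries = sorted((parse_entry(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    flows = defaultdict(list)  # (client IP, host) -> entries in time order
    for e in entries:
        flows[(e.client_ip, e.host)].append(e)

    findings = []
    for (ip, host), flow in flows.items():
        last_connect = None
        for e in flow:
            if e.method == "CONNECT" and e.user != UNAUTH:
                last_connect = e  # tunnel set-up that carried a real user
            elif (
                e.method != "CONNECT"
                and e.user == UNAUTH
                and last_connect is not None
                and (e.ts - last_connect.ts).total_seconds() <= window_s
            ):
                findings.append({
                    "client_ip": ip,
                    "host": host,
                    "connect_user": last_connect.user,
                    "connect_time": last_connect.ts.isoformat(),
                    "method": e.method,
                    "status": e.status,
                    "time": e.ts.isoformat(),
                })
    return findings


SAMPLE_LOG = [
    # The two entries quoted in the article.
    '2022-12-06 14:23:42 "DP4-GUSAS1_proxysg2" 11 aaaaaaaa "xxxx" "yyyyy=" - - - OBSERVED "File Storage/Sharing" - 200 TCP_ACCELERATED CONNECT - tcp xxxxxx.ent.box.com 443 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.47" 192.168.4.85 39 606 - - - - - - - - 519208 "SG Homologation" gateway_proxy "Box" "-" 74.112.186.144 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - - - - - - - - - - - - - - - - - - - 2001:0DB8:45bc:d09f:1bfb:d354:4aa6:c4e0 7071d0517bbc4b67-000000005be59dcd-00000000638f506e - - "Invalid" "Invalid" - - -',
    '2022-12-06 14:23:42 "DP4-GUSAS1_proxysg2" 249 aaaaaaaa "Unauthenticated User" "Unauthenticated User" - - - OBSERVED "File Storage/Sharing" - 302 TCP_NC_MISS GET - https xxxxxx.ent.box.com 443 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.47" 192.168.4.85 438 694 elastica_reqmod elastica_respmod - - no - - - 519208 "SG Homologation" gateway_proxy "Box" "-" 74.112.186.144 "United States" - none - - TLSv1.3 TLS_AES_128_GCM_SHA256 128 box.com "File Storage/Sharing" TLSv1.3 TLS_AES_128_GCM_SHA256 128 - ICAP_REPLACED - ICAP_REPLACED - 74.112.186.144 - - - - unavailable - - - - - - - - - - SSL_Intercept_1 - - - - 2001:0DB8:45bc:d09f:1bfb:d354:4aa6:c4e0 7071d0517bbc4b67-000000005be59e2a-00000000638f506e 168.149.152.17 168.149.152.17 "US" "United States" - - -',
    # Constructed healthy entry: a decrypted request that kept its user (shortened after the path).
    '2022-12-06 14:25:10 "DP4-GUSAS1_proxysg2" 180 aaaaaaaa "xxxx" "yyyyy=" - - - OBSERVED "File Storage/Sharing" - 200 TCP_NC_MISS GET - https xxxxxx.ent.box.com 443 /app-api/',
]


if __name__ == "__main__":
    for hit in find_lost_identity(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client_ip']} -> {hit['host']}: CONNECT as "
              f"{hit['connect_user']!r}, decrypted {hit['method']} logged as {UNAUTH!r}")
```

Run against a real export, one line per request, the script reports only flows where the tunnel carried a user and the intercepted request did not; a flow whose decrypted requests keep their username (the constructed third line) is not reported, so a clean run after moving the forwarding to TCP 8080 confirms the fix.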


From the PCAP generated on the McAfee proxy, we can see that the CONNECT request over TCP 8084 carries the user info, but we cannot decrypt the SSL session (the CONNECT itself is not encrypted, which is expected when using TCP 8084) to check whether the SSL-intercepted traffic also carries the user in the request, which is required.

From the policy trace within WSS, we can confirm that the TCP connection request includes the user info; we log all the headers to confirm this.

connection: service.name=Forward_Proxy_Intercepted_HTTPS client.address=bbbbbbbb Header address=bbbbbbbb (NAT address=10.254.195.158) (effective address=bbbbbbbb) proxy.port=8084 source.port=33506 dest.port=8084
client country= pcid=1023
  location-id=519208 access_type=gateway_proxy
time: 2022-12-06 14:32:16 UTC
CONNECT tcp://aaaaaaaa.ent.box.com:443/
  DNS lookup was unrestricted
BC_Auth_User: xxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.47
Via: 1.1 cccccccc (McAfee Web Gateway 10.2.8.40163)
X-Forwarded-For: bbbbbbbb
X-Forwarded-For: cccccccc
user: name="aaaaa" realm=proxy_forward

When we hit the SSL interception code and decrypt the request, we do not see the user info we expect inside the decrypted request, and hence the user is unauthenticated.

connection: service.name=Forward_Proxy_Intercepted_HTTPS client.address=bbbbbbbbb (NAT address=10.254.195.158) (effective address=bbbbbbbbb) proxy.port=8084 source.port=33506 dest.port=8084
client country= pcid=1023
  location-id=519208 access_type=gateway_proxy
time: 2022-12-06 14:32:16 UTC
GET https://aaaaaaaa.ent.box.com/
  DNS lookup was unrestricted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.47
user: name="Unauthenticated User" realm=proxy_forward
authentication start 34 elapsed 1 ms
authorization start 35 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='Unauthenticated User'
verdict: ALLOWED
bypass_cache(yes)
  url.category: [email protected];File Storage/[email protected] Coat
    category groups: File [email protected] Coat;[email protected] Coat
    total categorization time: 0
    static categorization time: 0
outbound source IP: 168.149.152.17 spoof: auto
server.response.code: 0
