.msi file transfer blocked using access gateway

Article ID: 268280

Products

SITEMINDER, CA BCS Premier for CA Single Sign-On, CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction


A customer tries to access a URL to download ~pdfs/Software/.....-64BitSetup.msi and gets HTTP error 503 with the message below:

"The file you are trying to download or upload has been blocked in accordance with company policy. Please contact your system administrator if you believe this is an error.

File name: .....-64BitSetup.msi"

The request was made to Access Gateway, but the content was served from a backend application server.

So the .msi file is NOT physically located on Access Gateway.

Environment

Release : 12.8

Cause

The Access Gateway agent trace shows the error below:

[06/15/2023][05:37:46][1344][6080][10c2f938-00c5c3b7-a3d7822c-3cdf3e9b-4020ad77-5fea][execute][Sending request to backend = apps.domain.com url = http://apps.domain.com/pdfs/Software/.....-64BitSetup.msi]

[06/15/2023][05:37:46][1344][6080][10c2f938-00c5c3b7-a3d7822c-3cdf3e9b-4020ad77-5fea][requestConnection(): ][Get connection: HttpRoute[{}->http://apps.domain.com], timeout = 0]

...

[06/15/2023][05:37:46][1344][5252][14ea4440-ea944d2a-8e919e7a-7b7f2c2a-da0d9c67-672][Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 500]
[06/15/2023][05:37:46][1344][5252][14ea4440-ea944d2a-8e919e7a-7b7f2c2a-da0d9c67-672][ProxyValve::invoke][Exit status returned from the agent.]
[06/15/2023][05:37:46][1344][5252][14ea4440-ea944d2a-8e919e7a-7b7f2c2a-da0d9c67-672][ProxyValve::invoke][Leaving the agent.]
[06/15/2023][05:37:46][1344][6080][10c2f938-00c5c3b7-a3d7822c-3cdf3e9b-4020ad77-5fea][execute][Response status code from backend webserver is 503]

Either the backend server is not responding, or there is a network device between Access Gateway and the application server that cuts off or blocks the connection based on file extension.

Either way, Access Gateway can NOT deliver the response back to the browser, hence the root cause is NOT with Access Gateway.

Out of the box, Access Gateway does not block proxying of .msi files. A successful proxy returns HTTP code 200, not 500.
Example trace log from a successful proxy test:
 
[06/19/2023][17:13:22][1792][6472][1317f366-c64d35ca-8caf4eed-0650065f-b7b232f1-cc][addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]
[06/19/2023][17:13:22][1792][6472][1317f366-c64d35ca-8caf4eed-0650065f-b7b232f1-cc][execute][Got protocol version HTTP]
[06/19/2023][17:13:22][1792][6472][1317f366-c64d35ca-8caf4eed-0650065f-b7b232f1-cc][execute][Sending request to backend = sps.ca.com url = http://sps.ca.com/transpolar/ldapbrowser-4.5.19808.0-x64-eng.msi]
[06/19/2023][17:13:22][1792][6472][1317f366-c64d35ca-8caf4eed-0650065f-b7b232f1-cc][requestConnection(): ][Get connection: {}->http://sps.ca.com:80, timeout = 180000]
[06/19/2023][17:13:22][1792][6472][1317f366-c64d35ca-8caf4eed-0650065f-b7b232f1-cc][openConnection()][Connecting to sps.ca.com/10.x.x.x:80]
[06/19/2023][17:13:22][1792][6472][1317f366-c64d35ca-8caf4eed-0650065f-b7b232f1-cc][execute][Response status code from backend webserver is 200]
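To make the same comparison across a whole agent trace, the sketch below pairs each "Sending request to backend" line with the backend status logged under the same transaction ID and groups the results by backend host and file extension. It is an added example, not Broadcom code; the function names are hypothetical and the line layout is assumed from the excerpts above.

```python
import posixpath
import re
from urllib.parse import urlparse

# Layout in the article's excerpts: [date][time][pid][tid][txn-id][function][message]
LINE_RE = re.compile(r"^\[[^\]]+\]\[[^\]]+\]\[\d+\]\[\d+\]"
                     r"\[(?P<txn>[0-9a-f-]+)\]\[(?P<func>[^\]]*)\]\[(?P<msg>.*)\]$")
SENT_RE = re.compile(r"Sending request to backend = (\S+) url = (\S+)")
STATUS_RE = re.compile(r"Response status code from backend webserver is (\d{3})")

# Lines copied from the article's two trace excerpts (failing and successful proxy).
SAMPLE_TRACE = """\
[06/15/2023][05:37:46][1344][6080][10c2f938-00c5c3b7-a3d7822c-3cdf3e9b-4020ad77-5fea][execute][Sending request to backend = apps.domain.com url = http://apps.domain.com/pdfs/Software/.....-64BitSetup.msi]
[06/15/2023][05:37:46][1344][5252][14ea4440-ea944d2a-8e919e7a-7b7f2c2a-da0d9c67-672][Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 500]
[06/15/2023][05:37:46][1344][6080][10c2f938-00c5c3b7-a3d7822c-3cdf3e9b-4020ad77-5fea][execute][Response status code from backend webserver is 503]
[06/19/2023][17:13:22][1792][6472][1317f366-c64d35ca-8caf4eed-0650065f-b7b232f1-cc][execute][Sending request to backend = sps.ca.com url = http://sps.ca.com/transpolar/ldapbrowser-4.5.19808.0-x64-eng.msi]
[06/19/2023][17:13:22][1792][6472][1317f366-c64d35ca-8caf4eed-0650065f-b7b232f1-cc][execute][Response status code from backend webserver is 200]
"""

def backend_results(trace_text):
    """Pair each backend request with the backend status for the same transaction ID."""
    by_txn = {}
    for raw in trace_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["func"] != "execute":
            continue  # skips non-proxy lines such as the agent's 'HTTP Status Code = 500'
        sent = SENT_RE.search(m["msg"])
        status = STATUS_RE.search(m["msg"])
        if sent:
            by_txn[m["txn"]] = {"backend": sent[1], "url": sent[2], "status": None}
        elif status and m["txn"] in by_txn:
            by_txn[m["txn"]]["status"] = int(status[1])
    return list(by_txn.values())

def status_by_extension(results):
    """Group backend-leg statuses by (backend host, file extension)."""
    grouped = {}
    for r in results:
        ext = posixpath.splitext(urlparse(r["url"]).path)[1].lower()
        grouped.setdefault((r["backend"], ext), []).append(r["status"])
    return grouped

if __name__ == "__main__":
    for key, statuses in status_by_extension(backend_results(SAMPLE_TRACE)).items():
        print(key, statuses)
```

The same extension returning 200 through one backend route and 503 through another points at the path between the gateway and that backend, not at the gateway's own handling of .msi files.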

Resolution

The firewall team created an exception to their profile filtering to allow the .msi file extension to pass through.