Bloomberg client bypass on Transparent ProxySG/EdgeSWG deployment


Article ID: 273586


Products

ISG Proxy, Advanced Secure Gateway Software - ASG, ASG-S200, ASG-S400, ASG-S500, ProxySG Software - SGOS

Issue/Introduction

The Bloomberg application does not work through a transparent proxy:

https://assets.bbhub.io/professional/sites/10/BBG_Network_Connectivity_Guide.pdf 

Environment

TEST ENVIRONMENT:

  • SGOS: 6.7.5.12 (latest 6.7.5.24)
  • Load-balance: Yes, active-active
  • Deployment mode: Transparent

Cause

The Bloomberg IP ranges and URLs are not accessible through the proxy.

Documentation (page 10): https://assets.bbhub.io/professional/sites/10/BBG_Network_Connectivity_Guide.pdf 

 

DOMAINS/SUBDOMAINS:
bloomberg.net
bloomberg.com
blpprofessional.com
btogo.com

IP RANGES:
69.187.16.0/20
69.187.32.0/19
69.187.72.0/21
69.191.176.0/20
69.191.192.0/18
103.251.205.0/24
160.43.250.0/24
160.43.251.0/24
160.43.252.0/24
160.43.253.0/24
205.216.112.0/24
206.156.53.0/24
208.22.56.0/24
208.22.57.0/24

PORTS:
UDP Destination Ports
48129 - 48137

TCP Destination Ports
8194 – 8198
8209 – 8220
8290 – 8294

Resolution

CONFIGURATION OF BLOOMBERG APP:

Select SOCKS and enter the IP address of the proxy and port 1080.

 

CONFIGURATION ON PROXY:

1. Go to Configuration > Proxy Services > SOCKS.

2. Make sure that the SOCKS service is set to bypass on port 1080.

3. Create a Web Access Layer in the VPM called Bloomberg

Source: <defined> or Any

Destination: Combined object that includes these request URLs:

  • bloomberg.net
  • bloomberg.com
  • blpprofessional.com
  • btogo.com
  • 69.187.16.0/20
  • 69.187.32.0/19
  • 69.187.72.0/21
  • 69.191.176.0/20
  • 69.191.192.0/18
  • 103.251.205.0/24
  • 160.43.250.0/24
  • 160.43.251.0/24
  • 160.43.252.0/24
  • 160.43.253.0/24
  • 205.216.112.0/24
  • 206.156.53.0/24
  • 208.22.56.0/24
  • 208.22.57.0/24

Service: SOCKS

Action: Allow

4. Optional: SOCKS compression may need to be disabled in some cases. To do this, the CPL policy should include the line socks.accelerate(no). In the policy file, insert the following code:

<Proxy>
socks.accelerate(no)

 

 

CONFIGURATION WITH SOCKS AUTHENTICATION:

How to set up Bloomberg client with authentication - https://knowledge.broadcom.com/external/article/166490 

 

 

 

########### Manual FULL BYPASS only on SGOS 7.3.x #########

 

######## TCP TUNNEL ########

ProxySG> enable
ProxySG# config t
ProxySG(config)# proxy-services
ProxySG(config proxy-services)# create tcp-tunnel BloombergTCP
ProxySG(config proxy-services)# edit BloombergTCP
add all 69.187.16.0/20 8194-8198 bypass
add all 69.187.32.0/19 8194-8198 bypass
add all 69.187.72.0/21 8194-8198 bypass
add all 69.191.176.0/20 8194-8198 bypass
add all 69.191.192.0/18 8194-8198 bypass
add all 103.251.205.0/24 8194-8198 bypass
add all 160.43.250.0/24 8194-8198 bypass
add all 160.43.251.0/24 8194-8198 bypass
add all 160.43.252.0/24 8194-8198 bypass
add all 160.43.253.0/24 8194-8198 bypass
add all 205.216.112.0/24 8194-8198 bypass
add all 206.156.53.0/24 8194-8198 bypass
add all 208.22.56.0/24 8194-8198 bypass
add all 208.22.57.0/24 8194-8198 bypass
add all 69.187.16.0/20 8209-8220 bypass
add all 69.187.32.0/19 8209-8220 bypass
add all 69.187.72.0/21 8209-8220 bypass
add all 69.191.176.0/20 8209-8220 bypass
add all 69.191.192.0/18 8209-8220 bypass
add all 103.251.205.0/24 8209-8220 bypass
add all 160.43.250.0/24 8209-8220 bypass
add all 160.43.251.0/24 8209-8220 bypass
add all 160.43.252.0/24 8209-8220 bypass
add all 160.43.253.0/24 8209-8220 bypass
add all 205.216.112.0/24 8209-8220 bypass
add all 206.156.53.0/24 8209-8220 bypass
add all 208.22.56.0/24 8209-8220 bypass
add all 208.22.57.0/24 8209-8220 bypass
add all 69.187.16.0/20 8228 bypass
add all 69.187.32.0/19 8228 bypass
add all 69.187.72.0/21 8228 bypass
add all 69.191.176.0/20 8228 bypass
add all 69.191.192.0/18 8228 bypass
add all 103.251.205.0/24 8228 bypass
add all 160.43.250.0/24 8228 bypass
add all 160.43.251.0/24 8228 bypass
add all 160.43.252.0/24 8228 bypass
add all 160.43.253.0/24 8228 bypass
add all 205.216.112.0/24 8228 bypass
add all 206.156.53.0/24 8228 bypass
add all 208.22.56.0/24 8228 bypass
add all 208.22.57.0/24 8228 bypass
add all 69.187.16.0/20 8290-8294 bypass
add all 69.187.32.0/19 8290-8294 bypass
add all 69.187.72.0/21 8290-8294 bypass
add all 69.191.176.0/20 8290-8294 bypass
add all 69.191.192.0/18 8290-8294 bypass
add all 103.251.205.0/24 8290-8294 bypass
add all 160.43.250.0/24 8290-8294 bypass
add all 160.43.251.0/24 8290-8294 bypass
add all 160.43.252.0/24 8290-8294 bypass
add all 160.43.253.0/24 8290-8294 bypass
add all 205.216.112.0/24 8290-8294 bypass
add all 206.156.53.0/24 8290-8294 bypass
add all 208.22.56.0/24 8290-8294 bypass
add all 208.22.57.0/24 8290-8294 bypass
ProxySG(config proxy-services)# exit

 

######## UDP TUNNEL ########

Only applicable to ProxySG 7.3.x branch

ProxySG> enable
ProxySG# config t
ProxySG(config)# proxy-services
ProxySG(config proxy-services)# create udp-tunnel BloombergUDP
ProxySG(config proxy-services)# edit BloombergUDP
add all 69.187.16.0/20 48129-48137 bypass
add all 69.187.32.0/19 48129-48137 bypass
add all 69.187.72.0/21 48129-48137 bypass
add all 69.191.176.0/20 48129-48137 bypass
add all 69.191.192.0/18 48129-48137 bypass
add all 103.251.205.0/24 48129-48137 bypass
add all 160.43.250.0/24 48129-48137 bypass
add all 160.43.251.0/24 48129-48137 bypass
add all 160.43.252.0/24 48129-48137 bypass
add all 160.43.253.0/24 48129-48137 bypass
add all 205.216.112.0/24 48129-48137 bypass
add all 206.156.53.0/24 48129-48137 bypass
add all 208.22.56.0/24 48129-48137 bypass
add all 208.22.57.0/24 48129-48137 bypass
ProxySG(config proxy-services)# exit
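
The bypass listeners above, as an added example that is not part of the original article or of Broadcom's tooling: a Python helper that renders the "add all ... bypass" lines from the article's ranges with plain ASCII hyphens, and reports which logged flows the bypass covers and which still go through the proxy. The function names and the sample flows are constructed for illustration; the port set is taken from the CLI section above, which includes 8228.

```python
import ipaddress

# Ranges copied from the article's IP RANGES section.
NETS = [ipaddress.ip_network(n) for n in """
69.187.16.0/20 69.187.32.0/19 69.187.72.0/21 69.191.176.0/20
69.191.192.0/18 103.251.205.0/24 160.43.250.0/24 160.43.251.0/24
160.43.252.0/24 160.43.253.0/24 205.216.112.0/24 206.156.53.0/24
208.22.56.0/24 208.22.57.0/24""".split()]

# Port ranges as used in the article's CLI section (includes 8228).
PORTS = {"tcp": [(8194, 8198), (8209, 8220), (8228, 8228), (8290, 8294)],
         "udp": [(48129, 48137)]}


def bypass_commands(proto):
    """Render 'add all <net> <ports> bypass' lines with ASCII hyphens only."""
    lines = []
    for lo, hi in PORTS[proto]:
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        lines += [f"add all {net} {span} bypass" for net in NETS]
    return lines


def is_bypassed(proto, dst_ip, dst_port):
    """True if a flow matches both a bypassed range and a bypassed port."""
    ip = ipaddress.ip_address(dst_ip)
    in_net = any(ip in net for net in NETS)
    in_port = any(lo <= dst_port <= hi for lo, hi in PORTS.get(proto, []))
    return in_net and in_port


def audit(flows):
    """Split flows into bypassed and still-proxied, for log review."""
    result = {"bypassed": [], "proxied": []}
    for flow in flows:
        result["bypassed" if is_bypassed(*flow) else "proxied"].append(flow)
    return result


# Constructed sample flows: (protocol, destination IP, destination port).
SAMPLE_FLOWS = [
    ("tcp", "69.187.20.5", 8194),     # in range, in TCP port set
    ("tcp", "69.187.20.5", 443),      # in range, port not bypassed
    ("udp", "160.43.251.9", 48130),   # in range, in UDP port set
    ("tcp", "198.51.100.7", 8194),    # port matches, address does not
]

if __name__ == "__main__":
    print("\n".join(bypass_commands("udp")))
    print(audit(SAMPLE_FLOWS))
```

Flows reported as "proxied" are still subject to the CPL policy, so the domain-based conditions in the policy layer have to cover them.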

 

Then create a CPL Layer in your VPM Policy and paste the code:

; ################# BloombergClient FULL BYPASS START #################
; Allow TCP/UDP tunnel
<Proxy>
service.name="BloombergTCP" authenticate(no) ALLOW

service.name="BloombergUDP" authenticate(no) ALLOW
; Disables authentication via Proxy
<proxy>
condition=Bloombergclient authenticate(no) ALLOW
; Disables HTTP/2 for Websockets
<proxy>
condition=BloombergWebsockets http2.client.accept(no) http2.server.request(no)
; Disables protocol detection
<proxy>
condition=Bloombergclient detect_protocol(none)
; Disables http manipulation
<proxy>
condition=Bloombergclient http.client.persistence(no) http.server.persistence(no) bypass_cache(yes) http.request.version(1.0) http.response.version(1.0) server_url.dns_lookup(ipv4-only)
; Disables ICAP scanning
<cache>
condition=Bloombergclient request.icap_service(no) response.icap_service(no)
; Disables CACHE
<cache>
condition=Bloombergclient pipeline(no) cache(no)
; Disables SSL-Interception, packet inspection
<ssl-intercept>
condition=Bloombergclient ssl.forward_proxy(no)
; Disables server SSL certificate validation
<SSL>
condition=Bloombergclient server.certificate.validate(no)

define condition Bloombergclient
; domains for Bloomberg client
url.domain="bloomberg.net"
url.domain="bloomberg.com"
url.domain="blpprofessional.com"
url.domain="btogo.com"
end condition Bloombergclient

define condition BloombergWebsockets
; domains for the websockets
client.connection.ssl_server_name.suffix=.bloomberg.net
client.connection.ssl_server_name.suffix=.bloomberg.com
client.connection.ssl_server_name.suffix=.blpprofessional.com
client.connection.ssl_server_name.suffix=.btogo.com
end condition BloombergWebsockets

; ################# BloombergClient BYPASS END #################

Additional Information

UDP bypass is supported only on the 7.3.x version of the proxy - https://knowledge.broadcom.com/external/article/225761/udp-support-on-proxysg.html