Customer would like to customize the error messages presented to the end user. The message can be used to provide more information or to coach the user community about the internal processes and regulations.
Cloudsoc Gatelet deployment via web proxy chaining.
In these deployments, end-user traffic typically originates from within a corporate network and then passes through a web proxy.
Summary:
Web proxies like the Edge Secure Web Gateway SWG (ProxySG) can be configured to watch for the case where Cloudsoc responds with an error message that matches the required use case, and then replace the generic error message sent by Cloudsoc with a custom one which the customer can modify.
The following changes need to be done on the on-prem Proxy.
Steps:
1- Create a custom exception on the proxy.
There are two ways to do this: either via the proxy command line or via the proxy console.
Example (from CLI):
Notice that the message is a simple HTML page, entered with the "inline format" command, and the proxy substitution variables are entered in the $(variable.name) format.
>enable
Enable Password:
#conf t
Enter configuration commands, one per line. End with CTRL-Z.
#(config)exceptions
#(config exceptions)create Cloudsoc_Custom_Handler
ok
#(config exceptions)edit Cloudsoc_Custom_Handler
#(config exceptions user-defined.Cloudsoc_Custom_Handler)inline format XXXYYYZZZ
<p> </p>
<table>
<tbody><tr><td>
<p><strong><span>Symantec Cloudsoc “</span></strong><span>Page access denied<strong>”</strong></span></p>
<p><pre>
Client Address: $(client.address)<br>
user : $(user)<br>
user.name : $(user.name)<br>
User AD Groups: $(groups)<br>
Application Name: $(request.application.name)<br>
Application Group: $(request.application.groups)<br>
Redirected to: $(response.header.Location)<br>
Via: $(response.header.Via)<br>
</pre></p></td></tr>
<tr><td>
<p><strong>The user account is not configured properly!</strong></p>
<p><strong>Please reach out to your helpdesk team at <a href="mailto:[email protected]">[email protected]</a></strong></p>
</td></tr>
</tbody>
</table>
XXXYYYZZZ
ok
#(config exceptions user-defined.Cloudsoc_Custom_Handler)http-code 403
ok
#(config exceptions user-defined.Cloudsoc_Custom_Handler)exit
#(config exceptions)exit
#(config)exit
2- Create a proxy policy to look for the error message sent by Cloudsoc (it is a redirect to an error message on Cloudsoc's parent domain).
There are different ways to implement this policy on Symantec Edge SWG (ProxySG), here is the CPL code to install it in either a CPL layer or a local file:
;=== US REGION ======
<proxy>
response.header.location.substring="https://app.elastica.net/static/ng/appLogin/index.html#/blocked?code=BLOCK_DISALLOWED_USER" http.response.code=302 force_exception(user-defined.Cloudsoc_Custom_Handler)
;=== EU REGION ======
<proxy>
response.header.location.substring="https://app.eu.elastica.net/static/ng/appLogin/index.html#/blocked?code=BLOCK_DISALLOWED_USER" http.response.code=302 force_exception(user-defined.Cloudsoc_Custom_Handler)
NOTE: Select the one region that corresponds to the Cloudsoc tenant region (either US or EU).
3- Test the custom exception message to the end user
Without the above suggested changes, the end user is presented with the generic Cloudsoc error message.
After installing the above configuration in the web policy, the proxy presents the configured custom message instead.
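To check step 3 from a client behind the proxy, the following added example (not part of the original article or of any Symantec tooling) classifies the response the client receives: the custom exception page, the Cloudsoc block redirect passing through unchanged, or something else. The redirect URLs and the marker sentence come from steps 1 and 2; the function names, verdict labels, case-sensitive matching and command-line arguments are assumptions made for this example.

```python
"""Added example: classify what a client behind the proxy receives (step 3)."""
import sys
import urllib.error
import urllib.request

# Redirect targets copied from the CPL rules in step 2.
BLOCKED_URLS = {
    "US": "https://app.elastica.net/static/ng/appLogin/index.html#/blocked?code=BLOCK_DISALLOWED_USER",
    "EU": "https://app.eu.elastica.net/static/ng/appLogin/index.html#/blocked?code=BLOCK_DISALLOWED_USER",
}
# Sentence from the custom exception page in step 1, used to recognise it.
PAGE_MARKER = "The user account is not configured properly!"


def classify(status, headers, body):
    """Return (verdict, detail) for one response as seen by the client."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status == 403 and PAGE_MARKER in body:
        return "custom-exception", "proxy served Cloudsoc_Custom_Handler"
    if status == 302:
        for region, url in BLOCKED_URLS.items():
            if url in location:
                # The Cloudsoc redirect passed through: rule missing or wrong region.
                return "rule-not-applied", f"{region} block redirect reached the client"
    if status == 403:
        return "other-403", "a 403 without the custom page text"
    return "other", f"HTTP {status}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 302 is raised as HTTPError instead


def fetch(url, proxy):
    """Request url through the proxy and return (status, headers, body)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}), NoRedirect())
    try:
        resp = opener.open(url, timeout=15)
    except urllib.error.HTTPError as err:  # 302 and 403 both arrive here
        resp = err
    return resp.code, dict(resp.headers), resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Hypothetical usage: check.py <URL of a Cloudsoc-controlled app> <proxy URL>
    verdict, detail = classify(*fetch(sys.argv[1], sys.argv[2]))
    print(f"{verdict}: {detail}")
```

A "rule-not-applied" verdict for the other region's URL usually means the CPL rule for the wrong tenant region was installed.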