The Edge SWG (ProxySG) Application Forwards Connections To a Parent Proxy Unexpectedly
Article ID: 282315
Updated On:
Products
Issue/Introduction
The Edge SWG (ProxySG) application on ISG redirects internal web requests to a parent proxy despite the absence of forwarding rules and configuration for proxy chaining.
Some requests may be blocked by the parent proxy including internal requests such as license validation (https://validation.es.bluecoat.com) or subscription services (https://subscription.es.bluecoat.com).
Updating and loading licenses may result in errors from the ISG such as:
ISG# licensing load id XXXXXX
license update failed for license ID XXXXXX
ErrorCode
: -14500
ErrorMessage
. connection error
(Model :
SG—Enterprise)
Reason : 407 :HTTP/I.1 407 Proxy Authentication Required: Proxy Authentication Required
Environment
The ISG running on SSP hardware.
Cause
The ISG has a configured explicit proxy. This can be confirmed via the ISG CLI by getting into configuration mode and executing:
(config)# proxy-settings view
enabled:true
host :10.X.X.X
port no:8008
username:configured
password:configured
Resolution
If you would like to continue using the proxy on the ISG but bypass the Edge SWG traffic from being processed on the proxy, bypass the Edge SWG application source IP from the proxy set on the ISG.
If you would like to use the parent proxy for client traffic, but not for essential services such as licensing and subscription services, bypass the ISG and Edge SWG application IPs for the following services in the document: Required ports, protocols, and services for the Edge SWG (ProxySG) appliance
If the proxy isn't needed on the ISG then you can disable the proxy settings via the CLI from configuration mode:
(config)# proxy-settings disable
Refer to ISG documentation for proxy-settings: CLI overview for proxy-settings
Feedback
