User is unable to access a secure Website using SSL when going through a ProxySG.
In some cases, when a user accesses a Web server (OCS) using SSL via the proxy, the user is logged out of the server almost immediately after logging in. The message on screen reads "You have logged out from your session, log in again to continue."
The ability to access non-secure content (or HTTP access) is not hindered.
There are a couple of reasons that cause the HTTPS access to fail:
1. The proxy has multiple (more than 1) default gateways (GW).
2. The proxy has multiple (more than 1) default gateways (GW). All the GWs are in the same group and have the same weight to allow for failover and load balancing. In such a case the proxy load balances using the round-robin method, so a request may go through any GW, with a varying source IP address. While this behavior is acceptable for an HTTP request, for an HTTPS request the connection request fails. This behavior is seen because the OCS tracks the SSL session and the source IP in the request. If the SSL session switches between multiple IP addresses, the OCS closes the connection or logs the user out to prevent a security breach.
This issue might occur on ProxySG appliances running SGOS version 5.x. To resolve this issue, you must upgrade to version SGOS 6.x (6.1 or above), which includes the new tcp_ip load balance feature.
Use the following CLI command on the ProxySG. This command instructs the routing algorithm to use the source IP, destination IP or both as a hash value on the outbound route.
#(config) tcp-ip routing-algorithm weighted-round-robin
For details on the TCP IP Load Balance feature refer to the online manual at: https://bto.bluecoat.com/doc/14782
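
The failure mode described above can be reproduced in a small simulation that compares round-robin gateway selection with a selection hashed on source and destination IP (an added example, not Blue Coat code and not the algorithm SGOS implements). The gateway, client and server addresses, the session ID and the use of SHA-256 are constructed assumptions, and each gateway is assumed to present a different source IP to the OCS.

```python
import hashlib
from itertools import cycle

# Constructed values: two equal-weight default gateways, each presenting a
# different source IP to the OCS (documentation address ranges).
GATEWAY_SOURCE_IPS = ["198.51.100.10", "198.51.100.20"]


class Ocs:
    """Origin server that binds each session to the first source IP it saw."""

    def __init__(self):
        self.bound_ip = {}

    def handle(self, session_id, source_ip):
        first_ip = self.bound_ip.setdefault(session_id, source_ip)
        if first_ip != source_ip:
            del self.bound_ip[session_id]  # session invalidated, user must log in again
            return "logged-out"
        return "ok"


def round_robin_selector():
    """Rotate through the gateways on every outbound request."""
    rotation = cycle(GATEWAY_SOURCE_IPS)
    return lambda client_ip, server_ip: next(rotation)


def hash_selector():
    """Pick the gateway from a hash of source and destination IP."""
    def pick(client_ip, server_ip):
        digest = hashlib.sha256(f"{client_ip}|{server_ip}".encode()).digest()
        return GATEWAY_SOURCE_IPS[digest[0] % len(GATEWAY_SOURCE_IPS)]
    return pick


def simulate(selector, requests=6):
    """Send several requests of one HTTPS session through the proxy."""
    ocs = Ocs()
    pick = selector()
    return [ocs.handle("sess-1", pick("10.0.0.5", "203.0.113.80"))
            for _ in range(requests)]


if __name__ == "__main__":
    print("round robin:", simulate(round_robin_selector))
    print("hash based: ", simulate(hash_selector))
```

With round robin the second request already arrives from a different source IP and the session is dropped; with the hash, every request for the same client and server pair leaves through the same gateway.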