Solutions

User is unable to access a secure Website using SSL when going through a ProxySG.

Solutions ID:    KB4433
Version:    1.0
Status:    Published
Published date:    06/08/2011
 

Problem Description

In some cases, when a user accesses a Web server (origin content server, OCS) over SSL via the proxy, the user is logged out of the server almost immediately after logging in. The message on screen reads "You have logged out from your session, log in again to continue."

The ability to access non-secure content (or HTTP access) is not hindered.

There are a couple of reasons that cause HTTPS access to fail:

1. The proxy has multiple (more than one) default gateways (GWs).

2. The proxy has multiple (more than one) default gateways (GWs), all in the same group and with the same weight to allow for failover and load balancing. In such a case the proxy load balances with a round-robin method, so each request may go out through any GW, and the source IP address of the request varies accordingly. While this behavior is acceptable for an HTTP request, an HTTPS connection fails. This happens because the OCS tracks both the SSL session and the source IP of the request. When an SSL session appears to switch between multiple source IP addresses, the OCS closes the connection or logs the user out to prevent a session hijack.

Resolution

This issue might occur on ProxySG appliances running SGOS version 5.x. To resolve this issue, you must upgrade to SGOS 6.x (6.1 or above), which includes the new TCP IP Load Balance feature.

Use the following CLI command on the ProxySG. This command instructs the routing algorithm to use the source IP, the destination IP, or both as the hash value for selecting the outbound route:
#(config) tcp-ip routing-algorithm hashing [both | destination-address | source-address]
 

For example, you can set this option to use the source IP address when the ProxySG appliance needs to connect to a secure Web server and the Web server requires the source IP address to remain unchanged during the lifetime of the secure session. Similarly, you can enable this hash based routing option for other services that use cookies to maintain a "session" across multiple connections.


The default setting for the tcp-ip routing-algorithm option is weighted-round-robin, which is appropriate for all deployments (except in cases such as the examples above):

#(config) tcp-ip routing-algorithm weighted-round-robin

For details on the TCP IP Load Balance feature refer to the online manual at:  https://bto.bluecoat.com/doc/14782
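The following Python model is an added illustration (not Blue Coat code) of why weighted-round-robin gateway selection breaks an SSL session bound to a source IP at the OCS, and why hashing on the source address keeps the session intact. It assumes, as the article implies but does not state, that each default gateway is reached through its own egress interface with its own IP; all gateway and host addresses are constructed sample values.

```python
"""Model of ProxySG outbound gateway selection (added illustration, not Blue Coat code).

Assumed (not stated in the KB): each default gateway has its own egress interface, so the
origin server sees a different source IP per gateway and ties the login to that IP.
"""
import hashlib
from itertools import count

# Constructed sample: two equal-weight default gateways -> egress source IP used via each.
GATEWAYS = {"10.0.0.1": "203.0.113.10", "10.0.0.2": "203.0.113.11"}


def select_gateway(algorithm, src, dst, rr_counter):
    """Pick the next-hop gateway for one new outbound TCP connection.

    algorithm is 'weighted-round-robin' (the default) or 'hashing:<key>' with key in
    both | destination-address | source-address, mirroring the CLI options.
    """
    gws = sorted(GATEWAYS)
    if algorithm == "weighted-round-robin":
        return gws[next(rr_counter) % len(gws)]  # equal weights: plain round robin
    key = algorithm.split(":", 1)[1]
    material = {"source-address": src, "destination-address": dst, "both": src + dst}[key]
    digest = hashlib.sha256(material.encode()).digest()
    return gws[int.from_bytes(digest[:4], "big") % len(gws)]


class OriginServer:
    """OCS that binds each login session to the client IP it first saw."""

    def __init__(self):
        self.sessions = {}

    def request(self, session_id, peer_ip):
        bound = self.sessions.setdefault(session_id, peer_ip)
        if bound != peer_ip:  # same session arriving from another IP: treat as hijack
            del self.sessions[session_id]
            return "You have logged out from your session, log in again to continue."
        return "200 OK"


def run_session(algorithm, client="192.168.1.25", ocs="198.51.100.7", connections=4):
    """Open several connections of one HTTPS session through the proxy; return OCS replies."""
    rr, server, replies = count(), OriginServer(), []
    for _ in range(connections):
        gw = select_gateway(algorithm, client, ocs, rr)
        replies.append(server.request("sess-1", GATEWAYS[gw]))
    return replies
```

Running run_session with "weighted-round-robin" alternates between a successful reply and the logout message, while "hashing:source-address" returns "200 OK" for every connection because the same gateway, and so the same egress IP, is chosen each time.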

