Technical Alerts

ProxyClient installation is failing with HTTP 400 or 403 response from client manager.

Technical Alerts ID:    TFA85
Version:    10.0
Status:    Published
Published date:    01/19/2012
Updated:    07/18/2012
 

Affected products and versions

ProxyClient 3.x and later.

Problem description

Symptoms:

On Windows 7, after the Microsoft Windows update KB2585542 is applied, communication between the ProxyClient workstation and the Client Manager is impaired, resulting in the following symptoms:

 

  1. Installation of ProxyClient software fails with a 400 response. There may be a 403 response instead when web filtering Location Awareness (auto-detect) is enabled.
  2. Automatic updates of config and software do not occur.

 

Cause:

Microsoft introduced KB2585542 to defeat man-in-the-middle attacks (please refer to CVE-2011-3389 for more details). For this patch, Microsoft modified the way that the Windows Secure Channel component sends and receives encrypted network packets. After the Windows update, software and config downloads from the client manager stopped working in ProxyClient because ProxyClient relied on one of the symmetric ciphers that was found to be vulnerable.

 

Status

 

This issue has been fixed in ProxyClient 3.3.2.2, released to limited availability (LA) on January 30th 2012, and in 3.4.3.2, released on June 19th 2012. Because the release is in LA status at this time, please contact Blue Coat Support to obtain a link to download the latest ProxyClient software (currently versions 3.3.2.7 and 3.4.3.2 with additional critical fixes, as of the update of this article on 6/21/2012).

Important Note: The issue also resides on the ProxySG (client manager). Applying the fix on either side (SG or ProxyClient) will resolve the issue. However, because the issue also affects machines that are not running ProxyClient, it is recommended that you apply the SGOS fix, as it resolves the issue for both (workstations with and without ProxyClient installed). The fix in the ProxySG has been released to general availability (GA) in SGOS version 6.3.3.1 and in the 6.2.9.2 patch release (PR). Please contact Blue Coat Support to obtain the latest PR with this fix (currently version 6.2.9.3, as of the update of this article on 6/21/2012). The GA fix of 6.2.10.1 has an estimated release date of 7/25/2012. Please check the download page for availability of this release.

Note: You can also subscribe to update notifications of the SGOS releases. See the following article for more information: FAQ155

Note: If clients are protected with Web filtering auto-detection, a reboot of the workstation may be required.

Workaround

If upgrading to apply the fix is not a viable option, at customers' discretion, a known workaround is to uninstall Windows update KB2585542. 

 

 

Resolution

The cipher suite that ProxyClient uses has been modified to avoid using the algorithms found to be vulnerable. This issue has been fixed in ProxyClient 3.3.2.2.

However, since ProxyClient’s software update depends on the SSL communication that is affected by the Windows update, customers will have to roll out the ProxyClient update through other means, such as GPO or SMS.

If GPO or SMS is not an option, the ProxyclientSetup EXE can be shared with users (using a webpage, Windows file share or something similar), and users can be asked to download the setup EXE and run it, which will update the software.

 

 

