Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5410
Views
0
Helpful
12
Replies

authentication issues with https

mulhollandm
Level 1
Level 1

‎11-10-2013 03:17 AM

folks

i have a couple of WSA670s behind a big ip load balancer and this week, after a feature key update, i'm getting occasional problems with authentication when accessing https sites

i'm running in transparent mode but with the big ip configured as an explicit proxy in the user's browser

i using 7.7.0-608

when users attempt to access a https site the page isn't always served, sometimes is does, sometime it doesn't

if i check the the accesslog i see a TCP 407/DENIED

if i then go to open a new tab and another https site, ie google, i can get access and if i go back to the tab that didn't work and refresh it now works

the accesslogs shows the traffic as authenticated

i can't allow any unauthenticated traffic

can anyone give me any help or point me in the right direction?

thanks to anyone replying

greatly appreciated                 

Labels:
0 Helpful
12 Replies 12

Vance Kwan
Cisco Employee
Cisco Employee

‎11-10-2013 10:35 PM

How does the F5 load balancer determine which WSA to send traffic to?

When the request leaves the F5, what is the Source IP address?

What surrogate type are you using?  (IP Address/Session Cookie/Persistent Cookie).

You may want to take a packet capture at the WSA while the issue is occuring to make sure that it is indeed authenticating to the WSA that wants to authenticate the user.

-Vance

0 Helpful

mulhollandm
Level 1
Level 1
In response to Vance Kwan

‎11-11-2013 12:28 AM

vance

many thanks for your reply

the f5 is configured with a pool of proxy servers (ironports) and uses irules to forward internet traffic to one set of proxies and intranet traffic to another set of proxies

the source address of the traffic leaving the f5s is the expected f5 ip address but x-forwarding is configured and i can see the client address in my accecsslogs

we are using ip address as the surrogate

i can see the traffic hitting the correct wsa on the f5 through a source ip based persistence policy on the f5 and in the accesslogs of the wsa, if i tail on my other wsas there is no traffic from my source ip

all http traffic works fine, the problem only happens with occasional https traffic

thanks again

i'm considering enabling the https proxy and just traffic without decrypting it but i'm not sure if this is relevant to my issue

0 Helpful

VeNoMouSNZ
Level 1
Level 1

‎11-11-2013 02:07 PM

I too am seeing TCP_DENIED/407 on SSL's... I have No Surrogate enabled due to we have alot of XenApp servers , maybe this is wrong....  mulhollandm do you have No Surrogate on your identity policies?


0 Helpful

mulhollandm
Level 1
Level 1
In response to VeNoMouSNZ

‎11-11-2013 03:13 PM

jodi

we're using ip address as surrogate

0 Helpful

Vance Kwan
Cisco Employee
Cisco Employee
In response to mulhollandm

‎11-12-2013 07:02 PM

I see some potential problems with your setup.

If the request is leaving the F5 with its own IP address as the Source, and when your user authenticates, the WSA will associate that user with the F5's IP address.  Authentication does not take the XFF header into consideration.  If you have not run into problems with this, chances are that you are not using any surrogates (see the option to Apply Same Surrogate Type For Explicit Forward Requests).

If all you saw is a 407 when it does not work, this pretty much narrows it down to an authentication problem I suppose.

Can you post the actual Access Log entries when the issue occurs?

0 Helpful

mulhollandm
Level 1
Level 1
In response to Vance Kwan

‎11-15-2013 03:04 PM

vance

apologies for the delay, here's a sample log entry

both of these are from the same log

not working

1383782289.013 149 10.63.132.227 TCP_DENIED/407 0 CONNECT tunnel://www.eventtouch.eu:443/

- NONE/- - OTHER-NONE-All_Authenticated_Users-NONE-NONE-NONE-NONE

<-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"

-","-" > - "10.63.132.227"

working

1383782479.285 547 10.63.132.227 TCP_CLIENT_REFRESH_MISS/200 3814 CONNECT

tunnel://www.eventtouch.eu:443/ "**********\1028009@**********" DIRECT/www.eventtouch.eu

application/octet-stream

DEFAULT_CASE_12-Default_DOWNLOAD_Internet_Access_Policy-All_Authenticated_Users-NONE-NONE-

NONE-DefaultGroup

thanks again

0 Helpful

Vance Kwan
Cisco Employee
Cisco Employee
In response to mulhollandm

‎11-17-2013 12:31 AM

Based on the logs, it appears when it is not working, it needs authentication.  When it is working, authentication was not needed.

Do you think it is possible that when you open a new tab, you are hitting a home page that authenticates the user correctly?  Then when going back to the previous tab, you refresh, which no longer requires authentication since you did on the last tab?

-Vance

0 Helpful

mulhollandm
Level 1
Level 1
In response to Vance Kwan

‎11-17-2013 01:00 AM

vance

thanks again for replyingto my posts, its greatly appreciated

you're right in that the new tab opens to an intranet home page that authenticates the user - this works most of the time but not all

is there a resolution to this

i can't have an authentication bypass for https as it against policy

i don't have the https proxy enabled - would this help?

0 Helpful

Vance Kwan
Cisco Employee
Cisco Employee
In response to mulhollandm

‎11-17-2013 01:09 AM

Some sites just do not work with authentication and there is no way around it for now with your setup.

Right now, it sounds like that particular destination has trouble authenticating.  Are you able to bypass that site from authentication?

0 Helpful

mulhollandm
Level 1
Level 1
In response to Vance Kwan

‎11-17-2013 01:57 AM

vance

we're replacing currently replacing our existing bluecoats with ironports and this issue only happens with the ironports

the bluecoats go to the same sites and there are no issues

both systems use ntlm

if its not possible we may have to bypass but that adds extra overhead to manage

would using the context agent on ad server make an difference or using the httpsproxy?

thanks again for your help

0 Helpful

Vance Kwan
Cisco Employee
Cisco Employee
In response to mulhollandm

‎11-17-2013 09:12 PM

I don't think the Context Directory Agent will work for you since the request leaves your F5 load balancer with its own IP address.  The CDA will only work for you if the WSA receives the request with the true client IP.

Without comparing the packet capture with the capture from a Blue Coat, I wouldn't be able to explain why one works and the other one does not.

The CDA works by building a user to IP mapping as the users sign on to the domain..

0 Helpful

mulhollandm
Level 1
Level 1
In response to Vance Kwan

‎11-18-2013 12:45 PM

vance

again, many thanks for your patience

i might log a tac call for this as i can't allow anything to bypass authentication

i ran a packet capture on a client which had authentication issues and i can see the proxy sending back an authentication required message but nothing happens after that

there's no ntlm challenge or anything

i'll see what tac have to say

thanks again

0 Helpful
Customers Also Viewed These Support Documents