New Member

Strategy for dealing with crl.verisign.com?

We have several systems on our network that utilize a hosted service to check gift card balances, etc.  These devices normally use a custom TCP port to access the hosted server w/o issue.

However, occasionally these devices attempt to verify the hosted provider's server's certificate and hit TCP 80 (which we redirect to our Ironport) by sending a request to Verisign's CRL servers.  This causes the Ironport to force an authentication requirement and causes the devices to fail.

Has anyone come up with a strat to deal with this?  There are too many addresses within Verisign's CRL server list to add manually (and querying the A records isn't possible).

I've tried manually bypassing auth for the following but it still fails 1/2 the time (until the terminal attempts to connect to one of the allowed systems).

verisign.com, verisign.com, .verisign.net, verisign.net, 199.7.80.0/24, 199.7.78.0/23, 199.7.48.0/20, 199.7.71.0/24, 199.7.72.0/22, 199.7.76.0/24, 199.16.80.0/20

Any ideas of a better way to approach this?

4 REPLIES
New Member

Strategy for dealing with crl.verisign.com?

For now, I've created the following custom URL category based off the ARIN list of ALL Verisign addresses.

I'll report back if it helps resolve the issue.

199.16.80.0/20, 199.7.48.0/20, 192.55.83.0/24, 192.58.128.0/24, 192.26.92.0/24, 192.31.80.0/24, 192.42.93.0/24, 192.43.172.0/24, 192.5.6.0/24, 192.35.51.0/24, 192.33.14.0/24, 192.54.112.0/24, 192.41.162.0/24, 192.52.178.0/24, 192.12.94.0/24, 192.48.79.0/24

New Member

Working on something similar

Working on something similar and came across this list from Symantec -

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO11288&actp=search&viewlocale=en_US

Hope this helps. Can you confirm the only traffic seen outbound from a client was across TCP 80 (http)?
New Member

Thanks!  How did this work

Thanks!  How did this work out for you?  We're still struggling with the issue occasionally.

Unfortunately, I've noticed the link is no longer working properly.

Re: Strategy for dealing with crl.verisign.com?

Figure out what the user agent is for the app, and turn off auth for it instead of tracking down the ips on either end of the conversation...

Sent from Cisco Technical Support iPad App
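The thread settles on two ways to scope an authentication exemption: by the CRL hosts the devices talk to (the original poster's address lists) or by the application's user agent (the last reply). The script below is an added example, not code from this thread, from Cisco or from any Ironport tool; it assumes a simplified squid-style access-log layout (epoch, elapsed ms, client IP, result/status, bytes, method, URL, quoted user agent) rather than the exact WSA format, assumes the proxy records its authentication challenge as an HTTP 407 (a transparent deployment may log a redirect instead, so the status is a parameter), and uses constructed sample lines: crl.verisign.com is the host named in the thread, while ocsp.example.net, the client addresses and the "GiftCardTerminal/2.1" agent are made up for the example. It pulls the challenged CRL/OCSP fetches out of the log and summarises the hosts, user agents and clients behind them, so the exemption can be written from observed traffic instead of guessed address ranges.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines (not real Ironport/WSA output). The layout
# is a simplified squid-style format assumed for this example:
#   <epoch> <elapsed_ms> <client_ip> <result>/<status> <bytes> <method> <url> "<user_agent>"
# crl.verisign.com comes from the thread; the other hosts, client IPs and the
# user agent are made up.
SAMPLE_LOG = """\
1700000000.101 12 10.1.2.3 TCP_DENIED/407 0 GET http://crl.verisign.com/pca3-g5.crl "GiftCardTerminal/2.1"
1700000000.204 9 10.1.2.4 TCP_DENIED/407 0 GET http://crl.verisign.com/pca3-g5.crl "GiftCardTerminal/2.1"
1700000000.310 88 10.1.2.5 TCP_MISS/200 5120 GET http://www.example.com/index.html "Mozilla/5.0"
1700000000.415 7 10.1.2.3 TCP_DENIED/407 0 GET http://ocsp.example.net/ "GiftCardTerminal/2.1"
1700000000.520 11 10.1.2.9 TCP_DENIED/407 0 GET http://intranet.example.com/app "Mozilla/5.0"
1700000000.633 40 10.1.2.3 TCP_MISS/200 1843 GET http://crl.verisign.com/pca3-g5.crl "GiftCardTerminal/2.1"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) '
    r'(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_revocation_fetch(url):
    """Heuristic: CRL downloads end in .crl, or go to a host named crl.* or ocsp.*."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    return path.endswith(".crl") or host.startswith(("crl.", "ocsp."))


def challenged_revocation_fetches(lines, challenge_status=407):
    """Return the parsed entries that were revocation fetches and hit an auth challenge.

    Assumption: the proxy logs the challenge as HTTP 407. A transparent deployment
    may log a redirect to its authentication page instead; pass that status here.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["status"] == challenge_status and is_revocation_fetch(entry["url"]):
            hits.append(entry)
    return hits


def exemption_candidates(lines):
    """Summarise hosts, user agents and clients behind the failed revocation fetches.

    The operator can then exempt the hosts, the user agent, or both, from
    authentication, based on what the devices actually requested.
    """
    hits = challenged_revocation_fetches(lines)
    hosts = Counter(urlsplit(e["url"]).hostname.lower() for e in hits)
    agents = Counter(e["ua"] for e in hits)
    clients = sorted({e["client"] for e in hits})
    return {"hosts": dict(hosts), "user_agents": dict(agents), "clients": clients}


if __name__ == "__main__":
    summary = exemption_candidates(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against an export of the real access log, the host counts give the CRL/OCSP names worth a bypass entry, and the user-agent count shows whether a single agent string would cover every affected device, which is the simpler rule to maintain when the CA's server addresses change.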
