No access though SWG proxy following upgrade to 5.1.1.
Last Updated January 13, 2014
Following an upgrade to SWG 5.1.1 users can no longer access sites through the SWG proxy. The SWG will successfuly respond with the block page for sites that are blocked however.
Clients will not receive an error message from the SWG but may receive a timeout error from the browser.
SWG 5.1.1 changed the behavior of the "X-Forwarded-for" HTTP header. In previous versions the "X-Forwarded-for" header would contain the IP of the proxied client. In 5.1.1 this value has been changed to "unknown". This may cause an issue with some Intrusion Prevention Systems (IPS). For example you may see a rule triggered on the IPS with information such as "
HTTP Server X-Forwarded-For Denial-of-Service" with a source IP of the SWG.
The default Forwarded-For setting has been changed to "delete" in SWG 5.2. This deletes the entire X-Forwarded-For header which resolves this problem. SWG 5.2 will be generally available from late January 2014.
SWG in proxy or inline+proxy mode.
Imported Document ID: TECH211188
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe