When accessing www.campusship.ups.com through a ProxySG in a transparent deployment, the page may not load or may be slow to respond. The problem does not occur when the web browser is configured to use the proxy explicitly.
The cause of the problem is that there is no PTR record for reverse DNS lookup of www.campusship.ups.com. Please see the additional details section below for full details.
To resolve the problem, configure the ProxySG not to perform reverse DNS lookups for the www.campusship.ups.com IP addresses. Please do the following:
1.) Go to the Management Console (https://<ip.address.of.proxysg>:8082) on the ProxySG
2.) Go to the Configuration tab > Policy > Visual Policy Manager > Launch
3.) Click on Configuration from the menu bar
4.) Select Set Reverse DNS Lookup Restriction
5.) With the Listed Subnet radio button enabled in the top section, click the Add button
6.) In the dialog box enter the IP address 126.96.36.199 and subnet mask of 255.255.255.255
7.) Click the Add button
8.) Enter the IP address 188.8.131.52 and subnet mask 255.255.255.255
9.) Click OK
10.) Click Install Policy and OK
NOTE: The above IP addresses were associated with www.campusship.ups.com at the time this article was written (11DEC2009), but may have changed. To be sure you are entering the valid IP addresses, please perform an "nslookup" on the hostname to verify.
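Because the addresses above may have changed since 11DEC2009, the following added example (not part of the original article and not Blue Coat's code) performs the verification the note describes from a workstation: it resolves the hostname forward, attempts a reverse lookup for each address, and lists the addresses that have no PTR record as host/255.255.255.255 entries for the Listed Subnet dialog. It works for any hostname, not only www.campusship.ups.com, which is the general case described later in this article. The resolver functions are injectable so the logic can be exercised with constructed results; the hostname and addresses in the comments are assumptions for illustration.

```python
# Added example, not from the original Blue Coat article. Finds which addresses
# behind a hostname have no PTR record, i.e. the addresses that cause the
# reverse DNS lookup to time out on a transparent ProxySG, and prints them as
# entries for the "Set Reverse DNS Lookup Restriction" dialog.
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Both socket.gethostbyname_ex and socket.gethostbyaddr return (name, aliases, addresses).
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]


def forward_addresses(hostname: str, resolver: Resolver = socket.gethostbyname_ex) -> List[str]:
    """Return the IPv4 addresses currently published for hostname (what nslookup shows)."""
    _canonical, _aliases, addresses = resolver(hostname)
    return sorted(set(addresses))


def reverse_name(ip: str, resolver: Resolver = socket.gethostbyaddr) -> Optional[str]:
    """Return the PTR name for ip, or None when the reverse lookup fails.

    NXDOMAIN, SERVFAIL and a query that simply gets no answer all surface as
    socket.herror (a subclass of OSError), so every failure maps to None.
    """
    try:
        name, _aliases, _addresses = resolver(ip)
        return name
    except OSError:
        return None


def ptr_report(hostname: str,
               forward: Resolver = socket.gethostbyname_ex,
               reverse: Resolver = socket.gethostbyaddr) -> Dict[str, Optional[str]]:
    """Map each address of hostname to its PTR name, or None if it has no PTR record."""
    return {ip: reverse_name(ip, reverse) for ip in forward_addresses(hostname, forward)}


def restriction_entries(report: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Addresses lacking a PTR, as (ip, mask) pairs for the Listed Subnet dialog.

    A /32 mask (255.255.255.255) exempts exactly one host, matching the
    procedure in the article.
    """
    return [(ip, "255.255.255.255") for ip, name in sorted(report.items()) if name is None]


if __name__ == "__main__":
    import sys
    # Hostname is taken from the command line; www.campusship.ups.com is only the article's example.
    host = sys.argv[1] if len(sys.argv) > 1 else "www.campusship.ups.com"
    report = ptr_report(host)
    for ip, name in sorted(report.items()):
        print(f"{ip:<16} {name or 'NO PTR RECORD'}")
    for ip, mask in restriction_entries(report):
        print(f"add to reverse DNS lookup restriction: {ip} {mask}")
```

Run it as `python ptr_check.py www.campusship.ups.com` on a machine whose resolver can reach the public DNS; the lookup timeout is governed by the operating system's resolver settings, not by the script. Only addresses reported with no PTR need to be added to the restriction list; re-run the check whenever the site's addresses change.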
For those that are using Threatpulse (Blue Coat Cloud), please see
When the ProxySG is configured to allow or deny access to URLs, it must determine the hostname of the site being requested. For an HTTP site, the proxy simply reads the Host header of the HTTP request. However, since www.campusship.ups.com redirects to an HTTPS URL, the communication is encrypted with SSL, so the proxy cannot observe the HTTP headers until the SSL traffic is intercepted and decrypted (if configured), and that does not happen until after the initial policy evaluation. When hostname or URL policy is present, the proxy must therefore resort to an alternative method of determining the destination hostname at policy evaluation time. One such method is a reverse DNS lookup on the destination IP address provided by the client. Because reverse DNS queries for the www.campusship.ups.com addresses receive no response, the proxy's lookup hangs until it times out.
This issue only applies to transparent proxy configurations. In an explicit proxy configuration, even after being redirected to HTTPS, the client sends the proxy an HTTP CONNECT request to establish the SSL connection. This request carries the hostname of the server, so the proxy does not need to perform a reverse DNS lookup.
Also, please note that www.campusship.ups.com is used only as an example because this issue is frequently reported with that site. Keep in mind that the same problem can occur with any SSL site whose IP addresses have no PTR record when hostname-based policy is present on the ProxySG.
Imported Document ID: 000012779