Edge SWG (ProxySG) not serving the Notify User page when the default policy set to Deny
Article ID: 167630

Products

SGVA ISG Proxy Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

The Notify User action object does not change the Allow or Deny verdict of a transaction; therefore, the request must first match an Allow rule before the user can be served the Notify User page.


Without an ALLOW policy:

start transaction -------------------
  CPL Evaluation Trace: transaction ID=7504
           <Proxy>  condition=!__is_notify_internal 
    MATCH:     trace.request(yes) trace.rules(all) trace.destination(1234) 
           <Proxy "handle HTML Notification internal requests">
           [Rule]  url=http://notify.bluecoat.com/ 
    miss :     url=http://notify.bluecoat.com/
           [Rule]
    miss :     url=http://notify.bluecoat.com/
           [Rule]
    miss :     url=/notified-NotifyUser1?
    miss :     url=/verify-NotifyUser1?
    miss :     url=/verify-NotifyUser1?
           [Rule]
    MATCH:     action.__delete_notify_cookies(yes) 
           <Cache "suppress DRTR for HTML Notification internal URLs">
    miss :     condition=__is_notify_internal
  connection: service.name=Explicit HTTP client.address=10.105.0.128 proxy.port=8080
  time: 2011-01-11 03:43:53 UTC
  GET http://www.example.com
Cookie: PREF=ID=ff75e69b4f124e6c:U=7c97850933b01c6b:FF=0:TM=1293123577:LM=1293123577:S=ogNAFri8QKBYVybb
Cookie: NID=42=BDB00PAAz_RoT4NoNU2c4R5I_DIi68lTxZ7WUDdpzUsYNGW425YlMWb72BXODBxXHQYTKZY7Asei6nQY4cBRowwM7X5GS5c6HVVyI2fpdUxFFbv-V9mtrdhIlX0NtMsJ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)
  user: unauthenticated
  DENIED: Default secure policy mode           <----------------- Hitting the default DENY Policy
  DSCP client outbound: 65
  DSCP server outbound: 65
 
stop transaction --------------------
 
With an ALLOW policy:
 
start transaction -------------------
  CPL Evaluation Trace: transaction ID=7545
           <Proxy>  condition=!__is_notify_internal 
    MATCH:     ALLOW policy.NotifyUser1           <----------------- Hitting ALLOW Policy
           <Proxy>  condition=!__is_notify_internal 
    MATCH:     trace.request(yes) trace.rules(all) trace.destination(1234) 
           <Proxy "handle HTML Notification internal requests">
           [Rule]  url=http://notify.bluecoat.com/ 
    miss :     url=http://notify.bluecoat.com/
           [Rule]
    miss :     url=http://notify.bluecoat.com/
           [Rule]
    miss :     url=/notified-NotifyUser1?
    miss :     url=/verify-NotifyUser1?
    miss :     url=/verify-NotifyUser1?
           [Rule]
    MATCH:     action.__delete_notify_cookies(yes) 
           <Cache "suppress DRTR for HTML Notification internal URLs">
    miss :     condition=__is_notify_internal
  Called policy definition: NotifyUser1
           <Proxy>
    MATCH:     condition=__NotifyUser1_should_notify action.__NotifyUser1_check_notify(yes) 
  connection: service.name=Explicit HTTP client.address=10.105.0.128 proxy.port=8080
  time: 2011-01-11 03:45:26 UTC
  GET http://www.example.com
Cookie: PREF=ID=ff75e69b4f124e6c:U=7c97850933b01c6b:FF=0:TM=1293123577:LM=1293123577:S=ogNAFri8QKBYVybb
Cookie: NID=42=BDB00PAAz_RoT4NoNU2c4R5I_DIi68lTxZ7WUDdpzUsYNGW425YlMWb72BXODBxXHQYTKZY7Asei6nQY4cBRowwM7X5GS5c6HVVyI2fpdUxFFbv-V9mtrdhIlX0NtMsJ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)
  user: unauthenticated
  REDIRECT(policy_redirect)
  redirect location=http://notify.bluecoat.com/notify-NotifyUser1?http/www.google.com.my/aHR0cDovL3d3dy5nb29nbGUuY29tLm15Lw== (302) <----------------- Redirected to Notify User Page
 
  DSCP client outbound: 65
  DSCP server outbound: 65
 
stop transaction --------------------
 
 

Cause

When you add a Notify User rule, it is generated together with a "notifiable" condition. The Notify User rule only takes effect when the transaction matches that condition; one of its terms is http.response.code = 200, which means the flow must already have been allowed (and a response received from the server) for notify_user to work. Check the other terms of the condition as well, since each of them can also prevent the match.

From the Policy Trace, you may see this:

Called policy definition: NotifyUser1
        <Proxy> [vpm-cpl:45655]
  miss:     condition=__NotifyUser1_should_notify 

And from sysinfo:

define condition __NotifyUser1_should_notify
    condition=__is_notifiable \
    condition=!__is_notify_internal \
    request.header.Cookie=!'notified-NotifyUser1=1'
end

define condition __is_notifiable
    url.scheme=(http,https) \
    http.method=GET \
    request.header.User-Agent = '^(Mozilla|Opera)' \
    request.header.Range = !'' \
    request.header.If-Range = !'' \
    http.response.code = 200 \
    response.header.Content-Type='text/html'
end

Resolution

Make sure the transaction satisfies the conditions above. If your policy has a default Deny, add an ALLOW rule for the flow in a Web Access Layer, e.g. WebAccessLayer(1), and then add the Notify User rule in a subsequent Web Access Layer, e.g. WebAccessLayer(2).

Note: For the condition http.method=GET to match on HTTPS traffic, the flow must be SSL intercepted (decrypted); otherwise the GET request is not visible to the Edge SWG (ProxySG).
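The following Python model, added here as an illustration and not code from the article or from SGOS, re-implements the two CPL conditions shown under Cause (__NotifyUser1_should_notify and __is_notifiable) and the Allow-before-Notify ordering described under Resolution, then runs them over a set of constructed transactions. The Transaction class, the evaluate() verdicts and the sample requests are assumptions made for the example; __is_notify_internal is not defined on the page, so it is approximated by a check on the notify host; and the CPL tests request.header.Range = !'' and request.header.If-Range = !'' are read as "the header is absent". The point it makes concrete is that a transaction stopped by the default Deny never obtains the http.response.code = 200 / text/html response that __is_notifiable requires, so the notify redirect can never fire, while an allowed transaction still has to clear every other term of the condition.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed transaction model for this example. It is not a ProxySG API;
# it only carries the fields the two CPL conditions on the page test.
@dataclass
class Transaction:
    url_scheme: str
    host: str
    method: str
    headers: Dict[str, str] = field(default_factory=dict)  # request headers
    allowed: bool = False                 # True if a Web Access Layer ALLOW rule matched
    response_code: Optional[int] = None   # None: no server response was obtained
    response_content_type: str = ""

# request.header.User-Agent = '^(Mozilla|Opera)'
BROWSER_UA = re.compile(r"^(Mozilla|Opera)")


def is_notify_internal(tx: Transaction) -> bool:
    """Simplified stand-in for __is_notify_internal (its definition is not on the
    page): treat requests to the notify host itself as internal. Assumption."""
    return tx.host == "notify.bluecoat.com"


def is_notifiable(tx: Transaction) -> bool:
    """Mirror of `define condition __is_notifiable`; every term must hold.
    Assumption: `request.header.Range = !''` is read as 'no Range header'."""
    h = tx.headers
    return (
        tx.url_scheme in ("http", "https")
        and tx.method == "GET"
        and BROWSER_UA.search(h.get("User-Agent", "")) is not None
        and not h.get("Range")
        and not h.get("If-Range")
        and tx.response_code == 200
        and tx.response_content_type.startswith("text/html")
    )


def should_notify(tx: Transaction, name: str = "NotifyUser1") -> bool:
    """Mirror of `__NotifyUser1_should_notify`: notifiable, not an internal
    notify request, and the notified-<name>=1 cookie has not been set yet."""
    already_notified = f"notified-{name}=1" in tx.headers.get("Cookie", "")
    return is_notifiable(tx) and not is_notify_internal(tx) and not already_notified


def evaluate(tx: Transaction) -> str:
    """Verdict the policy trace would show for this transaction (simplified)."""
    if not tx.allowed:
        # Default Deny: the request never reaches the origin server, so there is
        # no 200 text/html response for __is_notifiable to match against.
        return "DENIED"
    if should_notify(tx):
        return "REDIRECT(policy_redirect)"
    return "ALLOWED"


# Browser User-Agent taken from the trace on the page.
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"


def run_samples() -> Dict[str, str]:
    """Constructed transactions: the default-Deny case plus the main reasons an
    allowed transaction can still miss __NotifyUser1_should_notify."""
    base = dict(url_scheme="http", host="www.example.com", method="GET")
    html = dict(allowed=True, response_code=200, response_content_type="text/html")
    samples = {
        "default_deny": Transaction(**base, headers={"User-Agent": UA}),
        "allowed_html": Transaction(**base, headers={"User-Agent": UA}, **html),
        "already_notified": Transaction(
            **base, headers={"User-Agent": UA, "Cookie": "notified-NotifyUser1=1"}, **html),
        "range_request": Transaction(
            **base, headers={"User-Agent": UA, "Range": "bytes=0-1023"}, **html),
        "non_browser": Transaction(**base, headers={"User-Agent": "curl/7.68.0"}, **html),
        "not_html": Transaction(**base, headers={"User-Agent": UA}, allowed=True,
                                response_code=200, response_content_type="image/png"),
    }
    return {name: evaluate(tx) for name, tx in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
```

Only allowed_html produces the redirect; default_deny is refused before any response exists, and the remaining samples are allowed through without notification because a single term of __is_notifiable or the notified cookie check fails. When a Notify User rule does not fire on a real appliance, comparing a policy trace of the transaction against these terms one by one is the quickest way to find which one missed.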