How multiple domain names work in the DNS feature

I need a solution

Hi

I have 6 internal DNS servers which own internal domain names. I have divided the domain names among the DNS servers in the proxy because each server can be specified with a maximum of 8 domain names. My problem is that when I add one of my domains to the D group (as in the picture below), the proxy status becomes warning (group D had 1 domain previously), but when I remove it, the proxy status becomes OK. After that I put this one problem domain in the C group and the proxy status is still OK.

So I decided to put the problem domain name back in group C and run a packet capture on the proxy. It seems the proxy looks up only one domain name in the list and not the problem domain. Then I put the problem domain name in group D and ran a packet capture. The proxy looked up the problem domain and the status turned to warning.

Group C has 7 domain names in the list and group D has only 1 domain name in the list (this excludes the problem domain).

I have tested looking up the A record for this domain name from my computer using all the DNS servers, and the result is the same.

This is why I wonder how Domains in the DNS feature work, and I am not sure whether the problem I have faced is normal behavior of the proxy.

Apologize for bad grammar 🙁


Citrix ADC SSLVPN Counters

This article lists the newnslog SSLVPN counters with a brief description of each.

Using the Counters

Log on to the ADC using an SSH client, switch to the shell, change to the /var/nslog directory, and then use the "nsconmsg" command to see comprehensive statistics for the available counters. For the detailed procedure refer to Citrix Blog – NetScaler ‘Counters’ Grab-Bag!.

The newnslog SSLVPN counters

The following table lists the newnslog SSLVPN counters with a simple description of the counter.

newnslog counter                        Description
svpn_login_html_hit                     Number of requests for VPN login page
svpn_minihttpd_fail                     Number of failures to display VPN login page
svpn_cfg_html_hit                       Number of client configuration requests received by VPN server
svpn_dns_hit                            Number of DNS queries resolved by VPN server
svpn_wins_hit                           Number of WINS queries resolved by VPN server
svpn_cs_hits                            Number of SSL VPN tunnels formed between VPN server and client
svpn_cs_nonhttp_probes                  Number of probes from VPN to back-end non-HTTP servers that have been accessed by the VPN client
svpn_cs_http_probes                     Number of probes from VPN to back-end HTTP servers that have been accessed by the VPN client
svpn_cs_con_hits                        Number of successful probes to all back-end servers
svpn_fs_hits                            Number of file system requests received by VPN server
iip_tot_no_iip_config_no_mip            Number of times both IIP and MIP are disabled
iip_tot_no_iip_config_no_tfr_no_mip     Number of times IIP assignment failed and MIP is disabled
iip_tot_no_iip_config_uses_mip          Number of times MIP is used because IIP is not configured
iip_tot_iip_config_uses_mip             Number of times MIP is used because IIP assignment failed
iip_tot_iip_config_spillover_uses_mip   Number of times MIP is used on IIP spillover
socks_method_req_recvd                  Number of SOCKS method requests received
socks_method_req_sent                   Number of SOCKS method requests sent
socks_method_resp_recvd                 Number of SOCKS method responses received
socks_method_resp_sent                  Number of SOCKS method responses sent
socks_connect_req_recvd                 Number of SOCKS connect requests received
socks_connect_req_sent                  Number of SOCKS connect requests sent
socks_connect_resp_recvd                Number of SOCKS connect responses received
socks_connect_resp_sent                 Number of SOCKS connect responses sent
ipv6to4_map_insert_err                  Number of IPv6-to-IPv4 mapping insert errors
ipv6to4_findv6map_err                   Number of IPv6-to-IPv4 find-IPv6-mapping errors
parse_ipv6_addr_err                     Number of errors parsing an IPv6 address from an address string
socks_server_err                        Number of SOCKS server errors
socks_client_err                        Number of SOCKS client errors
sta_connect_success                     Number of successful STA connections
sta_connect_failure                     Number of failed STA connections
cps_connect_success                     Number of successful CPS connections
cps_connect_failure                     Number of failed CPS connections
sta_req_sent                            Number of STA requests sent
sta_resp_recvd                          Number of STA responses received
sta_renew_req_sent                      Number of STA renew requests sent
sta_renew_resp_recvd                    Number of STA renew responses received
sta_response_reassembly_err             Number of STA response reassembly errors
sta_renew_no_client                     Number of STA renew responses for missing clients
sta_renew_missing_refresh               Number of STA renew responses missing refresh values
sta_validate_no_client                  Number of STA validate responses for clients that have already closed
sta_validate_not_established            Number of STA validate responses for clients not in TCP ESTABLISHED state
sta_mon_req                             Number of STA monitor requests sent
sta_mon_recvd                           Number of STA monitor responses received
sta_mon_success                         Number of STA monitor successful responses
sta_mon_failure                         Number of STA monitor failed responses
ica_license_failure                     Number of ICA license failures
dtls_sta_validate_req                   Number of STA validation requests on DTLS
dtls_sta_validate_err                   Number of STA validation request errors on DTLS
dtls_sta_reconnect_tkt_req              Number of STA reconnect ticket requests on DTLS
dtls_sta_postrsp_success                Number of successful STA validations done on DTLS
dtls_sta_postrsp_err                    Number of errors during STA validations on DTLS
turn_active_client_listeners            Number of active TURN client listeners
stun_active_client_listeners            Number of active STUN client listeners
turn_active_internal_listeners          Number of active TURN internal listeners
turn_active_peer_listeners              Number of active TURN peer listeners
turn_tot_preamble_received              Total number of preambles received on DTLS channel with STA ticket
turn_tot_preamble_sent                  Total number of preambles sent on DTLS channel with STA reconnect ticket
turn_tot_allocate_req                   Total number of TURN allocate requests received
turn_tot_channel_bind_req               Total number of TURN channel bind requests received
turn_tot_create_permission_req          Total number of TURN create permission requests received
turn_tot_refresh_req                    Total number of TURN refresh requests received
turn_active_super_sessions              Number of active TURN super sessions present
turn_active_client_sockets              Number of active TURN client sockets held
turn_active_relay_sockets               Number of active TURN relay sockets held
turn_active_permissions                 Number of active TURN permissions created
turn_active_channels                    Number of active TURN channels operating
turn_misc_active_counter                Total number of TURN miscellaneous counters
turn_tot_misc_error                     Total number of TURN miscellaneous errors
turn_tot_internal_error                 Total number of TURN internal errors
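As an added example (not part of the Citrix article), the script below parses the text that the nsconmsg procedure above prints and turns a few of the counters in the table into health signals a SOC would actually watch: the STA connect failure ratio, the login-page failure ratio and ICA license failures. The column layout (Index, rtime, totalcount-val, delta, rate/sec, symbol-name&device-no) is assumed from the output of "nsconmsg -K /var/nslog/newnslog -d current -g <pattern>"; the sample text and the alert thresholds are constructed for the example, not captured from an appliance.

```python
"""Parse nsconmsg counter output and derive SSL VPN health signals.

Added example; not Citrix code. Assumes the column layout that
`nsconmsg -K /var/nslog/newnslog -d current -g <pattern>` prints
(Index, rtime, totalcount-val, delta, rate/sec, symbol-name&device-no).
The SAMPLE text is constructed in that shape, not captured from a device.
"""
import re
from collections import defaultdict

# Constructed sample resembling two consecutive nsconmsg records.
SAMPLE = """\
reltime:mili second between two records Fri Sep 27 10:00:00 2019
Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
    0    7000           1200         40        5 svpn_login_html_hit
    1    7000             30          6        0 svpn_minihttpd_fail
    2    7000            980         20        2 sta_connect_success
    3    7000            120         35        5 sta_connect_failure
    4    7000             14          3        0 ica_license_failure
reltime:mili second between two records Fri Sep 27 10:00:07 2019
    0    7000           1240         40        5 svpn_login_html_hit
    1    7000             33          3        0 svpn_minihttpd_fail
    2    7000           1000         20        2 sta_connect_success
    3    7000            160         40        5 sta_connect_failure
"""

# One data row: index, rtime, total, delta, rate, symbol name.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(\S+)\s*$")


def parse_nsconmsg(text):
    """Return {counter: (latest_total, sum_of_deltas)} from nsconmsg text.

    Header and 'reltime' lines are skipped. A counter that appears in
    several records keeps the latest totalcount and accumulates its deltas.
    """
    totals = {}
    deltas = defaultdict(int)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _idx, _rtime, total, delta, _rate, name = m.groups()
        # Per-device symbols carry a "&<device>" suffix; strip it.
        name = name.split("&", 1)[0]
        totals[name] = int(total)
        deltas[name] += int(delta)
    return {k: (totals[k], deltas[k]) for k in totals}


def ratio(num, den):
    """Safe division for counters that may still be zero."""
    return num / den if den else 0.0


def vpn_health(counters, sta_fail_max=0.10, login_fail_max=0.05):
    """Derive failure ratios from parsed counters and list those over the
    (assumed, tunable) thresholds. Totals are cumulative since boot, so
    these are lifetime ratios; use the delta column for a windowed view.
    """
    def total(name):
        return counters.get(name, (0, 0))[0]

    sta_ok, sta_bad = total("sta_connect_success"), total("sta_connect_failure")
    login, login_bad = total("svpn_login_html_hit"), total("svpn_minihttpd_fail")
    report = {
        "sta_failure_ratio": ratio(sta_bad, sta_ok + sta_bad),
        "login_page_failure_ratio": ratio(login_bad, login),
        "ica_license_failures": total("ica_license_failure"),
    }
    checks = (
        ("sta_failure_ratio", report["sta_failure_ratio"], sta_fail_max),
        ("login_page_failure_ratio", report["login_page_failure_ratio"], login_fail_max),
    )
    report["alerts"] = [name for name, value, limit in checks if value > limit]
    return report


if __name__ == "__main__":
    parsed = parse_nsconmsg(SAMPLE)
    for name, (total, delta) in sorted(parsed.items()):
        print(f"{name:28s} total={total:8d} delta={delta:5d}")
    print(vpn_health(parsed))
```

Feed it real output by piping the nsconmsg command into the script on a management host; the counter names are the ones in the table above, so extending the health checks is a matter of adding a row to "checks".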


Reflect Client IP

I need a solution

Hi There,

Good Day,

I have one question. While deploying the ProxySG in transparent mode, there is an option "reflect client IP". Can someone please tell me how this works in detail? When it says reflect client IP, does that mean the proxy will spoof the client IP to send the request to the origin server? If yes, should there be a policy created for each client IP in the firewall to allow the connection, since the firewall will see the client IP?

Please suggest how that works.

Thanks in advance.

Regards

Raj


CPL Transactions

I need a solution

Hello Guys,

I have a question and a concern regarding transaction types in ProxySG, as I need to know how the following transaction types

http.proxy, http.refresh, http.pipeline, http.content-pull, http.document, http.internal, http.diagnostics, http.health-check, https.reverse-proxy, https.forward-proxy, https.refresh, https.pipeline, https.content-pull, https.document, https.diagnostics, https.health-checks, ftp.proxy, ftps, ftp.content-pull, mms.proxy, mms.noauth.proxy, mms.content-pull, mms.internal, rtmp.proxy, rtmp.content-pull, rtsp.proxy, rtsp.content-pull, rtsp.internal, aol-im.proxy, msn-im.proxy, yahoo-im.proxy, socks.proxy, socks.internal, tcp.tunnel, admin.https.cag, admin.http.cag, admin.telnet, admin.serial, admin.ssh, admin.https.init-cfg, admin.https.mgmt, admin.http.mgmt, admin.https.proxy-client, clientless, icp, dns.proxy, telnet.proxy, p2p.proxy, epmapper.proxy, epmapper.tunnel, ssl.intercept, ssl.tunnel, ssl.reverse-proxy, ssl.forward-proxy, msrpc.proxy, cifs.proxy, cifs.content-pull, ocsp.http, ocsp.https, icmp.health-check, tcp.health-check, ssl.health-check, srtr.health-check, authentication.health-check, dns.health-check, hsm.health-check, snmp, syslog.relay, webex.proxy, drtr.document, mapihttp.proxy, sip, sip-ssl, msturn

are mapped to the following transaction classes:

<Admin> <Cache> <DNS-Proxy> <Exception> <Forwarding> <Proxy> <SSL> <SSL-Intercept> <Tenant>

so that I can finally know which VPM layers should be evaluated for each of these 74 transaction types.

Thanks


Understanding Explicit HTTP Intercept Proxy Protocol

I need a solution

So I’m new to Blue Coat Proxy and proxies in general, but am an experienced network person. I work in a (new) environment where we use BC proxies, and browsers are essentially set up to use proxy TCP port 74. Likewise, in our BC, our proxy services Predefined Service Group Explicit HTTP is set up for explicit port 74 and to intercept.

If I look at my browser traffic in Wireshark, I see unreadable/undecoded payload within TCP port 74. Is this the SOCKS protocol? Or just HTTP within port 74, and Wireshark doesn’t know how to decode it because it isn’t in its library? I believe the IT forefathers simply picked TCP port 74 as a tunneling protocol due to its likelihood of being unique in our environment. I’m just trying to understand what the protocol is between the browser and the BC proxy, or whether it’s simply HTTP tunneled over TCP port 74.

This is really bothering me that I don’t understand.

Thanks! 


ProxySG | IP Phone SIP Protocol cannot connect via Proxy

I need a solution

Dear All

My customer would like to connect an IP phone to a cloud IP phone system, and it connects through a proxy of type explicit.

On the IP phone we can configure it to use the proxy. We tried to test connecting to the internet but could not connect.

For VPM policy we have already created an exception for all of these IP phones.

When checking traffic on the proxy we did not find an active session from the IP of the IP phone,

and then we tried to check the error sessions and found an error from the IP of the IP phone.

The details of this error session are as below:

Client    Server    A    S    FW    I    Duration    Client Bytes    Server Bytes    Savings    C    BC    OC    P    BM    Service Name    Application    Protocol    Detail    Age

10.223.176.32:39043        –    –    –    –    0 sec    1482    0    100%    –    –    OC (D)    P    BM (D)    Explicit HTTP    HTTP    HTTP(error) : “The request HTTP version is invalid”       2 sec

It has the error: The request HTTP version is invalid.

Proxy IP: 10.180.192.100   IP-Phone IP:10.223.176.32

My customer uses ProxySG SGOS version 6.6.5.9. If you would like more information, please let me know.

Thank you so much for your help.

Best Regards,

Chakuttha R.

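Two of the posts above ask what is actually on the wire: whether the bytes on TCP port 74 are SOCKS or HTTP, and why an IP phone's request is rejected with "The request HTTP version is invalid". The script below is an added example (not Blue Coat or Symantec code) that answers both kinds of question from the first bytes a client sends, which is what to look at in a capture rather than the port number: a SOCKS5 greeting starts with 0x05, a SOCKS4 request with 0x04, a TLS record with 0x16 0x03, and an explicit HTTP proxy request is a readable request line with a full URL (or CONNECT host:port) as its target. The sample payloads are constructed; the SIP REGISTER sample is an assumption about what a phone might send to an HTTP proxy port and shows the class of input an HTTP parser rejects on the version token, not a confirmed cause of the error in the post.

```python
"""Classify the first bytes a client sends on a proxy port.

Added example, not Blue Coat/Symantec code. Decides from the initial
payload alone whether a client is speaking SOCKS4, SOCKS5, TLS, an HTTP
proxy request, or something an HTTP parser would reject on its version.
"""
import re

# RFC 7230: request-line = method SP request-target SP HTTP-version CRLF,
# HTTP-version = "HTTP/" DIGIT "." DIGIT, method = token (tchar set below).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(
    rb"^(?P<method>" + TOKEN + rb") (?P<target>\S+) (?P<version>\S+)\r?\n"
)
HTTP_VERSION = re.compile(rb"^HTTP/[0-9]\.[0-9]$")


def classify(payload: bytes) -> dict:
    """Return a dict with 'protocol' and details for the first client bytes."""
    if (len(payload) >= 2 and payload[0] == 0x05 and payload[1] >= 1
            and len(payload) >= 2 + payload[1]):
        # SOCKS5 greeting (RFC 1928): VER=5, NMETHODS, METHODS[NMETHODS]
        return {"protocol": "socks5", "methods": list(payload[2:2 + payload[1]])}
    if len(payload) >= 9 and payload[0] == 0x04 and payload[1] in (1, 2):
        # SOCKS4 CONNECT/BIND: VN=4, CD, DSTPORT(2), DSTIP(4), USERID, NUL
        port = int.from_bytes(payload[2:4], "big")
        ip = ".".join(str(b) for b in payload[4:8])
        return {"protocol": "socks4", "cmd": payload[1], "dst": (ip, port)}
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        # TLS record header: ContentType handshake (22), version 0x03xx
        return {"protocol": "tls", "note": "TLS without any proxy framing"}
    m = REQUEST_LINE.match(payload)
    if not m:
        return {"protocol": "unknown"}
    method, target, version = m.group("method"), m.group("target"), m.group("version")
    if not HTTP_VERSION.match(version):
        # A well-formed request line whose third token is not HTTP/x.y
        # (e.g. SIP/2.0, RTSP/1.0): the input an HTTP proxy rejects as an
        # invalid request HTTP version.
        return {"protocol": "http-invalid-version", "method": method.decode(),
                "version": version.decode(errors="replace")}
    if method == b"CONNECT":
        form = "authority"  # CONNECT host:port, HTTPS tunnelled through a proxy
    elif target.startswith((b"http://", b"https://")):
        form = "absolute"   # explicit proxy request: full URL in the target
    else:
        form = "origin"     # server-style request, e.g. transparent interception
    return {"protocol": "http", "method": method.decode(),
            "target_form": form, "version": version.decode()}


# Constructed samples (not captured traffic).
SAMPLES = {
    "browser via explicit proxy": b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "browser CONNECT": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "socks5 greeting": b"\x05\x02\x00\x02",
    "socks4 connect": b"\x04\x01\x00\x50\x5d\xb8\xd8\x22user\x00",
    "tls client hello": b"\x16\x03\x01\x00\xc8\x01\x00",
    "sip register on http port": b"REGISTER sip:pbx.example SIP/2.0\r\nVia: SIP/2.0/TCP 10.0.0.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:28s} -> {classify(data)}")
```

To use it on a capture, export the first client-to-server segment of a flow as raw bytes (Wireshark's "Follow TCP Stream" in raw mode, or tcpflow) and pass those bytes to classify(). If the browser bytes on port 74 come back as "http" with an "absolute" target, Wireshark simply was not told to decode port 74 as HTTP ("Decode As..." fixes that); if they come back as "socks5", the service is really SOCKS.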

Policies and Applications are not pushing to iOS devices from XenMobile (Proxy Enabled Environment)

Since XenMobile is configured with a proxy, its traffic goes through the proxy to the internet. Hence, if you have configured an HTTP or HTTPS proxy with authentication, APNS is not a supported target for that proxy (see the table below), and APNS-dependent pushes fail.

[Image: proxy server setup]

The following table lists the supported target types for each proxy server type.

Proxy type                  Supported targets
SOCKS                       APNS
HTTP                        APNS, Web, PKI
HTTPS                       Web, PKI
HTTP with authentication    Web, PKI
HTTPS with authentication   Web, PKI

To test, remove APNS from the authenticated proxy configuration and reconfigure: either configure the proxy without authentication, or enable SOCKS on the proxy server and add APNS to the SOCKS proxy in the XenMobile CLI.

Note: Any change in proxy settings requires a reboot.

If you have configured APNS under multiple proxy options (HTTP, SOCKS, HTTPS), it is advisable to use only one of them: this narrows down the issue, and multiple proxy options for a single component create ambiguity.


7021981: Connecting through a Firewall with Reflection FTP Client

Passive Mode FTP

Passive mode FTP transfers use only outbound connections from the client for both the control and the data connection. Reflection FTP uses passive mode by default. If you suspect your firewall is blocking inbound connections, follow the steps below to confirm that Reflection FTP Client is configured for passive mode connections.

  1. Start Reflection FTP Client.
  2. On the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Properties.
  3. In the Site Properties dialog box, click the Connection tab and confirm that the "Use passive mode" check box is selected.
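The steps above turn on passive mode; the script below is an added example (not Reflection or Micro Focus code) of why that matters at a firewall. It parses the server's 227 reply (RFC 959) to find the address the client connects out to, builds the PORT command that active mode would send instead (which asks the server to open a connection inbound to the client, the connection an outbound-only firewall drops), and applies the check a careful client makes on a 227 reply: reject an address that is not the control-connection peer unless explicitly trusted, so a hostile or NAT-confused server cannot point the client's data connection at a third host. The exchange is constructed and the addresses are documentation ranges.

```python
"""Passive vs. active FTP data connections, and a safe PASV parser.

Added example, not Reflection code. Constructed exchange; no network I/O.
"""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -- RFC 959 section 4.1.2
PASV_REPLY = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str, control_peer_ip: str, trust_server_ip: bool = False):
    """Return (ip, port) the client connects OUT to for the data channel.

    Raises ValueError on a malformed reply, an octet out of range, port 0,
    or (unless trust_server_ip is set) an address that differs from the
    control-connection peer. Passive mode is firewall-friendly precisely
    because this connection is outbound from the client.
    """
    m = PASV_REPLY.search(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply")
    ip = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 in PASV reply")
    if not trust_server_ip and ip != control_peer_ip:
        # A server behind NAT may advertise its private address; a hostile
        # one may advertise a victim. Either way, do not connect there
        # unless the operator has opted in.
        raise ValueError(f"PASV address {ip} differs from control peer {control_peer_ip}")
    return ip, port


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client listens on client_port and asks the server
    to connect INBOUND to it. That inbound connection is what a client-side
    firewall permitting only outbound traffic blocks."""
    if not 1 <= client_port <= 65535:
        raise ValueError("port out of range")
    octets = client_ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return f"PORT {','.join(octets)},{client_port // 256},{client_port % 256}"


if __name__ == "__main__":
    # Constructed exchange: control connection to 203.0.113.10:21.
    server_ip = "203.0.113.10"
    print("passive ->", parse_pasv("227 Entering Passive Mode (203,0,113,10,195,82).", server_ip))
    try:
        parse_pasv("227 Entering Passive Mode (198,51,100,7,0,21).", server_ip)
    except ValueError as err:
        print("rejected:", err)
    print("active  ->", build_port_command("192.0.2.25", 50000))
```

The same address check is the reason modern FTP clients, including Python's ftplib since 3.8.9/3.9.3, ignore the host part of a 227 reply by default and reuse the control-connection address; leave trust_server_ip off unless you know the server is behind a NAT that rewrites its reply correctly.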

SOCKS Proxy Server Firewalls

SOCKS proxy servers use the SOCKS protocol between the FTP client and the proxy server. Reflection FTP Client includes support for SOCKS servers.

To configure Reflection FTP Client to support a SOCKS proxy server, follow the steps below that correspond to your version of Reflection.

  1. Start Reflection FTP Client.
  2. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. Select the Proxy tab > Use proxy server > SOCKS. Click Configure.
  4. Enter the IP address of your SOCKS proxy server.
  5. Click OK to close the open dialog boxes, and then retry your connection.

See the product help for more information about configuring Reflection for multiple SOCKS proxy servers.

Common FTP Passthrough Server Firewalls

Passthrough servers differ from other proxy servers in that they use the FTP protocol to communicate between the FTP client and the firewall. To configure Reflection FTP Client to support common FTP Passthrough servers, follow the steps below.

  1. Start Reflection FTP Client.
  2. On the Connection menu, click Connect. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. On the Firewall tab, select the Use Firewall check box.
  4. In the Style drop-down list select the authentication style used by your server. For information about the available options, search on “Firewall Authentication Styles” in the product help.
  5. The Server name and User name fields on this tab become enabled or disabled depending on the authentication style you selected. Enter these values as required by your authentication type.
  6. If you want to avoid entering a required password for future connections, select “Save password” and then enter the password.
  7. If you are using the “username@servername” style and your passthrough server requires a login before the USER command, select the Passthrough authentication check box.
  8. Click OK to close all of the dialog boxes, and then retry your connection.

Uncommon FTP Passthrough Server Firewalls

There is no industry-standardized format for connecting through an FTP passthrough server. Because of the wide variation in authentication methods, you may need to experiment with the information you enter in the passthrough server and general site properties fields in Reflection.

For example, you may need to enter your firewall user name instead of your FTP server user name on the General tab of the Site Properties. Consult your firewall documentation for the required syntax.

HTTP Proxy Server Firewalls

Some firewalls support HTTP proxy connections. To configure the FTP Client to use an HTTP proxy:

  1. Start Reflection FTP Client.
  2. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. Select the Proxy tab > Use proxy server > HTTP. Click Configure.
  4. Enter connection information for your HTTP proxy server.
  5. Click OK to close the open dialog boxes, and then retry your connection.


Implementing SOCKS IWA authentication – side effects on normal web browsing auth.?

I need a solution

Hi everyone,

I’m trying to set up SOCKS IWA authentication on our ASG-400 proxies. Basically, I’ve managed to make it work and I tested it OK. However, when I ran my tests I noticed a strange behaviour in normal browsing authentication with any web browser except IE.

When I set the SOCKS auth layer on, I was able to connect using FileZilla and a SOCKS5 proxy to some SFTP server with my AD login. Everything seemed OK. However, right after the FileZilla connection, I tried to log off my IWA session (using the dedicated Authentication web page in the GUI) and attempted some normal web browsing with Chrome, Firefox or a Chrome fork (Vivaldi). Every time, I was prompted by the web browser to log on to the proxy with my AD account. However, AD auth. is normally always transparent on our proxies and has always worked fine. I made a couple of tries with IE and did not get the same behaviour. On IE, I was not prompted and was able to browse any site immediately. I then used another web browser and was not prompted anymore. Upon removing the SOCKS auth layer and going through the same steps, I stopped being prompted by any web browser.

I’ve tried to add a layer guard to the SOCKS authentication layer to ensure only SOCKS traffic goes through it (and normal web browsing only matches the normal IWA web auth layer). I’ve based the guard rule on a “proxy port 1080” object. It seems to work OK, as I can see the rule/layer is tagged “miss” in the policy trace when connecting via SOCKS. Still, I get prompted for authentication on web browsers other than IE for normal web browsing.

I’m using the proxy-IP auth mode and I would like to keep it (less resource-consuming in our environment).

– Is there any special way to enable SOCKS IWA authentication along with web browsing IWA authentication, making sure the two do not interfere with each other (as far as the user experience is concerned)?

Here’s how the CPL looks as far as layers go:

;; Tab: [Qradar]
<Proxy>
	[Logging_layer]
	
;; Tab: [Admin Authentication Layer]
<Admin>
	[admin-auth_layer]
	
;; Tab: [Admin Access Layer]
<Admin>
	[admin-access_layer]
	
;; Tab: [SOCKS Authentication Layer]
<Proxy> condition=__Proxy__P1080	; Guard Rule	
	socks.authenticate(IWA_XXX) socks.authenticate.force(no)	; Rule 1	
	
;; Tab: [SSL Intercept Layer]
<SSL-Intercept>
	[SSL-intercept_layer]
        [only a few IPs intercepted, mine included]

;; Tab: [SSL Access Layer]
<SSL>
	[SSL-access_layer]
	
;; Tab: [Web Authentication Layer]
<Proxy>
        [main_web-auth_layer]
        [main_rule_elow]
	authenticate(IWA_XXX)  authenticate.force(no) authenticate.mode(proxy-ip)	; Rule 4
	
;; Tab: [Web Access Layer]
<Proxy>
        [main_web-access_layer]
	
;; Tab: [explicit_blacklist]
<Proxy>
	<blacklist_layer>
	
;; Tab: [QoS-Shaping]
<Cache>
	<QoS_layer>
	
;; Tab: [Av-Request]
<Proxy>
	<AV-request_layer>

;; Tab: [AV-Response]
<Cache>
	<AV-response_layer>
	
;; Tab: [Tracing]
<Proxy>
	<tracing_layer>

Thanks in advance to anyone who’ll respond to this post.

Paul
