Web Proxy

Hi,

On my UTM 9.505-4 I have the following lines all over the web-protection log:

httpproxy[4888]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1586" message="Read error on the http handler 137 (Input/output error)"

We use the Web-Protection as parent proxy for our internal squid-cache. The web-protection has no cache, no blocked-sites, no authentication, no request-logging and works in non-transparent mode. It's basically only for AV scanning on http and https. All the caching, site-blocking and authentication happens on the squid proxy.

The log entries on the UTM are accompanied by the following log lines in the squid proxy:

kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| Detected DEAD Parent: (Sophos-utm-ip)
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| TCP connection to (Sophos-utm-ip)/8080 failed
kid1| Detected REVIVED Parent: (Sophos-utm-ip)

Every time this happens, users experience great delays in web surfing: sites not responding and so on. It just happens for a few seconds before everything goes back to normal.

If we let squid handle all the surfing without the UTM as parent proxy, the problem is gone. So it's def a UTM issue.

Squid config line for parent proxy:

cache_peer (Sophos-utm-ip) parent 8080 0 no-query no-digest default
never_direct allow all

Any ideas?

Best regards, daniel



  • Just to answer my own question:

    This was coming from TeamViewer connecting to multiple IP addresses via 443 instead of using names.
    If you enabled SSL scanning, this generates error log entries.
    For now we could solve this by generating an exception list with all these IPs, disabling SSL cert checks.

  • The only time that I have seen the symptom "input/output error", it was also related to certificate problems -- sites that could not do TLS 1.2 when the weaker protocols were disabled for UTM https inspection.

    There are a lot of TeamViewer servers in multiple countries, so it will take a while to list them all in your exceptions.

    I hope you are also using UTM to block sites with bad reputation, suspicious and below.

  • We do all the blocking with squid and squidguard, also based on categories and black/whitelists. It's basically the same as blocking on the UTM.
    It's just easier to consolidate all web-based regulatories on one proxy.
    We use AV scanning on the UTM before web content enters the cache in squid and then stays there already scanned.

    Regarding the 200+ IPs for TeamViewer data centers (unable to maintain a consistent exception list because IPs change or get added), we are looking into 2 possible ways to go. One could be to make regular-expression based exceptions on the UTM (https://\d+(\.\d+){3}/), which disables cert-check for all IP-based SSL URLs. Not pretty, but does the job.
    A second way would be to filter based on the User-Agent, as I have read somewhere that TeamViewer uses "DynGate" as User-Agent. But I can't confirm, as I didn't test yet.
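
Added example, not part of any post in this thread: a quick audit of which URLs the posted exception pattern would exempt from certificate checks. It assumes the pattern is applied as an unanchored search over the full URL and uses Python's `re` as a stand-in for the UTM's regex engine; the `ANCHORED` variant, the helper names and the sample URLs are constructed for illustration.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import urlsplit

# Exception pattern exactly as posted in the thread.
POSTED = re.compile(r"https://\d+(\.\d+){3}/", re.ASCII)
# Tighter variant (assumption, not from the thread): anchored at the start of
# the URL, octets limited to 1-3 digits, optional port before the first slash.
ANCHORED = re.compile(r"^https://\d{1,3}(\.\d{1,3}){3}(:\d+)?/", re.ASCII)

def host_is_ipv4_literal(url):
    """True only if the URL's own host part is a valid dotted-quad IPv4 address."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    try:
        IPv4Address(parts.hostname)
        return True
    except ValueError:
        return False

def audit(urls):
    """Return {url: (posted_matches, anchored_matches, host_really_is_ip)}."""
    return {
        u: (bool(POSTED.search(u)), bool(ANCHORED.search(u)), host_is_ipv4_literal(u))
        for u in urls
    }

# Constructed sample URLs (documentation address ranges, not real servers).
SAMPLES = [
    "https://192.0.2.10/din.aspx",                         # IP-literal host, the intended case
    "https://192.0.2.10:443/din.aspx",                     # same host with an explicit port
    "https://www.example.com/r?u=https://198.51.100.7/",   # named host, IP URL only in the query
    "https://www.example.com/index.html",                  # ordinary named host
]

if __name__ == "__main__":
    for url, row in audit(SAMPLES).items():
        print(row, url)
```

Rows where the first and third values differ are URLs for which the posted pattern and the actual host disagree; anchoring the pattern at the start of the URL keeps the exception scoped to IP-literal hosts.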

     

  • You may want to upgrade. I just noticed this bug fix in 9.506


    NUTM-8826 [Web] Teamviewer via Standard Mode with AD-SSO not possible since v9.502