web protect breaks some websites

Hi,

I don't fully understand? What you mean I think is you are using the http proxy in either full or transparent mode?

When you enable transparent mode what do you allow and do you have any exceptions in place? If using full mode how are you providing the .pac file and what is in your pac file or do you manually configure each web browser and put firewall blocks for http protocols?

Sorry I probably should have added more info

1) we don't use full only standard we have not configured a proxy or Transparent /with Cert installed

2) I have not set any exceptions and for testing purposes I have only one site blocked (www.sears.com)

3) I don't understand your last question about the web browsers but i have not configured anything on them on my local machine I've installed thee pk12 cert in the trusted root group 

(small office of about 25 users)

Hi, Robert, this is the first thread I've seen from you - welcome to the UTM Community!

In Transparent mode, the client PC gets name resolution.  In Standard mode, the UTM gets name resolution.  Check the Firewall log to see if your PC's request for DNS is being blocked.  I doubt that will be it, but it's a place to start.

Cheers - Bob

Thank you BAlfson,

Not new I just haven't been back to the forums since the astaro forums got shut down (not really sure I like the new forum but beggars can be choosers I suppose)

I will test this when I can its hard because it breaks the entire office anytime I go to test so i have to do it at night which I am not a big fan of.

I turned off DNS SEC and it works

is this a bug?

More than likely you have an incorrectly configured DNS or at least one not setup to use DNS SEC.

sg210  9.10

we are using google dns 8.8.8.8  8.8.4.4

You are not using the UTM as a DNS?

I checked my UTM and have DNS SEC enabled for my ISPs DNS without errors. I did find that I have a mail server issue, the ISP has provided the wrong details on their website.

I have added 8.8.8.8 to my UTM DNS forwarders and the are no errors. I will add 8.8.4.4 and see what happens.

Found that 8.8.8.8 is about 300msec away while 8.8.4.4 is only 30msec away. That might be your issue.

Ian, I wonder if that time difference doesn't represent the load.  Whether most everyone puts 8.8.8.8 first.  Anyway, several years ago, I started using an Availability Group with 8.8.4.4 first.

Cheers - Bob

Bob, if the load is that high the server takes too long to respond then the user will get a site not available response from my limited experience on debugging DNS issues.

Not that it takes too long to respond, Ian, but that 8.8.4.4 usually responds in half the time when I've measured it from client sites across the USA.

Cheers - Bob

Not that it takes too long to respond, Ian, but that 8.8.4.4 usually responds in half the time when I've measured it from client sites across the USA.

Cheers - Bob

i was thinking about this today

our structure is

client ===> internal AD server DNS====> sg210====> 8.8. whatever

That looks perfect, Robert.  I haven't played enough with DNSSEC to be able to suss out your configuration challenge as Ian suggests.

Cheers - Bob