Secure One Services Group

 View Only
  • 1.  ProxySG | Please help to see access logging

    Posted Dec 16, 2017 05:53 AM

    Hi All,

    Please help to see access logging why have authentication fail so much and have error http 407.

    Client authentication via IWA Realm and computer is join domain.

    but client normal access to internet but first time access website it so slowly. you can see from attach file.

    in attach files have access logging and CPL.

    Attachment(s)

    txt
    accesslog_proxy01(2).txt   1.37 MB 1 version
    txt
    sysinfo_proxy1.txt   4.76 MB 1 version


  • 2.  RE: ProxySG | Please help to see access logging
    Best Answer

    Posted Dec 17, 2017 04:32 AM

    Hi Chakuttha,

     

                       As you know, 407 messages are for proxy authentication challenges. Depending on the authentication mechanism in place, there will 1 or 2 authentication response of 407 could occur per web request which needs authentication to get through. For Basic or Kerberos authentication, the number of 407's will be 1 when NTLM will need two 407s to complete authentication. I have extracted an access-log entry from your log file and it shows the two 407s I am mentioning.

     

    2017-12-15 16:19:26 1 172.23.8.212 - - authentication_failed DENIED "o356;Non-Viewable/Infrastructure" -  407 TCP_DENIED CONNECT - tcp sls.update.microsoft.com 443 / - - - 172.16.1.188 306 85 - "Microsoft Update" "Update Software"
    
    2017-12-15 16:19:26 2 172.23.8.212 - - authentication_failed DENIED "o356;Non-Viewable/Infrastructure" -  407 TCP_DENIED CONNECT - tcp sls.update.microsoft.com 443 / - - - 172.16.1.188 489 174 - "Microsoft Update" "Update Software"
    
    2017-12-15 16:19:26 4 172.23.8.212 v05082$ - policy_denied DENIED "o356;Non-Viewable/Infrastructure" -  403 TCP_DENIED CONNECT - tcp sls.update.microsoft.com 443 / - - - 172.16.1.188 184 738 - "Microsoft Update" "Update Software"

     

    All the three request is see is for a single attempt of an application to get through the ProxySG. Two 407s are for authentication based on NTLM and 3rd one is the Denial as the client got authenticated with its machine account (Not user account). 

     

    The authentication method used is Proxy-IP but I don't see the Auth best practise in place. Do have a check on article https://support.symantec.com/en_US/article.TECH242310.html and add the attached file (in the article) to your local policy file.



  • 3.  RE: ProxySG | Please help to see access logging

    Posted Dec 17, 2017 05:07 AM

    Hi Aravind,

    <Proxy>
           condition=userAgentList authenticate(no) allow
    	   condition=DoNotAuthDomains authenticate(no) allow
    	   condition=DoNotAuthActions authenticate(no) allow ; Remove "allow" if POST & PUT operations are controlled via different policy.
    	   condition=IWA_SILENT_USERS deny.unauthorized 
    
    define condition userAgentList
    request.header.User-Agent="Microsoft-CryptoAPI" 
    request.header.User-Agent="MSUpdate"
    request.header.User-Agent="AVUpdate"
    request.header.User-Agent="iTunes"
    request.header.User-Agent="iphone" 
    request.header.User-Agent="ipad"
    request.header.User-Agent="Stocks" 
    request.header.User-Agent="CFNetwork"
    request.header.User-Agent="Windows-Media-Player"
    request.header.User-Agent="NSPlayer"
    request.header.User-Agent="flash"
    request.header.User-Agent="Office"
    request.header.User-Agent="webex utiltp" 
    request.header.User-Agent="241Extra!"
    request.header.User-Agent="Acrobat Messages Updater"
    request.header.User-Agent="Adobe Log Transport"
    request.header.User-Agent="Adobe Update Manager"
    request.header.User-Agent="Microsoft BITS"
    request.header.User-Agent="Microsoft Data Access Internet Publishing Provider Protocol Discovery"
    request.header.User-Agent="Microsoft-CryptoAPI"
    request.header.User-Agent="Microsoft-WebDAV"
    request.header.User-Agent="Windows-Update-Agent"
    request.header.User-Agent="ncsi"
    request.header.User-Agent="TMUFE"
    request.header.User-Agent="62691CB3BF62DAF233FB2C02782E7BD2"
    end
    
    define condition DoNotAuthDomains
    url.domain=msftncsi.com  						; url used by windows vista/7/8 to verify network connectivity
    url.domain=crl.microsoft.com  					; microsoft ssl cert verification url
    url.domain=mscrl.microsoft.com  				; microsoft SSL cert verification URL
    url.domain=verisign.com  			   			; SSL verification url used by IE 8/9
    url.domain=watson.microsoft.com     			; microsoft URL used to report OS failures
    url.domain=trendmicro.com			 			; trend micro AV update
    url.domain=update.nai.com						; McAfee AV update
    url.domain=update.symantec.com 					; Norton/Symantec AV update 
    url.domain=acs.pandasoftware.com 				; Panda AV update
    url.domain=secure.pandasoftware.com 			; Panda AV license/Software update
    end
    
    define condition DoNotAuthActions
    http.method=POST
    http.method=PUT
    end
    
    
    define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user.regex='.+\$$' 
    end

     

     

    from attach file in article i must revise about defind condition useragent and donotauthsdomain right? before install to local policy.

     



  • 4.  RE: ProxySG | Please help to see access logging

    Posted Dec 17, 2017 09:37 AM

    Hi Aravind,

    If i set action in rule policy to Do not force IWA for Server Auth  it will be workaround for this case?



  • 5.  RE: ProxySG | Please help to see access logging

    Posted Dec 17, 2017 10:25 AM

    Hi Chakuttha,

     

                   That option is for proxy to "not" convert the authentication prompt of server to 407. This is not related to our case. The authentication best practice is normally a safe one to add as is unless you have specific policies which might be affected by this. 



  • 6.  RE: ProxySG | Please help to see access logging

    Posted Dec 17, 2017 10:50 AM

    Aravind

    if i cannot do following best practice. Bute i have concern about Skype for Business.

    my customer can sign in to SfB and normal to use it but cannot only share file on meeting

    do you have any workaround of this case recommend to me? do not authen or something else.



  • 7.  RE: ProxySG | Please help to see access logging

    Posted Dec 17, 2017 10:53 AM

    tomorrow afternoon i must go to Exam Certificate but on morning i have meeting with customer about this case.

    please help recommend to me.



  • 8.  RE: ProxySG | Please help to see access logging

    Posted Dec 17, 2017 10:00 PM

    Hi Chakuttha,

     

                   For SfB (Skype for Business) and O365, we have a web guide with recommendations. Please find the same at https://origin-symwisedownload.symantec.com/resources/webguides/sgos/O365/0365Dash.htm . Refer the SfB section for policies which will help you and customer.



  • 9.  RE: ProxySG | Please help to see access logging

    Posted Dec 17, 2017 11:23 PM

    Aravind,

    I cannot do following that article because Customer don't intercept SSL.

    but it ok i will fix first issue about Authen failed many traffic.