ProxySG & Advanced Secure Gateway

http sites are not working with the User Agent restriction policy

  • 1.  http sites are not working with the User Agent restriction policy

    Posted Jul 19, 2020 01:48 AM
    Hi!
    I tried to restrict internet access based on the user agent, where only IE and Edge are allowed, except for the specific AD group where Chrome and Firefox are also allowed.

    This policy is working well for all the HTTPS sites but for the HTTP sites. I found the difference in the user agent string information in the policy trace. But when I checked the browser developer tools, there is no change in the User-Agent.

    HTTP Request

    GET http://www.example.com/favicon.ico
    DNS lookup was unrestricted
    Accept-Encoding: gzip
    Accept-Encoding: deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 999.1; Unknown)
    user: name="xxx\yyyy" realm=IWA_DIRECT
    authentication start 0 elapsed 0 ms
    authorization start 0 elapsed 0 ms
    authentication status='none' authorization status='none'
    user: authenticated=true authorized=true relative username='xxxx'
    verdict: DENIED: Either 'force_deny' or 'force_exception' was matched in policy

    HTTPS Request

    GET https://www.google.com/complete/search?client=firefox&q=www
    DNS lookup was unrestricted
    rewritten URL(s):
    cache_url/server_url/log_url=https://www.google.com/complete/search?client=firefox&q=www&safe=active
    origin server next-hop IP address=172.217.21.36
    Accept-Encoding: gzip
    Accept-Encoding: deflate
    Accept-Encoding: br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

    Thanks,
    Sriram


  • 2.  RE: http sites are not working with the User Agent restriction policy

    Broadcom Employee
    Posted Jul 20, 2020 10:06 AM
    Hello Sriram,

    In the case of the HTTP request showing a different User-Agent header, what you see in the policy trace is what the proxy received from the end user's PC, as that is what the policy trace uses to populate it.
    To confirm that the different header is coming from the PC, you can take a pcap on the proxy for the HTTP request to see whether the header in the pcap looks the same as in the trace: User-Agent: Mozilla/4.0 (compatible; MSIE 999.1; Unknown)
    If the agent string is the same as above, then you could file a bug with the Firefox dev team for the difference in behavior, or, if you would still like a match, you will need to use the "Request Header" condition in the proxy policy with the regex for "MSIE 999" or "Mozilla".

    The latest version of Firefox is showing this header in both cases, HTTPS and HTTPS, over the wire: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

    I hope this helps.
    Slava V
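
    Added example, not part of either post and not Broadcom code: one way to do the pcap comparison suggested in the reply above, by listing the User-Agent of each cleartext HTTP request in a classic pcap file and picking out the requests whose value equals the one in the policy trace. The function names and the sample capture are constructed for illustration, and it assumes each request's headers fit in one captured frame.

```python
import re
import struct

# Classic pcap magics as raw bytes (microsecond and nanosecond variants) -> byte order.
_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
           b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
_REQ = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) (\S+) HTTP/1\.[01]\r\n")
_UA = re.compile(rb"\r\nUser-Agent:[ \t]*([^\r\n]*)", re.I)

def http_user_agents(pcap: bytes):
    """Return [(method, target, user_agent)] for cleartext HTTP requests in a classic pcap."""
    order = _MAGICS.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    found, pos = [], 24                          # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(order + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        req = _REQ.search(frame)
        if not req:
            continue
        end = frame.find(b"\r\n\r\n", req.end() - 2)   # stay inside the header block
        ua = _UA.search(frame, req.end() - 2, end if end != -1 else len(frame))
        found.append((req.group(1).decode(), req.group(2).decode("latin-1"),
                      ua.group(1).decode("latin-1").strip() if ua else None))
    return found

def matching_requests(pcap: bytes, trace_ua: str):
    """Requests whose on-the-wire User-Agent equals the one shown in the policy trace."""
    return [(m, t) for m, t, ua in http_user_agents(pcap) if ua == trace_ua]

def _sample_pcap(requests):
    """Constructed capture: one frame per request after 54 dummy Ethernet/IP/TCP bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for raw in requests:
        frame = b"\x00" * 54 + raw
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

TRACE_UA = "Mozilla/4.0 (compatible; MSIE 999.1; Unknown)"   # value from the policy trace
SAMPLE = _sample_pcap([                                       # constructed sample input
    b"GET http://www.example.com/favicon.ico HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: " + TRACE_UA.encode() + b"\r\n\r\n",
    b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: "
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0\r\n\r\n",
])

if __name__ == "__main__":
    print(matching_requests(SAMPLE, TRACE_UA))
```

    A non-empty result means the client itself sent the header seen in the trace. Only cleartext HTTP is visible this way; HTTPS requests are encrypted in the capture.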