Hello Jose,
It sounds like these are isolated cases, and if you can reproduce this issue on demand, that is perfect. If you really want to get to the bottom of this, here is what I would recommend.
1. Gather proxy packet capture and policy traces while accessing the same web site from a user that does not have any issue.
2. Gather proxy packet capture and policy traces while accessing the same web site from a user that has the issue.
You can also try first disabling Proxy Authentication for that source client IP, then SSL Decryption, and see which of them solved the issue; that should at least give you a hint on where the issue is.
The packet capture filter should include the source client IP and the destination web site FQDN and the internal .
The Policy trace can be configured based on the source IP of the client.
Comparing the gathered data should assist you in solving this mystery.
Slava
Original Message:
Sent: 04-15-2021 09:50 AM
From: Jose Castro
Subject: ProxySG Transparent - Google Chrome
Over the past year, we have had several users get errors from the Google Chrome browser when trying to access certain sites. The name of the Virtual URL is 'chi-bcoat' in transparent mode, which Reverse Proxies to https://chi-bcoat:4443. A certificate is installed for the Reverse Proxy Service. Not everyone has this issue; as a matter of fact, there is only a handful out of about 3000 clients.
If the user is bypassed from the Proxy, everything works. So this is not the firewall. This doesn't happen in IE either.
Doing a trace log now, but initially was not able to find any clues... Looking for chatter on forums, I found a couple of things:
Possible bug in Chrome's HSTS - help me confirm?
"Our proxy doesn't issue Strict-transport-security headers, so I don't understand how it could have found its way into chrome's HSTS cache. I'm unable to replicate the problem, so I don't know under what conditions Chrome will add that host to HSTS."
I hope to have logs sometime in the next day or two after testing specific sites that break when trying to connect.