ProxySG & Advanced Secure Gateway


Websites are very slow with unified proxy agent for web filtering

  • 1.  Websites are very slow with unified proxy agent for web filtering

    Posted Aug 13, 2020 03:44 AM

    Hello,

    We are using Unified proxy agent for web filtering for home users on company-provided laptops and have done the steps below:

    1: Prepared a bundle of Unified Agent from the on-premises Bluecoat proxy ASG400 appliance, including certificate and proxy IP.
    2: Installed this bundle exe on all home users' laptops.
    3: Created a policy in virtual policy manager for allowed categories, Intranet URLs, and company VPN servers' IP addresses and DNS.
    4: Once the agent is installed on a home user's laptop and the user connects to the company VPN, the proxy agent successfully syncs the policy from the on-premises proxy appliance.
    5: The unified proxy client was downloaded from the on-premises ASG400 appliance; the client version is 4.7.1.188819.
    6: We don't have any cloud-based proxy.


    Problem:
    1: Web filtering works very, very slowly with Unified Agent for both Internet and Intranet; when we disable the agent everything works fine.

    2: How to upgrade the Unified Agent version on the ASG appliance and client machines?

    3: Our company uses a 107.x.x.x public IP scheme that is not routable over the Internet, so we are looking for the agent to bypass our IPs so that any services hosted on these IPs will not be intercepted by Unified Agent for filtering.

    Please suggest if anyone has faced a similar issue and what the solution would be; also provide any document / guide if available.

    Thanks,

    Prem



  • 2.  RE: Websites are very slow with unified proxy agent for web filtering

    Broadcom Employee
    Posted Aug 13, 2020 12:15 PM
    Edited by Slava Aug 13, 2020 12:16 PM
    Hello Prem, 

    The separate upgrade for the Unified Agent application for the on-premises proxy is not available at this time.

    Issues related to the UA are a bit of a challenge to troubleshoot here on the forum, as perhaps you do not want to share the trace file from the UA etc. here. By the way, this is what support will ask you to gather: https://knowledge.broadcom.com/external/article?articleId=168727.

    I would recommend the following at this time.

    1. Make sure that PC was restarted after the UA was installed.
    2. Make sure the UA is enabled (Active), start a packet capture on the PC and try to access a web site like example.com, calculate how many seconds it took to load, then stop the pcap.
    3. In the pcap, see how much time the transaction took between the DNS query and the HTTP request to example.com, and then how much time it took from the SYN to the HTTP 200 OK for the HTTP request.
    4. See if there is DNS latency, TCP handshake latency, or latency between the HTTP request and the HTTP 200 OK response.

    Finding out where the delay is may bring us closer to the root cause.

    I do hear what you are stating, that when you disable the UA everything works fine; however, in my many years of experience I have never seen the UA cause latency in browsing. However, it is possible that there is another application running on your computer and preventing the UA from operating properly.
    I would suggest going down the list of running applications, including the Antivirus or VPN client etc., and disabling them, to see if perhaps one of them is causing the issue.

    If none of the above helps, please log a technical case under the Broadcom Support Portal at https://support.broadcom.com/

    Slava V
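
The timing breakdown described in steps 3 and 4 above can be scripted. This is an added example, not part of the original post: it assumes the capture was exported as tab-separated rows using the tshark fields named in the comment, the sample rows are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample. Columns (assumed tshark -T fields export order):
# frame.time_relative, dns.qry.name, dns.flags.response, tcp.stream,
# tcp.flags.syn, tcp.flags.ack, http.request.method, http.response.code
SAMPLE = "\n".join("\t".join(r) for r in [
    ("0.000", "example.com", "0", "", "", "", "", ""),   # DNS query
    ("2.310", "example.com", "1", "", "", "", "", ""),   # DNS answer
    ("2.312", "", "", "0", "1", "0", "", ""),            # SYN
    ("2.352", "", "", "0", "1", "1", "", ""),            # SYN/ACK
    ("2.354", "", "", "0", "0", "1", "GET", ""),         # HTTP request
    ("2.471", "", "", "0", "0", "1", "", "200"),         # HTTP 200 OK
])
TRUE = {"1", "True"}  # accept either boolean rendering (1/0 or True/False)

def first_events(tsv, host=None):
    """First timestamp of each milestone; host=None for IP-literal URLs (no DNS)."""
    ev, stream = {}, None
    for row in csv.reader(io.StringIO(tsv), delimiter="\t"):
        if len(row) != 8:
            continue  # skip blank or malformed export lines
        ts, qname, is_resp, strm, syn, ack, method, code = row
        ts = float(ts)
        if host is not None and qname == host:
            ev.setdefault("dns_answer" if is_resp in TRUE else "dns_query", ts)
        elif stream is None:
            # The first SYN (after the DNS answer, if any) selects the TCP stream.
            if syn in TRUE and ack not in TRUE and (host is None or "dns_answer" in ev):
                stream, ev["syn"] = strm, ts
        elif strm == stream:
            if syn in TRUE and ack in TRUE:
                ev.setdefault("syn_ack", ts)
            elif method:
                ev.setdefault("request", ts)
            elif code == "200":
                ev.setdefault("ok", ts)
    return ev

def phases(ev):
    """Per-phase latency in seconds (None if a milestone was not captured)."""
    def delta(a, b):
        return round(ev[b] - ev[a], 3) if a in ev and b in ev else None
    out = {"dns": delta("dns_query", "dns_answer"),
           "handshake": delta("syn", "syn_ack"),
           "request_to_200": delta("request", "ok")}
    measured = {k: v for k, v in out.items() if v is not None}
    out["slowest"] = max(measured, key=measured.get) if measured else None
    out["syn_to_200"] = delta("syn", "ok")
    return out

if __name__ == "__main__":
    print(phases(first_events(SAMPLE, "example.com")))
```

For a site reached by IP address rather than by name, call `first_events` without a host so the DNS phase is reported as not captured instead of blocking the TCP measurements.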


  • 3.  RE: Websites are very slow with unified proxy agent for web filtering

    Posted Aug 14, 2020 12:19 AM
    Dear Slava,
    Thanks for your reply.

    We have already opened multiple cases on the support portal. They checked all configuration and logs, and after that they confirmed that this product is out of support as discarded by the OEM.
    Request you to please share if you have any document to match all step-by-step configuration on the ASG appliance side.

    Also, our organization uses public IP scheme 107.x.x.x for Intranet services; all intranet web services hosted on 107.x.x.x run very, very slowly, while web applications work fine if hosted on 10.x.x.x IPs.

    Please also guide us on how to bypass our Intranet IP addresses (107.x.x.x) from Unified Agent filtering and how to upgrade the UA agent version.

    Thanks,
    Prem


  • 4.  RE: Websites are very slow with unified proxy agent for web filtering

    Posted Aug 14, 2020 04:38 PM
    Edited by Priyesh MP Aug 14, 2020 04:48 PM
    Dear Prem,

    I'm afraid that we can bypass IPs/URLs on Proxy Unified Agent. Since Proxy UA is a free solution that comes along with ProxySG/ASG and has limited features, we do not have much granular control here. And there is little option for us to interact with Proxy UA.

    As you are using Proxy UA version 4.7.1.188819, which is quite old, you may try to upgrade the UA to the 4.10.x version on your proxy and check if this resolves your slowness issue. You can upload the 4.10.x UA Package (which contains Windows and Mac OS versions) to your ProxySG/ASG by navigating to Configuration > Clients > General > Client Software > Unified Agent. From there you can use either the Remote URL or the Local File option from the drop-down menu to upload the latest UA Package to your ProxySG/ASG. Once you have upgraded the UA version on the Client Manager (your ProxySG/ASG where the UA option is enabled), all clients will get the latest version automatically after the clients connect with the Client Manager (UA connectivity with the Client Manager is a must, either directly from the LAN or via VPN). Later, users can upgrade the UA manually at their convenience from the UA console.

    Hope this helps!

    Thank you.

    Best Regards,
    Priyesh MP
    Solution Architect | Symantec Knight of the Year, Asia Pacific 2018
    Symantec Certified Specialist (in Blue Coat ProxySG)
    Softcell Technologies Global Pvt. Ltd.




  • 5.  RE: Websites are very slow with unified proxy agent for web filtering

    Posted Aug 18, 2020 01:53 AM
    Dear Priyesh,
    Thanks for your suggestion.
    Please guide me from where I can get the 4.10.x UA Package to upgrade on the appliance.


    Thanks,
    Prem



  • 6.  RE: Websites are very slow with unified proxy agent for web filtering

    Posted Aug 21, 2020 05:28 AM
    Dear Prem,

    Good day to you!

    I'm attaching the required file here. You may upload the same to your ProxySG/ASG by navigating to Configuration > Clients > General > Client Software > Unified Agent. From there you can choose the Local File option from the drop-down menu to upload the attached UA Package to your ProxySG/ASG.

    Hope this helps!

    Thank you.

    Best Regards,
    Priyesh MP
    Solution Architect | Symantec Knight of the Year, Asia Pacific 2018
    Symantec Certified Specialist (in Blue Coat ProxySG)
    Softcell Technologies Global Pvt. Ltd.

    Attachment: UnifiedAgent-4.10.1.219990.zip (13.86 MB)


  • 7.  RE: Websites are very slow with unified proxy agent for web filtering

    Posted Aug 24, 2020 10:58 AM
    Dear Priyesh,
    Thanks for providing the latest version of the UA software.

    We have upgraded on the ASG appliance and client; now the results are as follows:

    1: Internet websites work well with VPN and without VPN compared to the previous UA version.

    2: Intranet websites are still slow on VPN, as on the previous UA version, for websites hosted on the 107.x.x.x range; websites work fine if hosted on the 10.x.x.x range.


    Please guide us on the following:
    1: How to bypass our Intranet IP addresses (107.x.x.x) from Unified Agent filtering, as all our Intranet is hosted on this IP range.
    2: Is there any possibility to create a policy to bypass the 107.x.x.x range from filtering inspection?


    Thanks,
    Prem





  • 8.  RE: Websites are very slow with unified proxy agent for web filtering

    Broadcom Employee
    Posted Aug 24, 2020 01:51 PM
    Hello Prem, 

    1: How to bypass our Intranet IP address (107.x.x.x) from unified agent filtering as all our Intranet hosted on these IP range.
    Answer: For the ProxySG version of UA there is no option to bypass a URL or IP, as this UA does not perform inspection; it simply does a URL Category Lookup and then takes the action allow or deny depending on the category.


    2: Is there any possibility to create policy to bypass 107.x.x.x range from filtering inspection.

    Answer: It would seem to me that perhaps because 107....... is a Class A IP (Public), the UA will do a category lookup, and perhaps that takes a long time because there is no category for this IP, so there is the delay.


    I propose the following possible solution that will allow you to bypass the web category lookup for the 107...... IPs, by defining the category yourself.

    1. Create a Custom Category, or add to an existing category, all of the 107.x.x.x IPs you know the user will connect to, or that are slow.
    2. If you created a new Category, then make sure you add it to the proxy UA configuration under the ProxySG:
    3. Next time the UA connects to the ProxySG to update its Allow/Block policies, it will download this custom category that has your 107.x.x.x IPs in question already categorized.

    In theory this should fix the delays for the 107.x.x.x, assuming that it is caused by a UA category lookup between the UA and the GIN in the cloud.

    I hope this helps.

    Slava 



  • 9.  RE: Websites are very slow with unified proxy agent for web filtering

    Posted Aug 25, 2020 11:31 PM
    Dear Slava,
    Thanks for your suggestion.
    Now there is some improvement in Intranet URLs also. Earlier it took two minutes to open the home page; now it takes one minute and a few seconds.

    Also, I would like to mention that all our Intranet is hosted IP-based, like http://107.x.x.x, instead of by domain name.

    Please suggest how to improve further for Intranet URLs, as the same URLs work without any delay once filtering is disabled on Unified Agent.


    Thanks,
    Prem





  • 10.  RE: Websites are very slow with unified proxy agent for web filtering

    Broadcom Employee
    Posted Aug 26, 2020 04:20 PM
    Hello Prem, 

    I am glad to hear that this had some improvement. You can apply the same step for every destination where you see a delay, again assuming that the latency is caused by the category lookup.
    I think it would help to actually confirm that the category lookup is the root cause, by doing a pcap on the client as you reproduce the issue.
    Perhaps there are some other conflicts there.

    This issue needs a deeper dive than we can do here; I would recommend opening a technical case on this matter, as there data can be uploaded and reviewed by the case owners.

    I hope this helps.
    Slava


  • 11.  RE: Websites are very slow with unified proxy agent for web filtering

    Posted Sep 01, 2020 01:07 AM
    Dear Slava,
    Thanks for your help and suggestion.
    Please check the attached snapshot: we are getting "ratings service unavailable" on the client side. Once this message starts showing in the filter status, all websites stop working, and after some time the Filter status shows Running.
    A technical case was opened multiple times but they are also not able to resolve it. Please check and suggest if there is any other solution to improve Intranet services.



    Thanks,
    Prem  



  • 12.  RE: Websites are very slow with unified proxy agent for web filtering

    Broadcom Employee
    Posted Sep 01, 2020 01:49 PM
    Hello Prem, 

    1. Not being able to browse any sites when the Rating service is unavailable is an option that you can change: what the UA should do when it cannot communicate with the Rating services. You can choose to allow traffic, notify, or block it, so all is working as expected here. The root cause of the Rating services not being available is that something on your PC or on your network is blocking the request from the UA to the Rating services. The URL the UA is contacting for the Rating Services is sp.cwfservice.net
    2. You can change the behavior of what the UA does when the Rating service is unavailable; see the Admin Guide starting at page 62 (I would encourage you to go over this Admin Guide to understand how the UA works and what it needs to work): https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/UnifiedAgent_4.10_Win.pdf
    3. If you take a UA Trace while the issue is present, you may be able to see in the UA trace why the UA marks the Rating service as Unavailable: https://knowledge.broadcom.com/external/article?articleId=168727
    4. You may want to make sure your Antivirus or any other apps on your PC or on your network are not blocking the request to the rating services, or DNS.

    In my experience UA agent works without any issues unless there is a third party app or variable blocking its requests.

    Slava


  • 13.  RE: Websites are very slow with unified proxy agent for web filtering

    Posted Sep 01, 2020 05:59 PM
    Dear Prem,

    Please make sure your Endpoint Solutions (say Antivirus) are not interfering with Symantec Proxy UA. You may try to exclude/whitelist the UA file/folder from your Endpoint Solutions and check. As Slava also mentioned, in general UA works without much issue.

    As I have mentioned earlier, Proxy UA is a free solution that comes along with ProxySG/ASG and has limited features; we do not have much granular control here. And there is little option for us to interact with Proxy UA. Blue Coat introduced Proxy UA (formerly known as Proxy Client) long ago, when Cloud Proxy was not that popular, and now this Proxy UA concept is already outdated since more and more customers are open to Cloud Proxy.

    As we can see, you are facing multiple issues and looking for more granularity (like bypassing URLs/IPs, Application Controls etc.), so this is the right time for you to move towards Symantec Web Security Service (WSS), which can offer better protection for your Roaming Users, and the Administrator will have more control as well. Also, your end users will have seamless access in both the Corporate Network and Public Network (while roaming) with Unified Policy Enforcement (UPE).

    Thank you.

    Best Regards,
    Priyesh MP
    Solution Architect | Symantec Knight of the Year, Asia Pacific 2018
    Symantec Certified Specialist (in Blue Coat ProxySG)
    Softcell Technologies Global Pvt. Ltd.