IAG’s SSL Wrapper fails for Java

After doing some routine patching on the IAG and client machines, I suddenly had a problem connecting to a Java-based application. The SSL wrapper screen appeared, but after a minute an error would appear. The app wasn’t working. This isn’t good as

The fix turned out to be quick and easy:

In the IAG Configuration program, on the URL Set tab of the URL filter, change the Parameters setting of InternalSite_Rule28 from Reject to Ignore, and change the URL of InternalSite_Rule29 to /internalsite/com/whale/sslvpnclient/whalesslvpnclient/class.class

Getting to this took an hour of head scratching, searching and playing. This is my journey to that two-second fix.

I fired up the IAG Web monitor and noticed these errors:

Severity     ID       Type
Warning   55     Parameters not Allowed with URL Security portal (S)

Request failed, URL is not allowed to contain parameters.

Trunk: portal; Secure=1;

Application Name: Whale Internal Site; Application Type: InternalSite; Source IP: x.x.x.x; Method: GET; URL: /InternalSite/applet/sslvpnclient.jar?version-id=3.7.0.14.

Severity     ID       Type
Warning     67     URL Path not Allowed Security csrportal (S)

Request failed, the URL contains an illegal path.

Trunk: portal; Secure=1;

Application Name: Whale Internal Site; Application Type: InternalSite; Rule: Default rule; Source IP: x.x.x.x; Method: GET; URL: /InternalSite/com/whale/sslvpnclient/whalesslvpnclient/class.class.

I knew I had not changed any of the rules or configuration.

Clicking on the first ID 67 error popped up this:

Warning #67: URL Path not Allowed

Symptoms

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: “You have attempted to access a restricted URL. The URL you are trying to access contains an illegal path.”

Cause

The path of the requested URL was rejected by the URL Inspection engine.

Resolution

Take the following steps in the Configuration program:

1. Open the Advanced Trunk Configuration window, and select the URL Set tab.

2. Do one of the following, depending on the rule that caused the failure, as specified in the “Description” field of the message:

If the rule that caused the failure is “Default rule”, use the URL List to add a new rule, or edit one of the existing rules, so that the requested URL is allowed.

If the failure was caused by an existing rule, and the name of the rule is specified in the message’s “Description” field, access the rule in the URL List. In the “URL” column, edit the path of the URL.

Cracking open the IAG configuration tool and searching the URL List, I found that the URL in InternalSite_Rule29 differed very slightly from the URL in the error. I swapped it from

/InternalSite/com/whale/sslvpnclient/whalesslvpnclient.class

to

/internalsite/com/whale/sslvpnclient/whalesslvpnclient/class.class

Saved the configuration and tried the Java app again. Still failed.

After a bit more head scratching I found this post on the excellent www.forefrontsecurity.org:

InternalSite_Rule28 (/internalsite/applet/(sslvpnclient|detectjava|microsoftclient|oesislocal|runtimeelevator|agent_win_helper|agent_mac_helper|agent_lin_helper)\.jar)
changed the Parameters value from Reject to Ignore

Basically this stops the parameter check on the detection applets and allows the Java applet to do its job.
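To make the two rule changes concrete, here is a small Python model of how an IAG URL Set rule list decides the two requests from the Web Monitor log above. This is an added example, not IAG's own code or anything from forefrontsecurity.org: the rule patterns and paths are the ones quoted in this post, while the whole-path matching, the case-insensitive comparison of /InternalSite against /internalsite, and the mapping of outcomes to warning IDs 55 and 67 are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed model of an IAG URL Set. Each rule has a name, a URL regex that
# is compared against the request path, and a "Parameters" policy that says
# what happens when the request carries a query string.
REJECT, IGNORE = "Reject", "Ignore"

# Applet pattern quoted in the post for InternalSite_Rule28.
RULE28_PATTERN = (
    r"/internalsite/applet/(sslvpnclient|detectjava|microsoftclient|oesislocal"
    r"|runtimeelevator|agent_win_helper|agent_mac_helper|agent_lin_helper)\.jar"
)


def make_rule(name, pattern, parameters):
    # Assumption: the engine matches the whole path and ignores case
    # (the log shows /InternalSite/... while the rules use /internalsite/...).
    return {"name": name, "regex": re.compile(pattern, re.IGNORECASE),
            "parameters": parameters}


# Rule list as found after patching (the broken state).
RULES_BEFORE = [
    make_rule("InternalSite_Rule28", RULE28_PATTERN, REJECT),
    make_rule("InternalSite_Rule29",
              r"/InternalSite/com/whale/sslvpnclient/whalesslvpnclient\.class",
              REJECT),
]

# Rule list after the two fixes: Rule28 Parameters set to Ignore and the
# Rule29 path changed to the one the client actually requests.
RULES_AFTER = [
    make_rule("InternalSite_Rule28", RULE28_PATTERN, IGNORE),
    make_rule("InternalSite_Rule29",
              r"/internalsite/com/whale/sslvpnclient/whalesslvpnclient/class\.class",
              REJECT),
]


def inspect(url, rules):
    """Return (allowed, warning_id, rule_name) for a requested URL.

    Warning IDs follow the Web Monitor entries in the post:
      67 = URL Path not Allowed: no rule matched, so the Default rule denies it
      55 = Parameters not Allowed with URL: the matching rule has
           Parameters=Reject and the request carries a query string
    """
    parts = urlsplit(url)
    for rule in rules:
        if rule["regex"].fullmatch(parts.path):
            if parts.query and rule["parameters"] == REJECT:
                return (False, 55, rule["name"])
            return (True, None, rule["name"])
    return (False, 67, "Default rule")


if __name__ == "__main__":
    # The two requests that failed in the log (constructed from the post).
    logged = [
        "/InternalSite/applet/sslvpnclient.jar?version-id=3.7.0.14",
        "/InternalSite/com/whale/sslvpnclient/whalesslvpnclient/class.class",
    ]
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for url in logged:
            print(label, url, inspect(url, rules))
```

Run against RULES_BEFORE, the .jar request reproduces warning 55 on InternalSite_Rule28 and the class.class request falls through to the Default rule with warning 67, which is exactly the pair of log entries that started the hunt; against RULES_AFTER both are allowed, while an unrelated path such as /InternalSite/applet/other.jar is still denied, so the allow-list is no wider than the fix needs.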

Another Hum Ho moment.
