Troubleshooting guide
Chapter 7 Troubleshooting Security Servers and Content Security
Resolving Common HTTP Security Server Problems
Advanced Technical Reference Guide 4.1 • June 2000 60
Another instance of this problem is the range request. The client can ask the server to send only part of the
response by adding a Range request header. In that way a smart client (a Trojan horse) can fetch the second half
of the content first and then the first half. The HTTP security server therefore blocks every range request unless
the user adds http_allow_ranges to the props section of the objects.C file.
Multi-server connections to an HTTP Security Server acting as Security Proxy
The HTTP 1.1 protocol supports multi-request connections, where each connection can carry more than one
request/response transaction. An example of a multi-request connection is a connection to a single page where
different elements of the page reside on different servers.
Where the HTTP security server is in proxy mode, the client can open a single connection to the proxy and send
the proxy a number of requests, each with a different server as its final destination. The proxy is expected to
handle all the requests, send each request to the right destination and return the response to the client. In
this scenario, therefore, a single connection from the client to the proxy corresponds to many connections
between the proxy and the servers. As of VPN-1/FireWall-1 4.0 and 4.1 the HTTP security server does not yet
support this feature. It supports only one request/response transaction per connection, so every server
requires its own connection.
To work around this problem, whenever the VPN-1/FireWall-1 HTTP Security server gets a request whose
final destination differs from the destination of the previous request (on this connection), it tries to respond
with a redirect and closes the connection. This workaround does not always work, because some HTTP
clients will not follow the redirect.
Another workaround is to disable support for multi-request connections. In this case the security server
enforces only one request per connection.
To do so, add the following attributes to the props section of the objects.C file:
:http_avoid_keep_alive (true)
    closes the connection after the first request/response transaction.
:http_force_down_to_10 (true)
    changes the protocol version from 1.1 to 1.0.
See the SecureKnowledge Solution (Solution ID: 10022.0.2181016.2491988) in the Check Point Technical
Services site.
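The following is an added illustration, not Check Point code: a small Python model of the per-connection behaviour described above (range requests dropped unless http_allow_ranges is set; a change of final destination on a keep-alive connection answered with a redirect and a close; the two props flags that force one transaction per connection). The sample request sequence and host names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Props:
    # Mirrors the three objects.C :props flags named on this page; defaults mean "not set".
    http_allow_ranges: bool = False
    http_avoid_keep_alive: bool = False
    http_force_down_to_10: bool = False

@dataclass
class Connection:
    # State kept per client->proxy connection: the last final destination seen on it.
    last_host: Optional[str] = None
    closed: bool = False

def handle_request(conn: Connection, props: Props, host: str, version: str,
                   headers: Dict[str, str]) -> Tuple[str, bool]:
    """Decide what the proxy does with one request; returns (action, connection_closed)."""
    if conn.closed:
        return "rejected", True          # nothing can be sent on a closed connection
    # A Range header lets a client fetch the body in reordered pieces, so the
    # security server drops the request unless http_allow_ranges is set.
    if any(name.lower() == "range" for name in headers) and not props.http_allow_ranges:
        return "blocked_range", False
    if props.http_force_down_to_10:
        version = "HTTP/1.0"             # downgrade: one transaction per connection
    # Only one request/response transaction per server connection is supported, so a
    # change of final destination on the same client connection means redirect + close.
    if conn.last_host is not None and host != conn.last_host:
        conn.closed = True
        return "redirect", True
    conn.last_host = host
    close = props.http_avoid_keep_alive or version == "HTTP/1.0"
    conn.closed = close
    return "forward", close

def simulate(props: Props, requests: List[Tuple[str, str, Dict[str, str]]]) -> List[str]:
    """Run a request sequence over one client connection; return the action taken per request."""
    conn = Connection()
    return [handle_request(conn, props, h, v, hdrs)[0] for h, v, hdrs in requests]

if __name__ == "__main__":
    # Constructed sample: a page whose elements live on two servers, over one keep-alive connection.
    page = [("www.example.com", "HTTP/1.1", {}),
            ("www.example.com", "HTTP/1.1", {"Range": "bytes=500-999"}),
            ("img.example.com", "HTTP/1.1", {}),
            ("www.example.com", "HTTP/1.1", {})]
    print(simulate(Props(), page))                            # default behaviour
    print(simulate(Props(http_avoid_keep_alive=True), page))  # workaround: one request per connection
```

With the defaults the third request (a different server) gets a redirect and the connection closes, so the fourth request never reaches the proxy; with http_avoid_keep_alive the connection already closes after the first transaction.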
Client Authentication issues related to the HTTP Security Server
Problem with Partially and Fully Automatic HTTP Client Authentication
Note: This issue is documented in the Check Point 2000 Administration Guide page 554
Packet Flow description
When the kernel matches a partially automatic HTTP client authentication rule, it folds the connection to the
security server. The security server returns a redirection response, which forces the HTTP browser to open a
second connection to the redirected URL. In this case, the new URL is the VPN-1/FireWall-1 security server. The
security server manages the authentication process and adds a new entry to the client authentication table. It
then returns a redirection response, which directs the browser back to the original URL. The browser opens a new
connection to the original URL, but this time it passes through the FireWall using the new client authentication
table entry.