Troubleshooting guide
Chapter 7 Troubleshooting Security Servers and Content Security
Resolving Common HTTP Security Server Problems
Advanced Technical Reference Guide 4.1 • June 2000 61
The problem
The redirect response includes two major headers: the action header, which carries the return code (e.g. HTTP/1.0
302 Not Allowed), and the location header, which directs the browser to the new URL (e.g. Location:
http://199.203.71.111/index.html).
The browser prints the URL in its address window (the one in which the user enters the requested URL),
and after getting a redirect response it replaces the original URL with the one from the location header. A URL
contains two parts: the host name and the path. A transparent HTTP request does not include the full URL but
only the path (so if the user enters http://www.checkpoint.com/index.html, the HTTP request will include
only the "/index.html" part).
The effect of all this is that when VPN-1/FireWall-1 redirects the browser back to the original URL, it puts the
IP address in the location header instead of the host name, which is not available to it. This in turn causes the
browser to replace the URL in its address window with the IP address.
Solution
When using Partially or Fully Automatic Client Authentication, it is now possible to configure
VPN-1/FireWall-1 so that the redirection sent to the client, which points it back to the server, is built from
the HTTP host header rather than from the destination IP.
To enable redirection according to the HTTP host header, follow these steps:
1. On the management station, issue the fwstop command (or on NT, stop the VPN-1/FireWall-1 service).
2. In the file $FWDIR/conf/objects.C, under the line which includes the token
:props (
Add the following line:
:http_use_host_h_as_dst (true)
3. Start the FireWall by running fwstart (on NT, start the VPN-1/FireWall-1 service).
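The following is an added illustration, not code from the guide or from Check Point: it models how the Location header of the post-authentication redirect is built from a transparent request, first the way described under "The problem" (only the destination IP is known) and then with the behaviour that http_use_host_h_as_dst (true) enables (the host header is used). The request text, the IP address and the function names are constructed for the example. Because the Host header is supplied by the client, the example only uses it when it is syntactically a host name and otherwise falls back to the IP.

```python
import re
from typing import Dict, Tuple

# Constructed sample of a transparent HTTP/1.0 request as the Security Server
# sees it: the request line carries only the path; the host name survives only
# in the (optional) Host header.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.checkpoint.com\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "\r\n"
)

# Plausible host name (labels of letters, digits, '.' and '-'), optional :port.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (path, headers) from a raw HTTP request; header names lower-cased."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers


def redirect_location(raw: str, dst_ip: str, use_host_header: bool) -> str:
    """Build the Location value for the redirect back to the original URL.

    use_host_header=False models the default: the destination IP is all the
    firewall has, so the browser ends up showing the IP.  True models the
    http_use_host_h_as_dst setting: the client-supplied Host header is used,
    but only when it looks like a host name; otherwise fall back to the IP.
    """
    path, headers = parse_request(raw)
    host = headers.get("host", "")
    if use_host_header and _HOST_RE.match(host):
        return "http://%s%s" % (host, path)
    return "http://%s%s" % (dst_ip, path)


if __name__ == "__main__":
    print("Location:", redirect_location(SAMPLE_REQUEST, "199.203.71.111", False))
    print("Location:", redirect_location(SAMPLE_REQUEST, "199.203.71.111", True))
```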
Session Authentication Rules and Domain objects
If the connection matches a rule in which the source field contains Domain objects or the Action is Session
Auth., the rule will not apply, and the connection will probably be rejected by the stealth (Any/Any/Drop) rule.
Agent Automatic Sign On
Agent Automatic Sign On is a new feature in VPN-1/FireWall-1 4.0 SP5 and 4.1 SP1. Since it operates the
Session Authentication mechanism for all services, including Authenticated services such as HTTP, FTP etc.,
you are not allowed to configure on the same rule a URI resource (FTP, SMTP, HTTP) or any kind of Security
Server. Automatic Sign On does not have this restriction.
HTTP Security Server and DNS
For related solutions, search the SecureKnowledge database (http://support.checkpoint.com/kb) on the Check
Point Technical Services site.
Performance Issue: VPN-1/FireWall-1 defined as a proxy in the client’s browser
Where VPN-1/FireWall-1 is not defined as a proxy, the DNS query is done by the client. However, if
VPN-1/FireWall-1 is set as a proxy, the destination of packets sent by the client will always be the IP of the
VPN-1/FireWall-1 machine. In this case VPN-1/FireWall-1 therefore has to issue a DNS query for each HTTP
request passing through the HTTP Security Server. DNS queries are very time consuming, which can degrade
HTTP Security Server performance.