It is the problem with the security server. It has nothing to do with
Websense. All Websense does is look at the packet for the URL definition
and verify it against its database to be sure it is not restricted.

HTTP 1.1 is not supported through the security server, and that is why
you are seeing problems. See notes:

1.1.  An RFE has been submitted for http 1.1 and is going to be
incorporated into the next full release of FireWall code named Redmond.

**********************************************************************************
Difficulty with HTTP 1.1 through the HTTP Security Server

Fix: Upgrade to FireWall 4.0 SP5.  It has many HTTP 1.1 fixes and
enhancements.
**********************************************************************************
HTTP connections sometimes fail

Cause: HTTP 1.1 works differently than HTTP 1.0 in that it is able to
send data in chunked pieces. If a client experiences problems with
specific packets, a server can resend to the client just the data that
caused problems. In contrast, HTTP 1.0 will resend the entire page
to the client.

The FireWall-1 security server had problems dealing with this chunked
data and sometimes specific web sites would be unreachable.

Fix: Add the property "http_force_down_to_10 (true)" to the objects.C
file under the props section.

After implementing the new property the security server will downgrade
the client's "GET... HTTP/1.1" command to a "GET... HTTP/1.0". The
downgrade will take effect only if the following are true:
1. Prior to the change, the client's GET is an HTTP 1.1 command
2. The security server sends the data to a CVP server or it is configured
to strip any Tags
**********************************************************************************
When using HTTP 1.1 with CVP, 'chunked' data could cause the connections
to fail

Fix: Convert HTTP 1.1 protocol packets to HTTP 1.0 as follows:

1. Stop the FireWall using 'fwstop' (or on NT stop the FireWall-1 service)

2. Edit the file $FWDIR/conf/objects.C .
        After the line
        :props (
        Add the line
        : http_force_down_to_10 (true)
3. Start the FireWall by running 'fwstart' (or on NT start the FireWall-1
service).
**********************************************************************************
Browser error message: "Your request has been redirected to here".
Symptom: Some images do not load completely.
Symptom: It doesn't occur when using Internet Explorer 4.0

Cause: FW-1 does not support HTTP 1.1 which enables the client to send
several HTTP requests to a number of different servers.

Fix: Workaround: Disable the sending of multiple HTTP 1.1 requests as
follows:
Set the security server to close the connection after each request as
follows:
1. Stop the FireWall by running 'fwstop' (On WinNT stop the FireWall
service).
2. Edit the file '$FWDIR/conf/objects.C'. After the line
    : props (
Add the line:
        :http_avoid_keep_alive (true)
3. Start the FireWall by running 'fwstart' (On WinNT start the FireWall
service).
If the workaround does not work, make sure to
- Close the gui and stop the fw
- Edit the 'objects.C' on the module in the recommended way.
- Perform a 'fw load' to the policy and then check that the change was
implemented to the 'objects.C' file in the /database directory as well.
- Start the FW
**********************************************************************************
Unable to access site and an 'object moved' reply is received from the
server, while using Internet Explorer as the browser
Symptom: Browser error: 'object moved' reply from the server
Symptom: Unable to access the site

Fix: The HTTP security server now supports the HTTP 1.1 'CONTINUE' command.

To enable this support:
1. Stop the FireWall using 'fwstop' (or on NT stop the FireWall-1 service)

2. Edit the file $FWDIR/conf/objects.C
        After the line
        :props (
        Add the line
        : http_sup_continue (true)
3. Start the FireWall by running 'fwstart' (or on NT start the FireWall-1
service)
**********************************************************************************
If IE browser is being used, disable http 1.1 through the Advanced Internet
Options and reboot the client machine.
**********************************************************************************


There is a recent service pack 7 for firewall 4.0 and
service pack 2 for 4.1, that supposedly supports http
1.1. I have not been able to confirm that, though.
Anyone else?

David
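
An added example, not part of the original post and not Check Point tooling: a shell check that reads the three properties from the notes above out of the ":props (" block and compares two copies of objects.C, as the workaround note advises for the conf and database copies. The function names, file arguments and sample files are assumptions; the sample content is constructed.

```shell
# The three properties named in the notes above.
HTTP_PROPS="http_force_down_to_10 http_avoid_keep_alive http_sup_continue"

# Print the value of property $2 set directly inside ":props (" in file $1,
# or "unset". Assumption: no parentheses inside quoted strings.
prop_value() {
    awk -v name="$2" '
        !inside && /^[ \t]*:[ \t]*props[ \t]*\([ \t]*$/ { inside = 1; depth = 1; next }
        inside {
            if (depth == 1 && match($0, "^[ \t]*:[ \t]*" name "[ \t]*\\(")) {
                v = substr($0, RLENGTH + 1); sub(/\).*$/, "", v)
                gsub(/[ \t]/, "", v); found = v
            }
            depth += gsub(/\(/, "(") - gsub(/\)/, ")")
            if (depth <= 0) inside = 0
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# One "name=value" line per property for file $1.
report_props() {
    for p in $HTTP_PROPS; do
        printf '%s=%s\n' "$p" "$(prop_value "$1" "$p")"
    done
}

# Succeeds only when both copies of objects.C agree on all three properties.
props_in_sync() { [ "$(report_props "$1")" = "$(report_props "$2")" ]; }

# Constructed sample files (hypothetical, not real objects.C content).
make_samples() {
    cat > "$1/conf.C" <<'EOF'
:props (
    : http_force_down_to_10 (true)
    :http_avoid_keep_alive (true)
    :other (
        :http_sup_continue (true)
    )
)
EOF
    cat > "$1/db.C" <<'EOF'
:props (
    :http_force_down_to_10 (true)
)
EOF
}

if [ "$#" -eq 2 ]; then
    report_props "$1"
    props_in_sync "$1" "$2" || echo "MISMATCH between the two copies"
fi
```

Run it with the edited copy and the database copy as the two arguments; a property that appears only in a nested block or outside ":props (" is reported as unset.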
