This fixed the WSUS server; it wasn't the cache_peer parameter after all.
acl inside dstdomain .mydomain.com
always_direct allow inside
never_direct allow all
The SEPM might have an additional known issue (known by Symantec, that is).
If a proxy or a firewall is stripping, compressing, or encrypting content-length packet headers, that'll break SEPM too. (SEPM uses port 80 by default, so theoretically it should have been getting out.)
Is there a parameter in squid that would do that (so I can see if it is configured or not)? The squid.conf is 90% of the default file, with just a few tweaks needed for our environment.
PG
On 30/10/2016 4:40 a.m., paul.greene.va wrote:
>
> Our firewall guy says what he's seeing in his logs is that traffic destined for
> port 443, after it goes through the proxy, is trying to go straight to the
> vendor over the internet, rather than go through the upstream McAfee gateway as
> required, and thus, the traffic is getting dropped by the Cisco firewall. I did
> a packet capture test with the McAfee gateway guy, and he confirmed that no
> traffic coming from either the WSUS or the SEPM is reaching his gateway.
>
> I thought this line in the squid.conf file should send traffic from our proxy to
> the upstream McAfee gateway, but maybe I'm misunderstanding the intent of the
> cache_peer parent parameter.
>
> cache_peer <McAfee Gateway IP address> parent 8080 3130 proxy-only
> no-query no-netdb-exchange default login=username:password
>
cache_peer configures the *how* of traffic sent to that gateway. Which
traffic uses it is configured by other directives (cache_peer_access,
always_direct, never_direct, peer_direct, nonhierarchical_direct) and
depends on the type of traffic.
NP: the above also indicates the connection(s) are plain-text HTTP. If
you are using interception then HTTPS traffic cannot go through that
link. Since HTTPS requires end-to-end security, the cache_peer
connection needs to use 'ssl' options for intercepted port 443 to use it
safely.
> (if placement of this cache_peer parameter matters, it's currently near the end
> of the squid.conf file)
>
> As a test, I configured internet explorer on the WSUS server to use the proxy
> for internet access. Without configuring for the proxy, IE can't go anywhere
> except the local network. IE can hit http websites (e.g. www.cnn.com) when it's
> configured to use the proxy, but not https websites.
>
> The Safe_ports and SSL_ports list is the same as the squid.conf defaults.
>
> This is squid 3.3 running on Redhat 7.
>
> Any suggestions or pointers?
Assuming you are using explicit/forward proxy, add this to your squid.conf:
never_direct allow all
If that doesn't work by itself, you may need these as well:
prefer_direct off
nonhierarchical_direct off
You should not have any existing lines with those directives or with
always_direct. If you do the placement might matter.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
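The routing rules discussed above (cache_peer as the *how*, never_direct / always_direct / prefer_direct / nonhierarchical_direct / cache_peer_access as the *which*, evaluated in file order), as an added example that is not part of the thread and not Squid project code: a small POSIX shell audit that lists those directives in a squid.conf, tells you whether "never_direct allow all" is present, counts the always_direct exceptions, and flags parents defined without the 'ssl' option (the plain-HTTP link Amos warns cannot safely carry intercepted port-443 traffic). It runs over two constructed squid.conf fragments written to temporary files: the thread's starting point, and the fixed version. The gateway address 192.0.2.10, the assumed TLS listener on 8443, the name= labels and the CA path are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid project code): audit the
# peer-routing directives in a squid.conf. cache_peer only defines HOW Squid
# reaches an upstream parent; WHICH requests use it is decided by
# always_direct / never_direct / prefer_direct / nonhierarchical_direct /
# cache_peer_access, evaluated in file order. Listing those lines makes a
# stray always_direct or a missing "never_direct allow all" visible.
set -eu

# Print every routing-relevant directive with its line number, in file order.
squid_routing_lines() {
    grep -nE '^[[:space:]]*(cache_peer|cache_peer_access|always_direct|never_direct|prefer_direct|nonhierarchical_direct)[[:space:]]' "$1"
}

# Exit 0 when "never_direct allow all" is present, i.e. every request that is
# not matched by an earlier always_direct must be sent to a parent.
squid_forces_peer() {
    grep -qE '^[[:space:]]*never_direct[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' "$1"
}

# Number of always_direct lines; a matching "always_direct allow" overrides
# never_direct, so each one is a deliberate hole in the "everything via parent" rule.
squid_always_direct_count() {
    grep -cE '^[[:space:]]*always_direct[[:space:]]' "$1" || true
}

# Parents defined without the 'ssl' option (Squid 3.x spelling; 'tls' in 4.x).
# Such a link is plain HTTP, so intercepted port-443 requests cannot be relayed
# over it without breaking the end-to-end guarantee the client expects.
# cache_peer syntax: cache_peer host type http-port icp-port [options...]
squid_plaintext_parents() {
    awk '$1 == "cache_peer" && $3 == "parent" {
            has_ssl = 0
            for (i = 6; i <= NF; i++) if ($i == "ssl") has_ssl = 1
            if (!has_ssl) print $2 ":" $4
         }' "$1"
}

report() {
    printf '== %s ==\n' "$1"
    squid_routing_lines "$1" || echo "(no routing directives found)"
    if squid_forces_peer "$1"; then
        echo "never_direct allow all: present"
    else
        echo "never_direct allow all: MISSING - Squid may go direct and bypass the parent"
    fi
    echo "always_direct lines: $(squid_always_direct_count "$1")"
    plain=$(squid_plaintext_parents "$1")
    if [ -n "$plain" ]; then
        echo "plain-HTTP parents (not usable for intercepted 443): $plain"
    fi
}

# Constructed sample 1: the thread's starting point. A parent is defined near
# the end of the file but nothing forces traffic through it. (Gateway IP
# 192.0.2.10 and the credentials are placeholders.)
SAMPLE_CONF="${TMPDIR:-/tmp}/squid-routing-sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
http_port 3128
acl SSL_ports port 443
acl inside dstdomain .mydomain.com
http_access allow localhost
# HOW Squid talks to the gateway; says nothing about WHICH requests use it.
cache_peer 192.0.2.10 parent 8080 3130 proxy-only no-query no-netdb-exchange default login=username:password
EOF

# Constructed sample 2: Amos's advice plus the poster's fix, with an assumed
# second, TLS-wrapped listener (8443) on the same gateway for the intercepted
# HTTPS case. name= gives the two peers distinct labels for cache_peer_access.
FIXED_CONF="${TMPDIR:-/tmp}/squid-routing-fixed.$$"
cat > "$FIXED_CONF" <<'EOF'
http_port 3128
acl SSL_ports port 443
acl inside dstdomain .mydomain.com
cache_peer 192.0.2.10 parent 8080 3130 proxy-only no-query no-netdb-exchange default login=username:password name=gw-plain
cache_peer 192.0.2.10 parent 8443 0 proxy-only no-query ssl sslcafile=/etc/pki/tls/certs/ca-bundle.crt name=gw-tls
# WHICH requests go where: port-443 traffic may use the TLS parent, internal
# domains go direct, everything else must use a parent.
cache_peer_access gw-tls allow SSL_ports
cache_peer_access gw-tls deny all
always_direct allow inside
never_direct allow all
prefer_direct off
nonhierarchical_direct off
EOF
trap 'rm -f "$SAMPLE_CONF" "$FIXED_CONF"' EXIT

report "$SAMPLE_CONF"
report "$FIXED_CONF"
```

Point the functions at a copy of the real squid.conf to see the same report for a live configuration. The script only pattern-matches lines; it does not evaluate ACLs the way Squid does, so after editing still run `squid -k parse` to confirm the file is syntactically valid and check the order of any always_direct / never_direct lines by hand, since the first matching rule wins.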