Guys
We are running ClearOS 7.3 business edition in gateway mode. Proxy is set to non-transparent. We are not able to connect to a third party endpoint which is accessible via https through port 443. Here is what we tried so far.
<blockquote><ul>
<li>Added the server name to the web proxy bypass section and added the same to the client machine's local proxy exception list (in Internet settings).</li>
<li>Added the server name to the Content Filter engine's Gray Sites list first, and then when it didn't help, to the Exception sites list.</li>
</ul></blockquote>
The error we get when trying to reach the endpoint via browser is
<blockquote>
server DNS address could not be found.
Try running Windows Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN</blockquote>
If we connect from another device that does not go through the clear OS gateway, the endpoint can be accessed just fine.
Any suggestions that we can try here? Is there any additional configuration where we can/should specify the specific port no. 443?
Looking forward to your suggestions
Responses (7)
Accepted Answer
When using the proxy server in non-transparent mode, you need to connect to the proxy using one of the two following ports:
With Content Filter enabled and running: 8080
Without Content Filter, just proxy: 3128
If the endpoint exists on your network and should not go through the proxy to resolve then you should specify the exception in your browser's proxy configuration or PAC (Proxy AutoConfiguration) script. If the endpoint SHOULD go through the proxy but is not working then there may be an object that does not work well being proxied.
Do all other regular HTTPS sites work?
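As an added example (not from this thread and not ClearOS's own configuration), here is a PAC script of the kind the answer refers to: everything goes to the proxy on port 8080 (the Content Filter port named above; 3128 would be the plain-proxy port), while unqualified intranet names, the LAN and one named third-party endpoint go DIRECT. The proxy address 192.168.0.1 and the name endpoint.example.com are assumptions standing in for the thread's gateway and endpoint.

```javascript
// Added example (not from the thread or ClearOS): a PAC script for clients
// behind a non-transparent ClearOS proxy. 192.168.0.1 is assumed to be the
// gateway; 8080 is its proxy port with Content Filter enabled (3128 without it).
// "endpoint.example.com" is a placeholder for the third-party endpoint.
var PROXY = "PROXY 192.168.0.1:8080";
var LAN_PREFIX = "192.168.0.";
var BYPASS_HOSTS = ["endpoint.example.com"]; // placeholder, not a real host

// Plain ES3 helper so older PAC engines (e.g. WinHTTP's JScript) can run it:
// true for the domain itself or any subdomain of it, never for a host that
// merely ends in the same letters (notendpoint.example.com is not matched).
function hostMatches(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.slice(host.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified intranet names never need the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Literal LAN addresses (the gateway's own web interface included) go direct.
  if (host.indexOf(LAN_PREFIX) === 0) return "DIRECT";
  // The explicitly bypassed endpoint(s) go direct.
  for (var i = 0; i < BYPASS_HOSTS.length; i++) {
    if (hostMatches(host, BYPASS_HOSTS[i])) return "DIRECT";
  }
  // Everything else, HTTPS (CONNECT) included, goes through the filtered proxy.
  return PROXY;
}
```

Two things worth keeping in mind with such a bypass. A DIRECT rule moves name resolution from the proxy to the client: through the proxy the browser sends CONNECT host:443 and Squid on the gateway resolves the name with the gateway's resolvers, whereas a bypassed host is resolved by the client with whatever DNS server DHCP handed it. And whatever goes DIRECT is no longer seen by the Content Filter or logged by the proxy, so the bypass list should stay as short as possible.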
Accepted Answer
Thanks for the response, Dave... Answers to your queries are as follows:
We are running proxy with content filter, so using port 8080 in the browser's proxy configuration.
The web service endpoint that we are having the issue with is a remote one.
We have specified the endpoint server name in the bypass list of the ClearOS proxy server and also in the local browser proxy configuration.
If we try to access the endpoint from a mobile device that is not behind the proxy, we get the output fine.
We also tried to bypass the proxy on one of the machines in the network by adding
iptables -t nat -I PREROUTING -s 192.168.0.158 -j ACCEPT
to the firewall.d/local script.
With that we are able to access internet on that machine even after removing the local proxy configuration, however this specific endpoint is still not accessible. Getting the same DNS_PROBE_FINISHED_NXDOMAIN on the browser.
And yea, other https sites just load fine. Is there any log file that we can look into for possible cues?
Thanks in advance for your support..
Accepted Answer
Googling the error message suggests a DNS problem and not a proxy problem. Which DNS servers is your workstation configured to use? From a Windows command prompt do a "ipconfig /all". While you are there you may as well also do an "ipconfig /flushdns".
In ClearOS, what are the contents of /etc/resolv-peerdns.conf and /etc/dnsmasq.d/dhcp.conf, and are you single or MultiWAN?
Accepted Answer
Nick is right in bringing up MultiWAN. If your DNS service does not allow for queries from your other ISP's connection (and most don't) then you may need to use a neutral DNS provider like Google (8.8.8.8, 8.8.4.4) or Level3 (with their permission at 4.2.2.1 and 4.2.2.2).
The problem with MultiWAN is that if you statically set your AD DNS to use your upstream ISP for DNS resolution, or if you set ClearOS to do the same, and your communication to that DNS goes over the competing ISP's connection, then you will get blocked.
Accepted Answer
Guys
Thanks for your responses... Answers to the queries are below:
From a Windows client machine's ipconfig /all output, 192.168.0.1 is listed under DNS Servers. This is the server running COS as gateway.
We have Multi WAN (two internet connections). However, for each WAN interface we have unchecked the "Automatic DNS Servers" checkbox, and we have specified OpenDNS servers for domain lookups under IP Settings | DNS. So /etc/resolv-peerdns.conf looks like
# Generated by NetworkManager
search lan.gateway
nameserver 208.67.220.220
nameserver 208.67.222.222
Content of /etc/dnsmasq.d/dhcp.conf:
dhcp-option=enp2s0,1,255.255.255.0
dhcp-option=enp2s0,28,192.168.0.255
dhcp-option=enp2s0,3,192.168.0.1
dhcp-option=enp2s0,6,192.168.0.1
dhcp-range=enp2s0,192.168.0.100,192.168.0.254,12h
read-ethers
6th of July was when we first tried to set up access to this endpoint. Though we tried and rolled back different options since then, the one change that has remained is the addition of the server URL to the proxy server bypass list. Today we ran out of bandwidth limit as per our ISP's plan, and while checking we could find that since the 6th of July there has been heavy bandwidth consumption (to the tune of 50-135 GB per day). This sure seems like some unwanted access. I have reverted that proxy exception, but I am wondering why adding a proxy exception could lead to that. We have switched to the alternate ISP now and are monitoring the usage. The filter and proxy report from the COS console is not very helpful; we see a bunch of "function item() { [native code] }" there.
Looking forward to your thoughts...
Sincerely
Praveen
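As an added example (not from this thread and not a ClearOS tool), here is a small Node.js script that answers the "which log can we look into" question for the proxy side: it parses Squid's native access.log format and totals bytes per client and per destination host, so a 50-135 GB/day surge can be pinned to a machine and a site. ClearOS's web proxy is Squid; the log path /var/log/squid/access.log is assumed, and the log lines embedded below are constructed samples, not data from the thread.

```javascript
// Added example (not from the thread or ClearOS): summarise Squid's native
// access.log by client and by destination. Assumed log path on ClearOS:
// /var/log/squid/access.log. The lines below are CONSTRUCTED samples.
var SAMPLE_LOG = [
  "1499356800.123   4567 192.168.0.158 TCP_TUNNEL/200 52428800 CONNECT endpoint.example.com:443 - HIER_DIRECT/203.0.113.10 -",
  "1499356805.456    120 192.168.0.101 TCP_MISS/200 18342 GET http://www.example.org/index.html - HIER_DIRECT/198.51.100.7 text/html",
  "1499356900.001   9876 192.168.0.158 TCP_TUNNEL/200 73400320 CONNECT endpoint.example.com:443 - HIER_DIRECT/203.0.113.10 -",
  "1499356950.777    300 192.168.0.102 TCP_HIT/200 4096 GET http://www.example.org/logo.png - HIER_NONE/- image/png",
  "1499357000.000     50 192.168.0.101 TCP_DENIED/403 3200 GET http://blocked.example.net/ - HIER_NONE/- text/html"
].join("\n");

// Native format: time elapsed client result/status bytes method URL ident hier/peer type.
// Returns null for lines that do not have that shape (e.g. a truncated last line).
function parseSquidLine(line) {
  var f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  var resultStatus = f[3].split("/");
  var url = f[6];
  var host;
  if (f[5] === "CONNECT") {
    host = url.split(":")[0];              // HTTPS tunnels log "host:port"
  } else {
    var m = /^[a-z]+:\/\/([^\/:]+)/i.exec(url);
    host = m ? m[1] : url;
  }
  return {
    time: parseFloat(f[0]),
    client: f[2],
    result: resultStatus[0],
    status: parseInt(resultStatus[1], 10),
    bytes: parseInt(f[4], 10),
    method: f[5],
    host: host.toLowerCase()
  };
}

// Total bytes sent to clients, broken down per client and per destination host,
// plus a count of requests the filter/proxy denied.
function summarise(logText) {
  var byClient = {}, byHost = {}, denied = 0, total = 0;
  logText.split("\n").forEach(function (line) {
    var r = parseSquidLine(line);
    if (!r) return;
    total += r.bytes;
    byClient[r.client] = (byClient[r.client] || 0) + r.bytes;
    byHost[r.host] = (byHost[r.host] || 0) + r.bytes;
    if (r.result === "TCP_DENIED") denied += 1;
  });
  return { total: total, byClient: byClient, byHost: byHost, denied: denied };
}

// Top-N entries of a {key: bytes} map as [key, bytes] pairs, largest first.
function topN(map, n) {
  return Object.keys(map).map(function (k) { return [k, map[k]]; })
    .sort(function (a, b) { return b[1] - a[1]; }).slice(0, n);
}

function mib(bytes) { return (bytes / 1048576).toFixed(1) + " MiB"; }

// Stand-alone use: node squid-top.js [/var/log/squid/access.log]; without a
// path the constructed sample is summarised.
if (typeof require !== "undefined" && require.main === module) {
  var text = process.argv[2] ? require("fs").readFileSync(process.argv[2], "utf8") : SAMPLE_LOG;
  var s = summarise(text);
  console.log("total " + mib(s.total) + ", denied requests: " + s.denied);
  console.log("top clients:", topN(s.byClient, 3).map(function (p) { return p[0] + " " + mib(p[1]); }));
  console.log("top hosts:  ", topN(s.byHost, 3).map(function (p) { return p[0] + " " + mib(p[1]); }));
}
```

One caveat that matters for exactly the situation described in the post: a host on the proxy bypass list never reaches Squid, so its traffic does not appear in access.log at all. The proxy log will show what went through the proxy, but a surge caused by bypassed traffic has to be measured elsewhere, for example with per-client firewall counters on the gateway or the ISP's own usage figures.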
Accepted Answer
Your dumps confirm all you've described and they look OK.
The problem I have is that my googling always comes back to a DNS issue on the PC. Have you done anything in your firewall to restrict DNS lookups to udp:53, i.e. blocking tcp:53? If so, please allow tcp:53. Another thing you can do is, in your Windows box, override the DNS server from using your ClearOS box to OpenVPN directly, then check if it works. Also, have you tried another browser?