Remote Web Access URL Trouble

Cmoney90

I am trying to access this URL https://aure.medcity.net/rsa from inside my company's network. We are behind a SonicWall and all we get is "Internet Explorer cannot display the webpage". However, if I am outside of the network, like my house for example, I am able to reach the site just fine. I have enabled SSL/TLS in the advanced options and am not sure what to try next. Any ideas would be greatly appreciated.

P.S. I am able to hit other sites just fine so my internet connection is not the problem.
 
Can you access other https sites? Maybe port 443 is being blocked. What if you ping or do a tracert to that site?
 
The Sonicwall is probably blocking the URL because the firewall is expecting to see all traffic hitting that URL to come from outside interface and not the inside interface. I bet if you used something like https://servername/rsa it would work fine. This type of problem stumped me for awhile on Untangle. When doing port forwards in Untangle, you need to include both interfaces. I'm unfamiliar with Sonicwall, but I'm sure someone here could walk you through the steps to fix that.
 
Can you access other https sites? Maybe port 443 is being blocked. What if you ping or do a tracert to that site?

I am able to hit other https sites. For instance I am able to hit amazon checkout just fine.

I'm assuming they have an ACL in place blocking pings, but here is the trace route from inside my company network:

C:\>tracert 12.154.19.118

Tracing route to https://aure.medicty.net/rsa [12.154.19.118]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.20.50.70
2 3 ms <1 ms <1 ms 10.20.2.1
3 1 ms <1 ms <1 ms 50-79-92-46-static.hfc.comcastbusiness.net [50.79.92.46]
4 31 ms 30 ms 19 ms 73.197.255.1
5 9 ms 8 ms 9 ms te-9-2-ur03.southside.fl.jacksvil.comcast.net [68.86.171.193]
6 15 ms 11 ms 11 ms te-0-4-0-8-ar02.southside.fl.jacksvil.comcast.net [68.86.168.113]
7 18 ms 19 ms 19 ms pos-0-5-0-0-cr01.miami.fl.ibone.comcast.net [68.86.90.229]
8 20 ms 18 ms 18 ms pos-0-4-0-0-pe01.nota.fl.ibone.comcast.net [68.86.88.98]
9 19 ms 19 ms 18 ms 192.205.36.169
10 31 ms 22 ms 23 ms cr81.fldfl.ip.att.net [12.122.81.26]
11 26 ms 22 ms 23 ms cr2.ormfl.ip.att.net [12.122.1.45]
12 21 ms 20 ms 20 ms gar6.ormfl.ip.att.net [12.123.34.145]
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.

This is from my home network which is able to hit the site just fine:

C:\>tracert 12.154.19.118

Tracing route to 12.154.19.118 over a maximum of 30 hops

1 <1 ms 1 ms 1 ms 192.168.0.1
2 40 ms 28 ms 19 ms 24.129.36.1
3 9 ms 11 ms 10 ms te-8-4-ur01.ftcaroline.fl.jacksvil.comcast.net [68.85.94.81]
4 24 ms 21 ms 12 ms te-0-4-0-10-ar02.westside.fl.jacksvil.comcast.net [68.85.225.69]
5 23 ms 25 ms 21 ms pos-0-4-0-0-cr01.charlotte.nc.ibone.comcast.net [68.86.91.81]
6 24 ms 24 ms 24 ms pos-3-12-0-0-cr01.atlanta.ga.ibone.comcast.net [68.86.86.221]
7 27 ms 27 ms 28 ms pos-0-4-0-0-pe01.56marietta.ga.ibone.comcast.net [68.86.87.138]
8 26 ms 26 ms 25 ms as7018-pe01.56marietta.ga.ibone.comcast.net [75.149.228.86]
9 30 ms 31 ms 32 ms cr2.attga.ip.att.net [12.122.117.98]
10 34 ms 34 ms 32 ms cr1.ormfl.ip.att.net [12.122.31.30]
11 30 ms 30 ms 31 ms gar6.ormfl.ip.att.net [12.123.34.21]
12 12.86.51.242 reports: Destination net unreachable.
 
The Sonicwall is probably blocking the URL because the firewall is expecting to see all traffic hitting that URL to come from outside interface and not the inside interface. I bet if you used something like https://servername/rsa it would work fine. This type of problem stumped me for awhile on Untangle. When doing port forwards in Untangle, you need to include both interfaces. I'm unfamiliar with Sonicwall, but I'm sure someone here could walk you through the steps to fix that.

Not sure what you mean, the site I am trying to reach is not part of my domain.
I gave Wireshark a shot and it is showing that my machine is sending three SYN packets and then the website will reply with a single reset ACK packet. It's almost like the webserver wants nothing to do with my network.
 
Not sure what you mean, the site I am trying to reach is not part of my domain.
I gave Wireshark a shot and it is showing that my machine is sending three SYN packets and then the website will reply with a single reset ACK packet. It's almost like the webserver wants nothing to do with my network.

Ironically, I've been working a trouble ticket much like this for an enterprise customer at work for the last few days. Problem is, we host the website he's trying to hit. I can get to the website from my phone and my desktop at work (DNS resolves the private IP of the server and it takes a different route), but I cannot reach it using our own guest wireless on our network.

It's been an interesting puzzle, to say the least, since I don't have direct access to the webserver or the firewall in front of it. I'm guessing the webserver's firewall is dropping the traffic since I can always trace the traffic to that firewall. Public IPs from outside our network and private IPs from within our network pass through, but a certain few public IPs from within our network do not.
 
Ironically, I've been working a trouble ticket much like this for an enterprise customer at work for the last few days. Problem is, we host the website he's trying to hit. I can get to the website from my phone and my desktop at work (DNS resolves the private IP of the server and it takes a different route), but I cannot reach it using our own guest wireless on our network.

It's been an interesting puzzle, to say the least, since I don't have direct access to the webserver or the firewall in front of it. I'm guessing the webserver's firewall is dropping the traffic since I can always trace the traffic to that firewall. Public IPs from outside our network and private IPs from within our network pass through, but a certain few public IPs from within our network do not.

That is why I am so confused. I tried calling their tech support to see if they could help me but all they kept saying was "there is nothing we have to do on our end". So helpful :rolleyes: . If you figure anything out please let me know.
 
Sonicwall TZ 205
SonicOS Enhanced 5.8.1.6-3o

Another fun fact; my customer having the issue is also behind a Sonicwall. I stayed late today to route and assign a block of spare IPs to the router we manage for him so that he can plug into an unused port on said router to bypass the Sonicwall without having to unplug it and put his users out of service.

I'm following up in the AM so I'll see if he can get to it minus the Sonicwall. I'm guessing he still won't be able to but it's the one last thing I've gotta rule out before engaging our web admins.
 
[image: KBID5853-image1.JPG]
 
I'll give it a shot. Thank you

I am intrigued. I would not be surprised in the least if this ends up being a certificate issue with SonicWall blocking the connection. Please post here as soon as you know because this may help me close my ticket.
 
I am intrigued. I would not be surprised in the least if this ends up being a certificate issue with SonicWall blocking the connection. Please post here as soon as you know because this may help me close my ticket.

It sounds like the FW is blocking SSL, see picture above?

Procedure:

Step 1: Enabling SSL Control on Zones

1. Login to the SonicWALL Management Interface, navigate to Network Zones page.
2. Select the Configure (Edit) icon for the desired zone.
3. In the Edit Zone window, select the Enable SSL Control checkbox.

[image: enable SSL control.jpg]


4. Click OK. All new SSL connections initiated from that zone will now be subject to inspection.

Step 2: SSL Control Configuration

SSL Control is located on Firewall > SSL Control Folder.

[image: KBID5853-image1.JPG]


Enable SSL Control – The global setting for SSL Control. This must be enabled for SSL Control applied to zones to be effective.
• Log the event – If an SSL policy violation, as defined within the Configuration section below, is detected, the event will be logged, but the SSL connection will be allowed to continue.
• Block the connection and log the event – In the event of a policy violation, the connection will be blocked and the event will be logged.
• Enable Blacklist – Controls detection of the entries in the blacklist, as configured in the Configure Lists section below.
• Enable Whitelist – Controls detection of the entries in the whitelist, as configured in the Configure Lists section below. Whitelisted entries will take precedence over all other SSL control settings.

• Detect Expired Certificates – Controls detection of certificates whose start date is before the current system time, or whose end date is beyond the current system time. Date validation depends on the SonicWALL’s System Time. Make sure your System Time is set correctly, preferably synchronized with NTP, on the System > Time page.

• Detect SSLv2 – Controls detection of SSLv2 exchanges. SSLv2 is known to be susceptible to cipher downgrade attacks because it does not perform integrity checking on the handshake. Best practices recommend using SSLv3 or TLS in its place.

• Detect Self-signed certificates – Controls the detection of certificates where both the issuer and the subject have the same common name.
• Detect Certificates signed by an Untrusted CA – Controls the detection of certificates where the issuer’s certificate is not in the SonicWALL’s System > Certificate trusted store.
• Detect Weak Ciphers (<64 bits) – Controls the detection of SSL sessions negotiated with symmetric ciphers less than 64 bits, commonly indicating export cipher usage.
• Configure Blacklist and Whitelist – Allows the administrator to define strings for matching common names in SSL certificates. Entries are case-insensitive, and will be used in pattern-matching fashion.

Step 3: Configure Blacklist and Whitelist

1. To configure the Whitelist and Blacklist, click the Configure button to bring up the following window.
[image: KBID5853-image2.JPG]


2. Entries can be added, edited and deleted with the buttons beneath each list window.

Note: List matching will be based on the subject common name in the certificate presented in the SSL exchange, not in the URL (resource) requested by the client.

Changes to any of the SSL Control settings will not affect currently established connections; only new SSL exchanges that occur following the change commit will be inspected and affected.

Copied from here,

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5853#Step_2:_SSL_Control_Configuration
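Added example (my own code, not SonicWALL's) that walks through the policy logic the KB text above describes: whitelist entries beat every other check, list matching is a case-insensitive substring match on the certificate's subject CN rather than the requested URL, and the five detections either log or block. CertInfo, Policy, evaluate and the sample certificate are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class CertInfo:  # constructed summary of one TLS session (what a probe would return)
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    issuer_trusted: bool   # issuer found in the firewall's trusted store
    protocol: str          # "SSLv2", "SSLv3", "TLSv1.2", ...
    cipher_bits: int       # negotiated symmetric key length

@dataclass
class Policy:
    block: bool = True     # False models "Log the event" only
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)
    checks: set = field(default_factory=lambda: {  # detections from the KB checkboxes
        "expired", "sslv2", "self_signed", "untrusted_ca", "weak_cipher"})

def cn_matches(cn, patterns):
    """List matching: case-insensitive substring match on the subject CN."""
    return any(p.lower() in cn.lower() for p in patterns)

def evaluate(cert, policy, now):
    """Return (action, violations); action is 'allow', 'log' or 'block'."""
    if cn_matches(cert.subject_cn, policy.whitelist):
        return "allow", []     # whitelist beats every other check
    v = []
    if cn_matches(cert.subject_cn, policy.blacklist):
        v.append("blacklisted CN")
    if "expired" in policy.checks and not (cert.not_before <= now <= cert.not_after):
        v.append("outside validity window")
    if "sslv2" in policy.checks and cert.protocol == "SSLv2":
        v.append("SSLv2 negotiated")
    if "self_signed" in policy.checks and cert.subject_cn == cert.issuer_cn:
        v.append("self-signed")
    if "untrusted_ca" in policy.checks and not cert.issuer_trusted:
        v.append("untrusted CA")
    if "weak_cipher" in policy.checks and cert.cipher_bits < 64:
        v.append(f"weak cipher ({cert.cipher_bits} bits)")
    return ("allow" if not v else "block" if policy.block else "log"), v

UTC = timezone.utc
NOW = datetime(2013, 6, 1, tzinfo=UTC)
# Constructed sample: self-signed, expired, issuer not in the trusted store.
SAMPLE = CertInfo("aure.example.net", "aure.example.net", datetime(2010, 1, 1, tzinfo=UTC),
                  datetime(2012, 1, 1, tzinfo=UTC), False, "TLSv1", 128)
```

Running evaluate(SAMPLE, Policy(), NOW) shows three violations and a block verdict, while adding a whitelist entry such as "aure." clears it regardless of the other findings.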
 

Yeah I picked up on it from the picture you posted earlier, but I appreciate the detail. :)

We have a team that manages Fortinets, but not Sonicwalls; my customer manages his. Like I'd mentioned, I actually stayed late to provision a new IP block for the customer so he could try reaching the website without having to unplug his Sonicwall, (they really don't pay me enough!) The customer reports that his wife works with another of our customers and that they can't reach our site either. I'm willing to bet that company has a Sonicwall too.

I'm willing to bet after he plugs into that new port I set up for him he'll suddenly be able to hit our website and then I'll tell him to make that change in his Sonicwall. Then I've gotta reach out to our web admins and tell them to sort out their certificates!
 
Unfortunately the SSL configurations to the firewall did not do anything for me. But, I still appreciate your input Dashpuppy! Maybe Electrofreak will have more luck with his.
 
Yeah I picked up on it from the picture you posted earlier, but I appreciate the detail. :)

We have a team that manages Fortinets, but not Sonicwalls. Like I'd mentioned, I actually stayed late to provision a new IP block for the customer so he could try reaching the website without having to unplug his Sonicwall, (they really don't pay me enough!)

I'm willing to bet he'll suddenly be able to hit our website and then I'll tell him to make that change in his Sonicwall. Then I've gotta reach out to our web admins and tell them to sort out their certificates!

If you need help don't be afraid to pm me :) i'm getting VERY good at sw's :)
 
If you need help don't be afraid to pm me :) i'm getting VERY good at sw's :)

I appreciate that because you do not know how much time I spend on the phone with IT admins begging me to tell them how to set up their Sonicwalls when it's not my problem; I manage the router and the customer's WAN links / MPLS... the LAN is outside of my jurisdiction.

That said, if I knew Sonicwalls well enough I could charge consultation fees left and right. :D
 
Unfortunately the SSL configurations to the firewall did not do anything for me. But, I still appreciate your input Dashpuppy! Maybe Electrofreak will have more luck with his.

Thanks Cmoney90; I guess I'll find out in the morning!
 
I can help more, who ever needs it tomorrow pm me.

RDP or teamviewer :) if available so we can work together..

Dash.
 
Holy broken firewall batman. No wonder the support queue at work is full of Sonicwall tickets. Thankfully, not our problem!
 
Sweet! The fix dashpuppy proposed, while unsuccessful for the OP, is exactly what was happening with my trouble ticket here at work.

I've had the customer whitelist our website's IP address in the Sonicwall config and I'm getting our web admins to look into why our website is tripping SSL Policy Violations on Sonicwalls.

Thanks to the OP and dashpuppy... this was one of those tickets I was thinking was never going to leave my queue. :)
 
Sweet! The fix dashpuppy proposed, while unsuccessful for the OP, is exactly what was happening with my trouble ticket here at work.

I've had the customer whitelist our website's IP address in the Sonicwall config and I'm getting our web admins to look into why our website is tripping SSL Policy Violations on Sonicwalls.

Thanks to the OP and dashpuppy... this was one of those tickets I was thinking was never going to leave my queue. :)

Glad to know that I'm somewhat useful around here with SonicWalls :) :) :)
 
That is awesome that you got yours working Electrofreak :cool: I'm still working on mine. I will keep you guys updated.
 
Still working on this issue. If anyone else has any ideas please feel free to chime in! :)
 
We need to do a TeamViewer session :)

Haha yes I know dashpuppy! I'm still doing a lot of traveling to remote offices this week. But, as soon as that slows down we can set one up if you are still up for it. I appreciate your help.
 