AT&T Cloud Web Security Service Troubleshooting Guide

Table of Contents
1 Summary
2 Explicit Proxy Access Method
  2.1 Explicit Proxy Flow Diagram
3 Proxy Forwarding Access Method
  3.1 Proxy Forwarding Flow Diagram
4 IPSec/VPN Access Method
  4.1 IPSec/VPN Flow Diagram
5 Client Connector Access Method
  5.1 Client Connector Flow Diagram
6 Auth Connector / SAML Authentication
  6.1 Authentication Flow Diagram

1 Summary

The purpose of this document is to describe the troubleshooting steps Cloud WSS customers need to take when experiencing service issues. These steps will assist customers in determining the root cause as well as escalating the issue to the proper supporting organization (internal or AT&T).

There is a section for each access method and core functionality. Within each section, troubleshooting steps are grouped by testing category. In addition, each section includes a technical data flow diagram to assist troubleshooting.

If the problem persists after using this troubleshooting guide, please contact:

AT&T MSS Help Desk
1-800-727-2222 Prompt 8,2
Managed.security@ems.att.com

2 Explicit Proxy Access Method

Explicit Proxy Minimum Requirements

Firewall Configuration
  o TCP 8080 must be open on the firewall
  o TCP 443 must be open (for SSL connections)
Client proxy configuration
  o Explicit Proxy Destination proxy.threatpulse.com:8080
  o Destination if using PAC Configuration https://portal.threatpulse.com/pac
Portal Configuration
  o Define Location

If using Auth Connector or SAML, refer to the Auth Connector/SAML Minimum Requirements section.
Refer to the diagram below for the total data flow.

Troubleshooting the Explicit Proxy Connection Method

1. Firewall
  1.1 Is there an active Internet connection?
  1.2 telnet to proxy.threatpulse.com 8080
  1.3 telnet to proxy.threatpulse.com 443
  1.4 ping proxy.threatpulse.com (if ping is enabled)
2. Node Explicit Proxy
  2.1. In Windows
    2.1.1.1. Open Internet Explorer
    2.1.1.2. Click on Tools
    2.1.2. Click on Internet Options
    2.1.3. Click on Connections
    2.1.4. Click on LAN Settings
    2.1.5. Click on the check box for Proxy Server
    2.1.6. Enter proxy.threatpulse.com and port 8080
    2.1.7. Click OK
    2.1.8. Open the browser to demo.threatpulse.com to see if the computer is protected
3. PAC Configuration
  3.1. In Windows
    3.1.1.1. Open Internet Explorer
    3.1.1.2. Click on Tools
    3.1.1.3. Click on Internet Options
    3.1.1.4. Click on Connections
    3.1.1.5. Click on LAN Settings
    3.1.1.6. Click on the check box for Proxy Server
    3.1.1.7. Under Automatic Configuration, put proxy.threatpulse.com/pac and port 8080
    3.1.1.8. Click OK
    3.1.1.9. Open the browser to demo.threatpulse.com to see if the computer is protected
4. Portal Configuration
  4.1. In browser go to portal.threatpulse.com
    4.1.1.1. Log in with correct username and password
    4.1.1.2. Click on Service
    4.1.1.3. Click on Add Location
    4.1.1.4. Add the location name
    4.1.1.5. Choose the access method Explicit Proxy from the down arrow
    4.1.1.6. Verify the IP/Subnet
    4.1.1.7. If using SAML or Auth Connector, make sure that Enable Captive Portal is checked
    4.1.1.8. Verify Country and Time zone
    4.1.1.9. If the information is correct, a green check mark will appear to the right of the screen under Status
    4.1.1.10. Verify the Bypassed Sites tab to make sure that the correct IP addresses are permitted or denied

2.1 Explicit Proxy Flow Diagram

3 Proxy Forwarding Access Method

Proxy Forwarding Minimum Requirements

Firewall Configuration (NBFW)
  o TCP 8080 must be open on the firewall
  o TCP 443 must be open (for SSL connections)
  o TCP 8443 (for trans NAT)
Proxy SG forwarding configuration
  o Forwards to proxy.threatpulse.com:8080
Portal Configuration
  o Define Location (use Egress Address of NBFW)

Troubleshooting

1. Firewall
  1.1. Is there an active Internet connection?
  1.2. telnet to proxy.threatpulse.com 8080
  1.3. telnet to proxy.threatpulse.com 443
  1.4. ping proxy.threatpulse.com (if ping is enabled)
  1.5. Verify that Port 8443 is enabled
2. Proxy SG
  2.1. Open the Proxy SG browser interface https://1.1.1.1:8082 (use correct IP) and log in
    2.1.1. Click on Configuration
    2.1.2. Click on Forwarding
    2.1.3. Click on Forwarding Hosts
    2.1.4. Is proxy.threatpulse.com there?
    2.1.5. Click on Default Sequence
    2.1.6. Is proxy.threatpulse.com on the right side under Alias name?
    2.1.7. Click on Statistics tab
    2.1.8. Click on Health Monitoring to verify the health check. Does it have a green OK?
3. Portal Configuration
  3.1. In browser go to portal.threatpulse.com
    3.1.1. Log in with correct username and password
    3.1.2. Click on Service
    3.1.3. Click on Add Location
    3.1.4. Add the Location Name
    3.1.5. Choose the access method Proxy Forwarding from the drop down arrow
    3.1.6. Verify the IP/Subnet
    3.1.7. Verify Country and Time zone
    3.1.8. If the information is correct, a green check mark will appear to the right of the screen under Status

3.1 Proxy Forwarding Flow Diagram

4 IPSec/VPN Access Method

IPsec Minimum Requirements

Firewall Configuration (NBFW)
  o Must use IPsec
  o Must originate from firewall
  o Must enable Port UDP 500
  o Must use Main Mode Negotiations
  o Must use an IP address as gateway
  o Must use Pre-Shared Key
  o Must define a Proxy Id
Portal
  o Must have a Location Name
  o Must define Gateway IP of Firewall (inside Location)
  o Must define Pre-Shared key (inside Location)
  o Can enable Captive Portal (inside Location)
  o Can use Auth Connector or SAML (inside enable Captive Portal)

If using Auth Connector or SAML, refer to the Auth Connector/SAML Minimum Requirements section.

Troubleshooting

1. Firewall
  1.1. Is there an active Internet connection?
  1.2. Is the firewall behind another firewall? (Bluecoat will not accept NAT-Traversal)
  1.3. Can a Bluecoat Load Balancer be pinged? (if ICMP is enabled)
  1.4. How far does trace-route go? (if the load balancer is not able to be pinged)
  1.5. Phase 1
    1.5.1. Is Bluecoat Cloud Load Balancer defined as Gateway?
    1.5.2. Do the Phase 1 proposals match?
    1.5.3. Does the Pre-Shared key match the Portal?
    1.5.4. Is Dead Peer Detection enabled? (optional)
  1.6. Phase 2
    1.6.1. Is the correct tunnel defined?
    1.6.2. Do the Phase 2 proposals match?
    1.6.3. Is the Proxy Id defined?
    1.6.4. Are SSL and HTTP defined in an active SA?
    1.6.5. Are SSL and HTTP forwarded to the active tunnel?

4.1 IPSec/VPN Flow Diagram

5 Client Connector Access Method

Client Connector Minimum Requirements

Firewall Configuration (NBFW)
  o Allow TCP port 443
Client Configuration
  o Must have an active Internet connection
  o Download/Install Client Connector to local machine

Troubleshooting

1. Firewall (NBFW)
  1.1. Is there an active Internet connection?
  1.2. telnet to proxy.threatpulse.com 443
  1.3. ping proxy.threatpulse.com (if ping is enabled)
2. Client Connector
  2.1. Behind a Bluecoat Cloud Connection under the same account in the portal
    2.1.1. Mouse over Bluecoat Icon on bottom right of the screen
    2.1.2. Should be failed open (color white)
  2.2. Not behind a Bluecoat Cloud Connection method in the same account
    2.2.1. Mouse over Bluecoat Icon on bottom right of the screen
    2.2.2. Should not be failed open (color is blue)
  2.3. Verify that the Client Connector is connected
  2.4. Right mouse on Bluecoat Icon
  2.5. Click Status
    2.5.1. Is the Customer ID correct?
    2.5.2. Are Local Services UP?
    2.5.3. Is Network available?
    2.5.4. Is the Connector status Connected to Threatpulse?
    2.5.5. Is HTTPS-OK?

5.1 Client Connector Flow Diagram

6 Auth Connector / SAML Authentication

Auth Connector/SAML Minimum Requirements

Firewall Configuration (NBFW)
  o Allow TCP port 443 through Egress
Portal Configuration
  o Define Auth Connector/SAML
  o Cert must match server (if using SAML)
  o Under Location / Captive Portal, the subnet must be defined (if using SAML)
Server Configuration
  o Must use Active Directory
  o Internal IP must be reachable by Client machine as defined in Portal (if using SAML)
  o Cert must match Portal Cert (if using SAML)
  o IDP listens on 8443 (if using SAML)
      o Traffic must be allowed to this host locally on this port

Auth Connector/SAML can be used with Explicit and IPsec Access Methods.

Troubleshooting

1. Firewall
  1.1. Is there an active Internet connection?
  1.2. telnet to proxy.threatpulse.com 443
  1.3. ping proxy.threatpulse.com (if ping is enabled)
2. Portal Side Configuration for Auth Connector or SAML
  2.1. Log into Portal.threatpulse.com
    2.1.1. Click on Service
    2.1.2. Click on Authentication
    2.1.3. Click Auth Connector
    2.1.4. Is Auth Connector Status Green?
3. If using SAML
  3.1. Follow the previous Steps 2.1 through 2.1.2.
  3.2. Click SAML
    3.2.1. Under Endpoint URL, the address should look as follows: http://192.168.1.1/bcca/saml/idp (the internal non-routed IP of the server with Active Directory)
    3.2.2. Does the Cert defined in Signing Certificate Chains match the cert on the Active Directory Server?
    3.2.3. Is Auth Connector Status Green?
4. Server Side Configuration
  4.1. Services
    4.1.1. Click on Start, All Programs, Administrative Tools, Services
      4.1.1.1. Click on Blue Coat Auth Connector
      4.1.1.2. Are Blue Coat Auth services running (under status started)?
      4.1.1.3. If not, click Start or Restart (to start or restart services)
  4.2. Event Logs
    4.2.1. Click on Start, All Programs, Administrative Tools, Event Viewer
    4.2.2. Click on Windows Logs, Application
    4.2.3. Click refresh and view the top BCCA log
      4.2.3.1. Does it show connected to the user Id?
      4.2.3.2. If it does not show connected, why does it show that it fails? (What is the error?)
  4.3. Is Active Directory working correctly?
  4.4. Is the internal IP address of the server directly reachable by the client machine? (if using SAML)
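
The "telnet to proxy.threatpulse.com" firewall steps in sections 2, 3, 5 and 6 can be scripted so that the type of failure (refused, silently dropped, DNS) is recorded before escalating. This is an added example, not part of the original guide; the function names and the grouping of ports by access method are assumptions of the example, and the UDP 500 and TCP 8443 items are left out because the guide verifies them on the firewall itself.

```python
"""Scripted form of the guide's telnet firewall checks (added example)."""
import socket

# Host and ports are the ones the guide tests with telnet; the grouping by
# access method and every name below are this example's own.
WSS_PROXY = "proxy.threatpulse.com"
TCP_PORTS = {
    "explicit-proxy": (8080, 443),
    "proxy-forwarding": (8080, 443),
    "client-connector": (443,),
    "auth-connector-saml": (443,),
}


def tcp_check(host, port, timeout=5.0):
    """Return (state, detail); state is open, refused, timeout, dns or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", "TCP handshake completed"
    except socket.gaierror as exc:
        return "dns", f"name did not resolve: {exc}"
    except ConnectionRefusedError:
        return "refused", "reset received: path is up, port closed or rejected"
    except (socket.timeout, TimeoutError):
        return "timeout", "no reply: usually a firewall silently dropping the SYN"
    except OSError as exc:
        return "error", str(exc)


def check_method(method, host=WSS_PROXY, timeout=5.0):
    """Run every TCP check the guide lists for one access method."""
    return {port: tcp_check(host, port, timeout) for port in TCP_PORTS[method]}


def summarize(results):
    """Keep only the ports that failed, with the failure class for the ticket."""
    return {port: res for port, res in results.items() if res[0] != "open"}


if __name__ == "__main__":
    import sys
    method = sys.argv[1] if len(sys.argv) > 1 else "explicit-proxy"
    for port, (state, detail) in check_method(method).items():
        print(f"{WSS_PROXY}:{port:<5} {state:<8} {detail}")
```

A "timeout" on 8080 with 443 "open" points at the local egress firewall rule rather than at the service, which is the distinction the escalation step needs.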

6.1 Auth Connector / SAML Flow Diagram