AT&T Cloud Web Security Service


AT&T Cloud Web Security Service Troubleshooting Guide

Table of Contents

1 Summary ... 3
2 Explicit Proxy Access Method ... 4
2.1 Explicit Proxy Flow Diagram ... 4
3 Proxy Forwarding Access Method ... 6
3.1 Proxy Forwarding Flow Diagram ... 7
4 IPSec/VPN Access Method ... 8
4.1 IPSec/VPN Flow Diagram ... 9
5 Client Connector Access Method ... 10
5.1 Client Connector Flow Diagram ... 11
6 Auth Connector / SAML Authentication ... 12
6.1 Authentication Flow Diagram ... 13

1 Summary

The purpose of this document is to describe the troubleshooting steps Cloud WSS customers need to take when experiencing service issues. These steps will assist customers in determining the root cause as well as escalating the issue to the proper supporting organization (internal or AT&T). There is a section for each access method and core functionality. Within each section, troubleshooting steps are grouped by testing category. In addition, each section includes a technical data flow diagram to assist troubleshooting.

If the problem persists after using this troubleshooting guide, please contact the AT&T MSS Help Desk:
1-800-727-2222, Prompt 8, 2
Managed.security@ems.att.com

2 Explicit Proxy Access Method

Explicit Proxy Minimum Requirements

Firewall Configuration
- TCP 8080 must be open on the firewall
- TCP 443 must be open (for SSL connections)

Client proxy configuration
- Explicit Proxy Destination: proxy.threatpulse.com:8080
- Destination if using PAC Configuration: https://portal.threatpulse.com/pac
- Portal Configuration: Define Location

If using Auth Connector or SAML, refer to the Auth Connector/SAML Minimum Requirements section.

Refer to the diagram below for the total data flow.

Troubleshooting the Explicit Proxy Connection Method

1. Firewall
1.1. Is there an active Internet connection?
1.2. telnet to proxy.threatpulse.com 8080
1.3. telnet to proxy.threatpulse.com 443
1.4. ping proxy.threatpulse.com (if ping is enabled)

2. Node Explicit Proxy
2.1. In Windows
2.1.1. Open Internet Explorer
2.1.2. Click on Tools
2.1.3. Click on Internet Options
2.1.4. Click on Connections
2.1.5. Click on LAN Settings
2.1.6. Click on the check box for Proxy Server
2.1.7. Enter proxy.threatpulse.com and port 8080
2.1.8. Click OK
2.1.9. Open the browser to demo.threatpulse.com to see if the computer is protected

3. PAC Configuration
3.1. In Windows
3.1.1. Open Internet Explorer
3.1.2. Click on Tools
3.1.3. Click on Internet Options
3.1.4. Click on Connections
3.1.5. Click on LAN Settings
3.1.6. Click on the check box for Proxy Server
3.1.7. Under Automatic Configuration, put proxy.threatpulse.com/pac and port 8080
3.1.8. Click OK
3.1.9. Open the browser to demo.threatpulse.com to see if the computer is protected

4. Portal Configuration
4.1. In a browser, go to portal.threatpulse.com
4.1.1. Log in with the correct username and password
4.1.2. Click on Service
4.1.3. Click on Add Location
4.1.4. Add the location name
4.1.5. Choose the access method Explicit Proxy from the drop-down arrow
4.1.6. Verify the IP/Subnet
4.1.7. If using SAML or Auth Connector, make sure that Enable Captive Portal is checked
4.1.8. Verify Country and Time zone
4.1.9. If the information is correct, a green check mark will appear to the right of the screen under Status
4.1.10. Verify the Bypassed Sites tab to make sure that the correct IP addresses are permitted or denied

2.1 Explicit Proxy Flow Diagram (figure not reproduced in this transcription)

3 Proxy Forwarding Access Method

Proxy Forwarding Minimum Requirements

Firewall Configuration (NBFW)
- TCP 8080 must be open on the firewall
- TCP 443 must be open (for SSL connections)
- TCP 8443 (for trans NAT)

ProxySG forwarding configuration
- Forwards to proxy.threatpulse.com:8080

Portal Configuration
- Define Location (use Egress Address of NBFW)

Troubleshooting

1. Firewall
1.1. Is there an active Internet connection?
1.2. telnet to proxy.threatpulse.com 8080
1.3. telnet to proxy.threatpulse.com 443
1.4. ping proxy.threatpulse.com (if ping is enabled)
1.5. Verify that port 8443 is enabled

2. ProxySG
2.1. Open the ProxySG browser interface https://1.1.1.1:8082 (use the correct IP) and log in
2.1.1. Click on Configuration
2.1.2. Click on Forwarding
2.1.3. Click on Forwarding Hosts
2.1.4. Is proxy.threatpulse.com there?
2.1.5. Click on Default Sequence
2.1.6. Is proxy.threatpulse.com on the right side under Alias Name?
2.1.7. Click on the Statistics tab
2.1.8. Click on Health Monitoring to verify the health check. Does it have a green OK?

3. Portal Configuration
3.1. In a browser, go to portal.threatpulse.com
3.1.1. Log in with the correct username and password
3.1.2. Click on Service
3.1.3. Click on Add Location
3.1.4. Add the Location Name
3.1.5. Choose the access method Proxy Forwarding from the drop-down arrow
3.1.6. Verify the IP/Subnet
3.1.7. Verify Country and Time zone
3.1.8. If the information is correct, a green check mark will appear to the right of the screen under Status
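The firewall steps of the Explicit Proxy, Proxy Forwarding, Client Connector and Auth Connector sections all come down to the same interactive test: telnet to proxy.threatpulse.com on each port the access method needs. The script below is an added example, not code from the guide or from AT&T/Blue Coat; it automates those probes and reports which required ports did not answer. The host name and the per-method port lists are the ones the guide states; the function names are assumptions made for this example, and the one-off TCP connect is the same thing a successful telnet shows (it does not prove the proxy is healthy, only that the firewall lets the connection through).

```python
# Added example (not part of the AT&T / Blue Coat guide): automates the
# "telnet to proxy.threatpulse.com <port>" checks from the firewall steps
# and reports the required ports that did not answer.
import socket
from typing import Dict, Iterable, List

# Host name from the guide; port sets as listed in each section's
# minimum requirements.
CLOUD_PROXY_HOST = "proxy.threatpulse.com"
REQUIRED_TCP_PORTS = {
    "explicit_proxy": (8080, 443),
    "proxy_forwarding": (8080, 443, 8443),
    "client_connector": (443,),
    "auth_connector_saml": (443,),
}


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes (what a successful
    telnet shows); False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, bool]:
    """Probe each port once and return port -> reachable."""
    return {port: check_tcp(host, port, timeout) for port in ports}


def blocked_ports(results: Dict[int, bool], required: Iterable[int]) -> List[int]:
    """Required ports that did not answer; an empty list means the
    firewall step of the guide passes."""
    return [p for p in required if not results.get(p, False)]


def check_access_method(method: str, host: str = CLOUD_PROXY_HOST,
                        timeout: float = 3.0) -> List[int]:
    """Run the firewall check for one access method and return the
    blocked ports (empty list = all required ports reachable)."""
    required = REQUIRED_TCP_PORTS[method]
    return blocked_ports(check_ports(host, required, timeout), required)


if __name__ == "__main__":
    for method in REQUIRED_TCP_PORTS:
        missing = check_access_method(method)
        state = "OK" if not missing else f"blocked: {missing}"
        print(f"{method:20s} {state}")
```

Run it from a machine on the protected network (or from the NBFW side for Proxy Forwarding) and read the `blocked:` lines as the firewall rules that still need opening; a method that reports OK but still fails points you at the next step in its section (client proxy settings, ProxySG forwarding, or the portal location).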

3.1 Proxy Forwarding Flow Diagram (figure not reproduced in this transcription)

4 IPSec/VPN Access Method

IPsec Minimum Requirements

Firewall Configuration (NBFW)
- Must use IPsec
- Must originate from the firewall
- Must enable port UDP 500
- Must use Main Mode negotiations
- Must use an IP address as gateway
- Must use a Pre-Shared Key
- Must define a Proxy ID

Portal
- Must have a Location Name
- Must define Gateway IP of Firewall (inside Location)
- Must define Pre-Shared Key (inside Location)
- Can enable Captive Portal (inside Location)
- Can use Auth Connector or SAML (inside Enable Captive Portal)

If using Auth Connector or SAML, refer to the Auth Connector/SAML Minimum Requirements section.

Troubleshooting

1. Firewall
1.1. Is there an active Internet connection?
1.2. Is the firewall behind another firewall? (Blue Coat will not accept NAT-Traversal)
1.3. Can a Blue Coat Load Balancer be pinged? (if ICMP is enabled)
1.4. How far does traceroute go? (if the load balancer cannot be pinged)
1.5. Phase 1
1.5.1. Is the Blue Coat Cloud Load Balancer defined as Gateway?
1.5.2. Do the Phase 1 proposals match?
1.5.3. Does the Pre-Shared Key match the Portal?
1.5.4. Is Dead Peer Detection enabled? (optional)
1.6. Phase 2
1.6.1. Is the correct tunnel defined?
1.6.2. Do the Phase 2 proposals match?
1.6.3. Is the Proxy ID defined?
1.6.4. Are SSL and HTTP defined in an active SA?
1.6.5. Are SSL and HTTP forwarded to the active tunnel?
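The IPsec requirements and the Phase 1 / Phase 2 questions above are a checklist, and most tunnel failures are one item on it (a proposal that differs in one field, a PSK typed differently on the two sides, a host name where an IP is required). The linter below is an added example, not code from the guide or the vendor: it takes a plain description of the firewall tunnel, the portal location and the cloud side's expected values and returns every item that fails. The dictionary keys, the function name and all sample values (addresses, key, proposals) are constructed for this example; the guide does not state the cloud side's real proposals or load balancer address, so the `CLOUD` values are placeholders to be replaced with what the portal gives you.

```python
# Added example, not part of the AT&T / Blue Coat guide: a checklist linter
# for the IPsec minimum requirements and the Phase 1 / Phase 2 questions.
# Keys, function names and sample values are constructed for this example;
# the "cloud" values are placeholders, not Blue Coat's real proposals.
import ipaddress
from typing import Any, Dict, List

PHASE1_FIELDS = ("encryption", "hash", "dh_group", "lifetime")
PHASE2_FIELDS = ("encryption", "hash", "pfs_group", "lifetime")


def _is_ip(value: Any) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_ipsec(fw: Dict[str, Any], portal: Dict[str, Any], cloud: Dict[str, Any]) -> List[str]:
    """Findings for firewall (fw), portal location (portal) and cloud-side
    expectations (cloud); an empty list means every check passes."""
    f: List[str] = []
    # Firewall minimum requirements
    if fw.get("protocol") != "ipsec":
        f.append("firewall must use IPsec")
    if fw.get("behind_nat", True):
        f.append("tunnel must originate from the firewall itself (Blue Coat does not accept NAT-Traversal)")
    if 500 not in fw.get("open_udp_ports", ()):
        f.append("UDP 500 must be enabled")
    if fw.get("ike_mode") != "main":
        f.append("IKE must use Main Mode negotiations")
    if not _is_ip(fw.get("gateway")):
        f.append("gateway must be an IP address, not a host name")
    elif fw["gateway"] != cloud.get("load_balancer_ip"):
        f.append("gateway is not the Blue Coat Cloud Load Balancer")
    if not fw.get("pre_shared_key"):
        f.append("a pre-shared key must be configured")
    elif fw["pre_shared_key"] != portal.get("pre_shared_key"):
        f.append("pre-shared key does not match the portal location")
    if not fw.get("proxy_id"):
        f.append("a Proxy ID must be defined")
    # Portal location requirements
    if not portal.get("location_name"):
        f.append("portal location must have a Location Name")
    if portal.get("gateway_ip") != fw.get("egress_ip"):
        f.append("portal location gateway IP does not match the firewall's egress IP")
    # Phase 1 / Phase 2 proposals must match field by field
    for phase, fields in (("phase1", PHASE1_FIELDS), ("phase2", PHASE2_FIELDS)):
        for k in fields:
            mine, theirs = fw.get(phase, {}).get(k), cloud.get(phase, {}).get(k)
            if mine != theirs:
                f.append(f"{phase} proposal mismatch on {k}: firewall={mine!r} cloud={theirs!r}")
    # HTTP and SSL must sit in an active SA and be forwarded into the tunnel
    for port in (80, 443):
        if port not in fw.get("active_sa_ports", ()):
            f.append(f"TCP {port} is not covered by an active SA")
        if port not in fw.get("tunnel_forwarded_ports", ()):
            f.append(f"TCP {port} is not forwarded to the active tunnel")
    return f


# Constructed sample configurations (placeholder addresses, key and proposals).
GOOD_FW = {
    "protocol": "ipsec", "behind_nat": False, "open_udp_ports": (500,),
    "ike_mode": "main", "gateway": "203.0.113.10", "egress_ip": "198.51.100.7",
    "pre_shared_key": "example-psk", "proxy_id": "198.51.100.7/32",
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime": 28800},
    "phase2": {"encryption": "aes256", "hash": "sha256", "pfs_group": 14, "lifetime": 3600},
    "active_sa_ports": (80, 443), "tunnel_forwarded_ports": (80, 443),
}
GOOD_PORTAL = {"location_name": "HQ", "gateway_ip": "198.51.100.7",
               "pre_shared_key": "example-psk"}
CLOUD = {"load_balancer_ip": "203.0.113.10",
         "phase1": GOOD_FW["phase1"], "phase2": GOOD_FW["phase2"]}

if __name__ == "__main__":
    for line in lint_ipsec(GOOD_FW, GOOD_PORTAL, CLOUD) or ["all IPsec checks pass"]:
        print(line)
```

Note that the portal location's gateway IP is compared with the firewall's own egress address, while the firewall's gateway is compared with the cloud load balancer: the two "gateway" fields in the guide refer to different ends of the tunnel, and confusing them is a common reason Phase 1 never starts.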

4.1 IPSec/VPN Flow Diagram (figure not reproduced in this transcription)

5 Client Connector Access Method

Client Connector Minimum Requirements

Firewall Configuration (NBFW)
- Allow TCP port 443

Client Configuration
- Must have an active Internet connection
- Download/install Client Connector on the local machine

Troubleshooting

1. Firewall (NBFW)
1.1. Is there an active Internet connection?
1.2. telnet to proxy.threatpulse.com 443
1.3. ping proxy.threatpulse.com (if ping is enabled)

2. Client Connector
2.1. Behind a Blue Coat Cloud connection under the same account in the portal
2.1.1. Mouse over the Blue Coat icon on the bottom right of the screen
2.1.2. Should be failed open (color white)
2.2. Not behind a Blue Coat Cloud connection method in the same account
2.2.1. Mouse over the Blue Coat icon on the bottom right of the screen
2.2.2. Should not be failed open (color is blue)
2.3. Verify that the Client Connector is connected
2.4. Right-click on the Blue Coat icon
2.5. Click Status
2.5.1. Is the Customer ID correct?
2.5.2. Are Local Services UP?
2.5.3. Is Network available?
2.5.4. Is the Connector status "Connected to Threatpulse"?
2.5.5. Is HTTPS OK?

5.1 Client Connector Flow Diagram (figure not reproduced in this transcription)

6 Auth Connector / SAML Authentication

Auth Connector/SAML Minimum Requirements

Firewall Configuration (NBFW)
- Allow TCP port 443 through Egress

Portal Configuration
- Define Auth Connector/SAML
- Cert must match server (if using SAML)
- Under Location / Captive Portal, the subnet must be defined (if using SAML)

Server Configuration
- Must use Active Directory
- Internal IP must be reachable by the client machine as defined in Portal (if using SAML)
- Cert must match Portal cert (if using SAML)
- IdP listens on 8443 (if using SAML)
  - Traffic must be allowed to this host locally on this port

Auth Connector/SAML can be used with the Explicit and IPsec access methods.

Troubleshooting

1. Firewall
1.1. Is there an active Internet connection?
1.2. telnet to proxy.threatpulse.com 443
1.3. ping proxy.threatpulse.com (if ping is enabled)

2. Portal Side Configuration for Auth Connector or SAML
2.1. Log into portal.threatpulse.com
2.1.1. Click on Service
2.1.2. Click on Authentication
2.1.3. Click Auth Connector
2.1.4. Is Auth Connector Status green?

3. If using SAML
3.1. Follow the previous steps 2.1 through 2.1.2
3.2. Click SAML
3.2.1. Under Endpoint URL, the address should look as follows: http://192.168.1.1/bcca/saml/idp (the internal non-routed IP of the server with Active Directory)
3.2.2. Does the cert defined in Signing Certificate Chains match the cert on the Active Directory server?
3.2.3. Is Auth Connector Status green?

4. Server Side Configuration
4.1. Services
4.1.1. Click on Start, All Programs, Administrative Tools, Services
4.1.1.1. Click on Blue Coat Auth Connector
4.1.1.2. Are the Blue Coat Auth services running (Status: Started)?
4.1.1.3. If not, click Start or Restart (to start or restart the services)
4.2. Event Logs
4.2.1. Click on Start, All Programs, Administrative Tools, Event Viewer
4.2.2. Click on Windows Logs, Application
4.2.3. Click Refresh and view the top BCCA log
4.2.3.1. Does it show connected to the user ID?
4.2.3.2. If it does not show connected, why does it show that it fails? (What is the error?)
4.3. Is Active Directory working correctly?
4.4. Is the internal IP address of the server directly reachable by the client machine? (if using SAML)
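The SAML-specific items in this section (endpoint URL built from the server's internal IP, the portal's signing certificate matching the server's, the IdP listening on 8443 and reachable from the client subnet) can be checked mechanically before anyone opens Event Viewer. The script below is an added example, not code from the guide or from Blue Coat/AT&T; the endpoint path and the 8443 port come from the guide, while the function name, its parameters and the sample certificate bytes are constructed for this example. It compares certificates by SHA-256 fingerprint of the DER bytes, which is the usual way to confirm that the chain pasted into the portal is the same certificate installed on the Active Directory server.

```python
# Added example, not part of the AT&T / Blue Coat guide: checks the
# SAML prerequisites from the Auth Connector / SAML section. The endpoint
# path and IdP port are the guide's; everything else here is constructed.
import hashlib
import ipaddress
from typing import Iterable, List
from urllib.parse import urlparse

IDP_PATH = "/bcca/saml/idp"   # path in the guide's example endpoint URL
IDP_PORT = 8443               # guide: IdP listens on 8443


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def lint_saml(endpoint_url: str, portal_cert: bytes, server_cert: bytes,
              server_listen_ports: Iterable[int],
              client_can_reach_server: bool) -> List[str]:
    """Return one finding per failed prerequisite; empty means all pass.
    portal_cert is the DER of the Signing Certificate Chains entry in the
    portal, server_cert the DER installed on the Active Directory server."""
    f: List[str] = []
    u = urlparse(endpoint_url)
    if u.scheme not in ("http", "https") or not u.hostname:
        f.append(f"endpoint URL {endpoint_url!r} is not a valid http(s) URL")
    else:
        try:
            ip = ipaddress.ip_address(u.hostname)
        except ValueError:
            f.append("endpoint host is not an IP address; the guide expects the server's internal IP")
        else:
            if not ip.is_private:
                f.append(f"endpoint IP {ip} is not an internal (non-routed) address")
        if u.path != IDP_PATH:
            f.append(f"endpoint path should be {IDP_PATH}, got {u.path!r}")
    if cert_fingerprint(portal_cert) != cert_fingerprint(server_cert):
        f.append("Signing Certificate Chains entry in the portal does not match the server certificate")
    if IDP_PORT not in set(server_listen_ports):
        f.append(f"IdP is not listening on {IDP_PORT}")
    if not client_can_reach_server:
        f.append("server's internal IP is not reachable from the client machine")
    return f


# Constructed sample input: placeholder bytes standing in for a DER certificate.
SAMPLE_CERT = b"\x30\x82\x01\x00example-placeholder-der"

if __name__ == "__main__":
    findings = lint_saml("http://192.168.1.1/bcca/saml/idp", SAMPLE_CERT, SAMPLE_CERT,
                         [8443], True)
    for line in findings or ["all SAML prerequisites pass"]:
        print(line)
```

In practice you would load `portal_cert` from the PEM exported from the portal and `server_cert` from the certificate store on the AD server (converted to DER), and set `client_can_reach_server` from a connection test to the internal IP on 8443 run from a machine in the captive-portal subnet.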

6.1 Auth Connector / SAML Flow Diagram (figure not reproduced in this transcription)