Can't access site only on VPN
Hi, people in my organisation need to visit a particular website for their job role. When we try to visit it using machines in the office on the corporate network, no problem. However, the same website over the VPN isn't loading.
Accessing the site over HTTP in Chrome:
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.website.com/dcssplash/login.aspx
The following error was encountered: Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.
Generated Tue, 19 Jan 2021 10:05:39 GMT by PROXY1-BusinessNet (squid/2.5.STABLE13-NT)
Using HTTPS in Chrome:
This site can't be reached
The webpage at https://www.website.com/dcssplash/login.aspx might be temporarily down or it may have moved permanently to a new web address.
ERR_TUNNEL_CONNECTION_FAILED
I'm not sure if logging is set up properly on our system, because whenever I try and view the logging or reporting from the WSM I get an error message saying the log server could not be contacted, despite it being pingable. But then our password manager says "We no longer have shell access to this server. Any config changes would be done by Watchguard support.".
Anyway, without being able to view the logs, does anyone have any idea how to tell which one of WatchGuard's many settings may be causing this issue?
Thanks a lot.
EDIT: I tried adding the SSLVPN-Users group into the from field of the default http-proxy. I added an exception to the WebBlocker being used, Pattern: .website.com/
I also added an exception in the body response code of the associated proxy action (I knew this wouldn't change anything, but I'm running out of things to try)
No changes have made any difference to VPN users trying to access this site.
Comments
re. logging - you can look at Traffic Monitor.
In WSM Firebox System Manager -> Traffic Monitor, one can select the Maximum Log Messages, which can be set to a max of 25,000
Is access to this site being done via a BOVPN from your firewall?
The HTTP access message "Access Denied." suggests that the access to this site needs to come from a specific subnet at your site.
Hi @RyanK
The firebox doesn't use squid, which is the open source proxy that generated that error message. Additionally, by default, traffic moving between sites on a BOVPN does so via a packet filter on the firebox.
I'd suggest asking if there is a squid server anywhere on the local or remote network that your traffic might be being sent thru.
-James Carson
WatchGuard Customer Support
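The reply above makes a concrete, checkable point: the "Generated ... by PROXY1-BusinessNet (squid/...)" footer is a Squid error page, so some Squid instance sat in the path of the VPN user's request and refused it, and the HTTPS failure (ERR_TUNNEL_CONNECTION_FAILED) is what a browser reports when a proxy refuses its CONNECT. The script below is an added example, not code from the original thread or from WatchGuard: it takes a raw HTTP reply (as captured with `curl -v` or a packet capture from the VPN client) and pulls out the evidence that an intermediate proxy, rather than the origin server, produced it. The sample replies are constructed from the error text quoted in the post; the header values (Server, Via, X-Squid-Error) are assumptions about what that proxy would send, not something the post shows.

```python
import re

# Constructed sample: an HTTP reply shaped like the Squid "Access Denied" page
# quoted in the original post. Header values are assumed for illustration.
SAMPLE_HTTP_REPLY = (
    "HTTP/1.0 403 Forbidden\r\n"
    "Server: squid/2.5.STABLE13-NT\r\n"
    "Date: Tue, 19 Jan 2021 10:05:39 GMT\r\n"
    "Content-Type: text/html\r\n"
    "X-Squid-Error: ERR_ACCESS_DENIED 0\r\n"
    "Via: 1.0 PROXY1-BusinessNet:3128 (squid/2.5.STABLE13-NT)\r\n"
    "\r\n"
    "<html><body><h1>ERROR</h1><h2>The requested URL could not be retrieved</h2>"
    "<p>While trying to retrieve the URL: http://www.website.com/dcssplash/login.aspx</p>"
    "<p>The following error was encountered: Access Denied.</p>"
    "<hr>Generated Tue, 19 Jan 2021 10:05:39 GMT by PROXY1-BusinessNet "
    "(squid/2.5.STABLE13-NT)</body></html>"
)

# Constructed sample: what a proxy answers to "CONNECT www.website.com:443"
# when its ACLs refuse the tunnel (assumed, for the HTTPS case in the post).
SAMPLE_CONNECT_REPLY = "HTTP/1.0 403 Forbidden\r\nServer: squid/2.5.STABLE13-NT\r\n\r\n"

# Squid's error-page footer: "Generated <date> by <host> (<software>)"
FOOTER_RE = re.compile(r"Generated (?P<when>.+?) by (?P<host>\S+) \((?P<software>[^)]+)\)")


def parse_http_reply(raw):
    """Split a raw reply into (status code or None, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in header_block.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def identify_proxy(raw):
    """Decide whether an intermediate proxy generated this reply and name it.

    Evidence collected: a Squid Server header, a Via header (first hop's host),
    an X-Squid-Error header, and the "Generated ... by HOST (squid/...)" footer.
    """
    status, headers, body = parse_http_reply(raw)
    result = {"status": status, "proxy_generated": False, "proxy_host": None,
              "proxy_software": None, "squid_error": None, "evidence": []}

    server = headers.get("server", "")
    if server.lower().startswith("squid"):
        result["proxy_software"] = server
        result["evidence"].append("Server: " + server)

    via = headers.get("via")
    if via:
        result["evidence"].append("Via: " + via)
        # Via is "protocol-version host[:port] (comment)"; keep the host only.
        m = re.search(r"^\S+\s+([^\s:(]+)", via)
        if m:
            result["proxy_host"] = m.group(1)

    squid_error = headers.get("x-squid-error")
    if squid_error:
        result["squid_error"] = squid_error.split()[0]
        result["evidence"].append("X-Squid-Error: " + squid_error)

    m = FOOTER_RE.search(body)
    if m:
        result["proxy_host"] = result["proxy_host"] or m.group("host")
        result["proxy_software"] = result["proxy_software"] or m.group("software")
        result["evidence"].append("footer: " + m.group(0))

    result["proxy_generated"] = bool(result["evidence"])
    return result


def explain_connect_reply(raw):
    """Interpret the proxy's answer to a CONNECT (the HTTPS path through a proxy)."""
    status, _, _ = parse_http_reply(raw)
    if status is not None and 200 <= status < 300:
        return "tunnel established; TLS now runs end to end through the proxy"
    if status == 407:
        return "proxy wants authentication (407) before it will open the tunnel"
    return ("proxy refused CONNECT with status %s; Chrome reports this as "
            "ERR_TUNNEL_CONNECTION_FAILED" % status)


if __name__ == "__main__":
    for key, value in identify_proxy(SAMPLE_HTTP_REPLY).items():
        print("%-16s %s" % (key, value))
    print(explain_connect_reply(SAMPLE_CONNECT_REPLY))
```

If `proxy_generated` comes back true for a request made over the VPN but false for the same request from an office desktop, the two paths differ in what proxy they traverse (an explicit proxy pushed by PAC or WPAD, or a transparent one on the far side of the tunnel), and that proxy's ACLs, not a Firebox policy, are the thing to look at.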
Hi Bruce, thanks for your reply, sorry for the delay. I have checked the Traffic Monitor on the Firebox System Manager. I pinged the destination web address and put the ip address into the traffic monitor filter, but nothing came up. I put my own machine's IP address into the filter, nothing showing either.
I successfully got to the site from my machine in the office, but again, nothing appearing in the traffic monitor.
I went through the http proxy actions that the http proxy policy is using, and enabled logging everywhere I could find it.
I've had problems in the past and you've suggested traffic monitoring, but perhaps we have a problem with the setup, as I can never find anything useful in there, whether it's for exe files that are being mysteriously blocked or in this instance.
@James_Carson - Hi James, thanks for your reply, I will have a look into this and get back to you! That would certainly explain why I can't see anything in the traffic monitor!
The default for policies is to only log denies, proxy strips etc.
To see packets allowed by a policy in Traffic Monitor, you need to enable Logging on it.