Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 9 replies
  • Subscribers 27 subscribers
  • Views 1309 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG 18.04 Proxy and Internet sessions sloooooow with Web policy and Intercept X

Fred_B

I did not get the issue solved that random categories are blocked. I have unchecked matched users now and that solves the login SSO, STAS, recheck timeout login screen and also the random blocking of random categories. 

I tested with Web Policy Allow all and Default Workplace Policy and this works as expected. No more random blocking of categories. HTTP(S) scanning is still disabled. 

Problem is that this is not workable either with Web Policy Default Workplace Policy. Sometimes it works as expected and it will retreive pages quickly or present a correct category block page. But then it starts taking ages to establish a secure connection and eventually the attempt to retrieve the page will time out. Reloading can give the same result. Closing Chrome and retrying works at first but eventually it starts to slow again and time out.

We are also using Intercept X with category blocking as users are not always working in the office. Intercept X and XG are not aware of eachother. Intercept X should also be a XG Firewall client for SSO, STAS, authentication, logging, etcetera when connected via the LAN behind the XG. But this is currently not the case. 

To make it workable I need to disable the web policy and Allow All. 

 



This thread was automatically locked due to age.

Top Replies

  • in reply to emmosophos +1 verified

    I believe I may have found the cause.

    There was a WMI performance issue on the AD DC due to a large security event log size. I backuped the event log, reduced the event log size and cleared the event log to start fresh this morning. Sofar there has not been any random blocking of categories.

    So it seems the XG does not handle a STAS / WMI time out very well. In such cases with Proxy server, matched users enabled and:
    - “Use web authentication for unknown user” enabled it should present the user portal immediately and not a blocked category message;
    - “Use web authentication for unknown user” disabled it should present a general (error) message that internet access is blocked and not a blocked category message.

    I have enabled now http(s) scanning and decrypting and I am tested that now.

    Regards,

    Fred

    Jump to answer
Parents Reply Children