Applies to all Barracuda Web Filter appliances on all versions of firmware and all Web Security Gateways, when installed in an inline configuration.
The Web Security Agent is designed to disable itself when the WSA service starts behind an upstream Barracuda Web Filter or Web Security Gateway. This functionality helps prevent routing issues or DNS incompatibilities that may occur inside the network when the WSA attempts to forward traffic to the service host. Upon startup, the service will initiate a service test to determine whether or not the workstation is behind an upstream proxy. There are several circumstances where the WSA will attempt a service test; these are outlined in Solution #00006110. The service test will initiate the following sequence of events:
- The WSA will perform a DNS name resolution against http://servicetest.flex.barracuda.com and send a web request to the resolving IP.
- An upstream Web Filter or WSG will capture the request and apply a VIA header to the request before transmitting to the remote server.
- The remote server will detect whether or not the request has an appended VIA header and respond back informing the WSA of the detection.
- If the remote server responds back with a positive header detection, the WSA will disable. Otherwise, the WSA will forward traffic to the service host as normal.
Any disruption during this process will prevent the WSA from disabling. Perform the following to determine the exact cause of the failure:
- From the Windows command line, run nslookup against servicetest.flex.barracuda.com to verify that resolution is working properly. If resolution fails, this indicates DNS issues preventing the test from initiating. Please contact Barracuda Support for DNS troubleshooting.
- From your Barracuda Web Filter or Web Security Gateway configuration, locate the VIA header setting. On the Web Filter, this is located under Advanced>Proxy. On the WSG, the VIA header is configured from Configuration>Gateway>[gateway name]>Proxy/Caching. Confirm that the VIA header is enabled.
- Enable debug mode on the WSA client by referring to Solution #00006112. Find the WSATraffic.log file within C:\Windows\Temp and verify that requests to servicetest.flex.barracuda.com appear in the debug log.
- Download Wireshark and run a packet capture from the workstation experiencing the issue. Perform TCP analysis to verify that the workstation is forwarding packets to servicetest.flex.barracuda.com, and confirm that return traffic is being received from the remote server. Check the data in the TCP segment for the VIA header information similar to “Via: webfilter.example.com (http_scan_byf/3.3.1)”.
- If the VIA header does not exist, this may indicate that the traffic is circumventing the Web Filter or Web Security Gateway. On the Web Filter, perform a tcpdump from the Advanced>Troubleshooting page to confirm that the Web Filter is seeing traffic from the workstation. The tcpdump feature is not available on the WSG. Please contact Barracuda Support to verify traffic.
- Confirm that there are no IP exemptions within the configuration that include the resolved IP for servicetest.flex.barracuda.com, or for the IP of the originating workstation. An IP exemption will prevent the VIA header from being appended to the request. On the Web Filter, IP exemptions are configured on Block/Accept>IP Block/Exempt. On the WSG, this configuration is found at Configuration>Gateway>[gateway name]>Policy.
- Please contact Barracuda Support for any assistance with this troubleshooting process.
Link to this page:https://campus.barracuda.com/solution/501600000013XjwAAE