Community Forum

Resolved
0 votes
Guys

We are running ClearOS 7.3 Business Edition in gateway mode. The proxy is set to non-transparent. We are not able to connect to a third-party endpoint which is accessible via HTTPS through port 443. Here is what we have tried so far:
  • Added the server name to the web proxy bypass section and added the same to the client machine's local proxy exception list (in Internet settings).
  • Added the server name to the Content Filter engine's Gray Sites list first, and then, when it didn't help, to the Exception sites list.

The error we get when trying to reach the endpoint via browser is:

    server DNS address could not be found.
    Try running Windows Network Diagnostics.
    DNS_PROBE_FINISHED_NXDOMAIN

If we connect from another device that does not go through the clear OS gateway, the endpoint can be accessed just fine.

Any suggestions that we can try here? Is there any additional configuration where we can/should specify the specific port number 443?

Looking forward to your suggestions
Tuesday, July 11 2017, 12:25 AM
Responses (7)
  • Accepted Answer

    Thursday, July 13 2017, 12:01 PM - #Permalink
    Resolved
    0 votes
    Your dumps confirm all you've described and they look OK.

    The problem I have is that my googling always comes back to a DNS issue on the PC. Have you done anything in your firewall to restrict DNS lookups to udp:53, i.e. blocking tcp:53? If so, please allow tcp:53. Another thing you can do is, in your Windows box, override the DNS server from using your ClearOS box to OpenVPN directly and then check if it works. Also, have you tried another browser?
  • Accepted Answer

    Thursday, July 13 2017, 08:50 AM - #Permalink
    Resolved
    0 votes
    Praveen Kumar wrote:

        The filter and proxy report from the COS console is not very helpful, we see a bunch of "function item() { [native code] }" there.

    Discard my comment above, guys. This was only an issue with IE. On Chrome, we are able to see the proper report.
  • Accepted Answer

    Thursday, July 13 2017, 06:49 AM - #Permalink
    Resolved
    0 votes
    Guys

    Thanks for your responses... Answers to the queries as below..

    From a Windows client machine's ipconfig /all output, 192.168.0.1 is listed under DNS Servers. This is the server running the COS as gateway.

    We have Multi WAN (two internet connections). However, for each WAN interface we have unchecked the "Automatic DNS Servers" checkbox, and we have specified OpenDNS servers for domain lookups under IP Settings | DNS. So /etc/resolv-peerdns.conf looks like:

    # Generated by NetworkManager
    search lan.gateway
    nameserver 208.67.220.220
    nameserver 208.67.222.222

    Content of /etc/dnsmasq.d/dhcp.conf

    dhcp-option=enp2s0,1,255.255.255.0
    dhcp-option=enp2s0,28,192.168.0.255
    dhcp-option=enp2s0,3,192.168.0.1
    dhcp-option=enp2s0,6,192.168.0.1
    dhcp-range=enp2s0,192.168.0.100,192.168.0.254,12h
    read-ethers


    6th of July was when we first tried to set up access to this endpoint. Though we have tried and rolled back different options since then, the one change that has remained is the addition of the server URL to the proxy server bypass list. Today we ran out of our bandwidth limit as per our ISP's plan, and while checking we found that since the 6th of July there has been heavy bandwidth consumption (to the tune of 50-135 GB per day). This sure seems like some unwanted access. I have reverted that proxy exception, but am wondering why adding a proxy exception could lead to that. We have switched to the alternate ISP now and are monitoring the usage. The filter and proxy report from the COS console is not very helpful, we see a bunch of "function item() { [native code] }" there.

    Looking forward to your thoughts...

    Sincerely
    Praveen
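The reply above pastes the gateway's dnsmasq DHCP configuration, and the earlier `ipconfig /all` observation shows clients receiving 192.168.0.1 as their DNS server. As an added example (not code from the thread or from ClearOS), the following parser decodes those `dhcp-option` lines so you can confirm, from the config file alone, which DNS server and router DHCP clients are being handed, and therefore whose resolver a client-side NXDOMAIN is really coming from. The option-code names are from RFC 2132; the sample input is the config quoted in the reply; the function and dictionary names are my own.

```python
"""Decode dnsmasq `dhcp-option` / `dhcp-range` lines from /etc/dnsmasq.d/dhcp.conf.

In the thread, option 6 (dns-server) points at the gateway itself, so every
client lookup is answered by dnsmasq on 192.168.0.1, which in turn forwards
to whatever /etc/resolv-peerdns.conf lists. A client-side NXDOMAIN therefore
reflects that forwarding chain, not the client's own settings.
"""

# Subset of DHCP option codes (RFC 2132) that appear in the thread's config.
DHCP_OPTION_NAMES = {
    1: "subnet-mask",
    3: "router",
    6: "dns-server",
    28: "broadcast-address",
}

# Constructed sample: the dhcp.conf content quoted in the reply above.
SAMPLE_DHCP_CONF = """\
dhcp-option=enp2s0,1,255.255.255.0
dhcp-option=enp2s0,28,192.168.0.255
dhcp-option=enp2s0,3,192.168.0.1
dhcp-option=enp2s0,6,192.168.0.1
dhcp-range=enp2s0,192.168.0.100,192.168.0.254,12h
read-ethers
"""


def parse_dnsmasq_dhcp(text):
    """Return {tag: {"options": {name: [values...]}, "range": (start, end, lease)}}.

    dnsmasq uses the interface name as the leading tag in these lines; option
    values may be comma-separated (e.g. several DNS servers for option 6).
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments and bare keywords such as read-ethers
        key, _, value = line.partition("=")
        fields = [f.strip() for f in value.split(",")]
        if key == "dhcp-option" and len(fields) >= 3 and fields[1].isdigit():
            tag, code, values = fields[0], int(fields[1]), fields[2:]
            name = DHCP_OPTION_NAMES.get(code, f"option-{code}")
            result.setdefault(tag, {"options": {}, "range": None})
            result[tag]["options"][name] = values
        elif key == "dhcp-range" and len(fields) >= 3:
            tag = fields[0]
            result.setdefault(tag, {"options": {}, "range": None})
            result[tag]["range"] = tuple(fields[1:])
    return result


def dns_servers_handed_out(conf, tag):
    """DNS servers (option 6) that DHCP clients on `tag` are told to use."""
    return conf.get(tag, {}).get("options", {}).get("dns-server", [])


def clients_resolve_via_gateway(conf, tag, gateway_ip):
    """True when clients are pointed at the gateway, so its upstream resolver decides."""
    return dns_servers_handed_out(conf, tag) == [gateway_ip]


if __name__ == "__main__":
    conf = parse_dnsmasq_dhcp(SAMPLE_DHCP_CONF)
    for tag, data in conf.items():
        print(tag, data["options"], data["range"])
    print("clients use the gateway for DNS:",
          clients_resolve_via_gateway(conf, "enp2s0", "192.168.0.1"))
```

Run against a real file with `parse_dnsmasq_dhcp(open("/etc/dnsmasq.d/dhcp.conf").read())`; when `clients_resolve_via_gateway` is true, the next place to look is the gateway's own nameserver list rather than the client.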
  • Accepted Answer

    Wednesday, July 12 2017, 05:57 PM - #Permalink
    Resolved
    0 votes
    Nick is right in bringing up MultiWAN. If your DNS service does not allow for queries from your other ISP's connection (and most don't) then you may need to use a neutral DNS provider like Google (8.8.8.8, 8.8.4.4) or Level3 (with their permission at 4.2.2.1 and 4.2.2.2).

    The problem with multiwan is that if you statically set your AD DNS to use your upstream ISP for DNS resolution or if you set ClearOS to do the same and your communication to that DNS goes over the competing ISP's connection then you will get blocked.
  • Accepted Answer

    Wednesday, July 12 2017, 05:07 PM - #Permalink
    Resolved
    0 votes
    Googling the error message suggests a DNS problem and not a proxy problem. Which DNS servers is your workstation configured to use? From a Windows command prompt do an "ipconfig /all". While you are there you may as well also do an "ipconfig /flushdns".

    In ClearOS, what are the contents of /etc/resolv-peerdns.conf and /etc/dnsmasq.d/dhcp.conf, and are you single or MultiWan?
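Three replies in this thread turn on what the resolver actually answered: Nick's reading of the error as a DNS rather than proxy problem, Dave's point that a multi-WAN setup can get queries rejected by an ISP resolver that will not serve the other ISP's address space, and the accepted answer's question about tcp:53 being blocked. As an added example (not code from the thread, from ClearOS, or from any of the posters), the block below builds a minimal DNS query, parses the reply header, and turns the response code into a diagnosis: NXDOMAIN (the resolver positively says the name does not exist, which is what the browser reported), REFUSED (the resolver rejected the query, the multi-WAN case), SERVFAIL, NODATA, or a truncated reply that forces a retry over TCP/53. The responses in the sample are constructed in the block itself so it runs offline; `query_resolver` sends the same query to a real resolver if you want to compare answers from two upstreams. The diagnosis wording and the function names are my own.

```python
"""Build a DNS query, parse the reply header and classify the outcome.

Distinguishing NXDOMAIN from REFUSED/SERVFAIL tells you whether the resolver
answered authoritatively that the name is missing (NXDOMAIN) or simply would
not serve you (REFUSED), which is the difference between a naming problem and
a resolver-policy or multi-WAN routing problem.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Standard recursive query (RD=1) with one question; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, a_records=(), truncated=False):
    """Constructed reply to `query`: QR=1, RD=1, RA=1, the given RCODE and A records."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode | (0x0200 if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    body = b""
    for ip in a_records:
        # Name as compression pointer to offset 12 (the question), TYPE A, class IN, TTL 300.
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + body


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
            "rcode": RCODE_NAMES.get(flags & 0x000F, f"RCODE{flags & 0xF}"),
            "qdcount": qd, "ancount": an}


def diagnose(query, response):
    """Map a reply to the question a troubleshooter would ask next."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        return "MISMATCH: transaction id differs from the query; ignore this reply"
    if not h["qr"]:
        return "MISMATCH: message is not a response"
    if h["tc"]:
        return "TRUNCATED: reply exceeded UDP size; the client retries over tcp:53, so that port must be allowed"
    if h["rcode"] == "NXDOMAIN":
        return "NXDOMAIN: resolver states the name does not exist; check the name, search suffix and the resolver's upstream"
    if h["rcode"] == "REFUSED":
        return "REFUSED: resolver rejected the query (policy or source-address restriction); compare with a neutral resolver"
    if h["rcode"] == "SERVFAIL":
        return "SERVFAIL: resolver could not complete the lookup (upstream unreachable or validation failure)"
    if h["rcode"] == "NOERROR" and h["ancount"] == 0:
        return "NODATA: name exists but has no record of the requested type"
    if h["rcode"] == "NOERROR":
        return f"OK: {h['ancount']} answer record(s)"
    return f"{h['rcode']}: unexpected response code"


def query_resolver(name, server, timeout=2.0):
    """Send the query to one specific resolver over UDP/53 and return the diagnosis."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return diagnose(q, data)


if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample name
    for label, resp in [("nxdomain", build_response(q, 3)),
                        ("refused", build_response(q, 5)),
                        ("answer", build_response(q, 0, ["192.0.2.1"])),
                        ("truncated", build_response(q, 0, truncated=True))]:
        print(f"{label:10s} {diagnose(q, resp)}")
```

To reproduce the thread's comparison, call `query_resolver(name, "192.168.0.1")` from a client and `query_resolver(name, "208.67.220.220")` from the gateway: the same name returning NXDOMAIN from one and OK from the other points at the forwarding chain; REFUSED from an ISP resolver points at the multi-WAN source-address problem.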
  • Accepted Answer

    Tuesday, July 11 2017, 11:08 PM - #Permalink
    Resolved
    0 votes
    Thanks for the response, Dave... Answer to your queries as follows..

    We are running the proxy with content filter, so we are using port 8080 in the browser's proxy configuration.
    The web service endpoint that we are having an issue with is a remote one.
    We have specified the endpoint server name in the bypass list of the ClearOS proxy server and also in the local browser proxy configuration.

    If we try to access the endpoint from a mobile device that is not behind the proxy, we get the output fine.

    We also tried to bypass the proxy on one of the machines in the network by adding

    iptables -t nat -I PREROUTING -s 192.168.0.158 -j ACCEPT

    to the firewall.d/local script.

    With that we are able to access the internet on that machine even after removing the local proxy configuration; however, this specific endpoint is still not accessible. We get the same DNS_PROBE_FINISHED_NXDOMAIN in the browser.

    And yes, other HTTPS sites just load fine. Is there any log file that we can look into for possible clues?

    Thanks in advance for your support..
  • Accepted Answer

    Tuesday, July 11 2017, 03:44 PM - #Permalink
    Resolved
    0 votes
    When using the proxy server in non-transparent mode, you need to connect to the proxy using one of the two following ports:

    With Content Filter enabled and running: 8080
    Without Content Filter, just proxy: 3128

    If the endpoint exists on your network and should not go through the proxy to resolve, then you should specify the exception in your browser's proxy configuration or PAC (Proxy AutoConfiguration) script. If the endpoint SHOULD go through the proxy but is not working, then there may be an object that does not work well being proxied.

    Do all other regular HTTPS sites work?