Client ignores redirect of HTTPS connections to Identity Awareness Captive Portal
Symptoms
  • Client ignores redirect of HTTPS connections to Identity Awareness Captive Portal:

    1. Security Gateway is configured as Non-Transparent Proxy.
    2. HTTPS connection is initiated by the client and is intercepted by Captive Portal redirect.
    3. Traffic capture on Security Gateway and on the client shows that Security Gateway sends HTTP "307 Temporary Redirect" code, client receives it, but does not act on it (client does not open a new connection to handle the redirect).
    4. As a result, client browser cannot display the page.
  • HTTP connections through Security Gateway in Non-Transparent Proxy mode work correctly.

  • If Security Gateway is configured in Transparent Proxy mode, then HTTPS connections work correctly.

Cause

This is a browser limitation that exists in most major browsers: the browser ignores the HTTP "307 Temporary Redirect" code because the initial connection is HTTPS (this behavior is due to a vulnerability that was discovered in the past).

More details can be found, for example, in http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf (Chapter III, B. Redirecting Script Requests to Malicious HTTPS Websites).
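
A triage sketch for the traffic capture described under Symptoms, added here as an example and not part of the original article or of any Check Point tool. It assumes that in Non-Transparent Proxy mode the browser opens an HTTPS connection by sending an HTTP CONNECT request to the gateway, and it labels each request/response pair by whether the browser can act on the redirect; the host names, sample messages and label strings are constructed for illustration.

```python
# Constructed request/response heads (not a real capture). Assumption: in
# Non-Transparent Proxy mode the browser opens HTTPS with an HTTP CONNECT.
REDIRECT = (b"HTTP/1.1 307 Temporary Redirect\r\n"
            b"Location: https://portal.example.com/connect\r\n\r\n")
SAMPLE_EXCHANGES = [
    (b"CONNECT intranet.example.com:443 HTTP/1.1\r\n"
     b"Host: intranet.example.com:443\r\n\r\n", REDIRECT),
    (b"GET http://intranet.example.com/ HTTP/1.1\r\n"
     b"Host: intranet.example.com\r\n\r\n", REDIRECT),
    (b"CONNECT intranet.example.com:443 HTTP/1.1\r\n\r\n",
     b"HTTP/1.1 200 Connection established\r\n\r\n"),
]


def parse_head(raw):
    """Split one HTTP message head into (start-line tokens, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    tokens = lines[0].split(" ", 2)
    tokens += [""] * (3 - len(tokens))  # tolerate a missing reason phrase
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return tokens, headers


def classify(request, response):
    """Label one proxy exchange by how a browser can act on the response."""
    (method, _target, _), _ = parse_head(request)
    (_, status, _), resp_headers = parse_head(response)
    is_redirect = status.startswith("3") and "location" in resp_headers
    if method.upper() == "CONNECT":
        if status.startswith("2"):
            return "tunnel-established"
        # Redirect answered to the tunnel request itself: the symptom case.
        return "redirect-on-connect" if is_redirect else "connect-refused"
    return "redirect-followable" if is_redirect else "other"


if __name__ == "__main__":
    for req, resp in SAMPLE_EXCHANGES:
        print(parse_head(req)[0][:2], "->", classify(req, resp))
```

An exchange labelled `redirect-on-connect` corresponds to symptom 3: the redirect reaches the client but no new connection follows it.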

