Walkthrough Wednesdays

Troubleshooting TMS with proxies

Tery Le Febvere
Cisco Employee

When a client configured for an explicit forward proxy needs to access an HTTP/HTTPS site, it first sends an HTTP CONNECT request to the configured HTTP proxy. This CONNECT request tells the proxy that TMS is asking permission to connect directly to the HTTP/HTTPS server, endpoint, etc.

Below is a description of this process.

ip.addr==   TMS
ip.addr==   Proxy
ip.addr==  Endpoint
1. TCP Handshake between TMS and the Proxy

2. TMS sends the Proxy an HTTP CONNECT request.

3. The Proxy ACKs the CONNECT request.

4. The proxy creates a TCP socket for the destination GET HTTP/1.1\r\n on port 80

5. The Proxy denied the request because you are using a browser that is not supported by one of the Proxy policies. What does this mean? In this scenario the proxy scans for the UA (User-Agent) within the header, hence the request is being blocked by a policy or ACL of your proxy.

From the capture, the UA is not the browser's; it is TMS's. Look below:

User-Agent: TMS Http User Agent (compatible; MSIE 5.5; Windows NT 5.0)\r\n

Resulting in this (TCP/403)

The Proxy may be blocking anything that is not IE, e.g. Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0

This is one of the scenarios. There is another scenario where the proxy challenges TMS for authentication, resulting in the same 403 denial, since TMS/server does not know what to do with a 401/407 challenge response. Basically, TMS/server does not send the credentials, hence the Proxy blocks the request, and the result is the same: TMS reports "No http response" / "No SNMP response" after a (TCP/403) denial.


There are 2 ways of deploying proxies: 1) with an explicit connection (407 challenge) and 2) with a redirection (WCCP, 401 challenge), meaning no proxy setting is required in your browser. Basically this means the client does not know there is a proxy, versus pushing all traffic to the proxy via IE, Firefox, etc.

If I check the bypass proxy for local address, will it work on a transparent proxy?


How to know when TMS is being challenged for authentication by a proxy?

In Wireshark, filter on http.response.code==401 and you can see TMS is challenged for authentication with a 401, NOT a 407. But in this scenario it will not matter, because your proxy on that network is using some kind of redirection like WCCP (Web Cache Communication Protocol), hence it will deny access.

When requests are being redirected to the Proxy transparently, the Proxy must pretend to be the destination, since the client is unaware of the existence of a proxy. On the contrary, if a request is explicitly sent to the Proxy, the Proxy will respond with its own IP information.

There are a few differences between explicit and transparent client HTTP requests:

1. An explicit request has a destination IP address of the configured proxy. A transparent request has a destination IP address of the intended web server (DNS resolved by the client).

2. The URI for a transparent request does not contain the protocol with the host:
Transparent    GET / HTTP/1.1
Explicit       GET HTTP/1.1
Both will contain an HTTP Host header that specifies the DNS host.
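The two checks described above (does the request line carry an absolute URI or a CONNECT, and did the proxy answer with a 403, 401 or 407 to a request whose User-Agent is TMS rather than a browser) can be scripted against the text of a captured exchange. The following is an added example, not part of the original post and not Cisco or TMS code; the messages it parses are constructed samples, the hostname tms-endpoint.example is a placeholder, and the diagnosis labels are my own names for the cases the post describes.

```python
"""Triage a captured TMS-to-proxy HTTP exchange (added example, constructed input)."""
from __future__ import annotations

import re

# The User-Agent string the post shows TMS sending (copied from the capture text).
TMS_USER_AGENT = "TMS Http User Agent (compatible; MSIE 5.5; Windows NT 5.0)"

# Constructed sample messages; hostname is a placeholder, not a real endpoint.
CONNECT_REQUEST = (
    "CONNECT tms-endpoint.example:443 HTTP/1.1\r\n"
    "Host: tms-endpoint.example:443\r\n"
    f"User-Agent: {TMS_USER_AGENT}\r\n\r\n"
)
FORBIDDEN = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
PROXY_AUTH_REQUIRED = "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic\r\n\r\n"
UNAUTHORIZED = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n\r\n"


def parse_http_message(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP message into its start line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def request_form(start_line: str) -> str:
    """Classify a request line as 'explicit' (proxy-aware) or 'transparent'.

    An explicit client sends CONNECT host:port or an absolute URI (scheme://host/...),
    a transparent client sends the origin form (just the path) as if talking to the server.
    """
    method, target, _version = start_line.split(" ", 2)
    if method.upper() == "CONNECT":
        return "explicit"
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.IGNORECASE):
        return "explicit"
    return "transparent"


def diagnose(request_raw: str, responses_raw: list[str]) -> str:
    """Return a short label for why the proxy exchange failed (or 'allowed').

    The 401/407 cases are checked first because the post's point is that a challenge
    the client never answers ends in the same 403 as a policy block.
    """
    req_line, req_hdrs = parse_http_message(request_raw)
    statuses = [int(parse_http_message(r)[0].split(" ", 2)[1]) for r in responses_raw]
    ua = req_hdrs.get("user-agent", "")
    if 407 in statuses:
        return "proxy_auth_challenge_407"   # explicit proxy; TMS sends no credentials
    if 401 in statuses:
        return "auth_challenge_401"         # transparent/WCCP path; same outcome
    if 403 in statuses:
        if ua.startswith("TMS "):
            return "ua_policy_block_403"    # UA is TMS, not a browser the policy allows
        return "policy_or_acl_block_403"
    if any(200 <= s < 300 for s in statuses):
        return "allowed"
    return "other"


def summarize(request_raw: str, responses_raw: list[str]) -> str:
    """One-line summary combining request form and diagnosis."""
    form = request_form(parse_http_message(request_raw)[0])
    return f"{form} request -> {diagnose(request_raw, responses_raw)}"


if __name__ == "__main__":
    print(summarize(CONNECT_REQUEST, [FORBIDDEN]))
    print(summarize(CONNECT_REQUEST, [PROXY_AUTH_REQUIRED, FORBIDDEN]))
    print(summarize("GET / HTTP/1.1\r\nHost: tms-endpoint.example\r\n\r\n", [UNAUTHORIZED]))
```

Reading the output: an explicit CONNECT ending in a bare 403 with a TMS User-Agent points at a UA policy, a 407 before the 403 means the proxy wanted credentials TMS never supplies, and a 401 on an origin-form GET is the transparent (WCCP) variant; each maps to one of the fixes listed at the end of the post.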


To fix this issue, I recommend one of the following options:

1. Create a policy on your proxy that allows any access to the inside network.
2. Create a policy that allows all traffic for TMS.
3. Create an ACL in your router or ASA that allows any incoming or outgoing traffic from host
