Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2632
Views
0
Helpful
4
Replies

Strategy for dealing with crl.verisign.com?

jeremyarcher
Level 1
Level 1

‎02-17-2014 08:35 PM

We have several systems on our network that utilize a hosted service to check gift card balances, etc.  These devices normally use a custom TCP port to access the hosted server w/o issue.

However, occasionally these devices attempt to verify the hosted provider's server's certificate and hit TCP 80 (which we redirect to our Ironport) by sending a request to Verisign's CRL servers.  This causes the Ironport to force an authentication requirement and causes the devices to fail.

Has anyone come up with a strat to deal with this?  There are too many addresses within Verisign's CRL server list to add manually (and querying the A records isn't possible).

I've tried manually bypassing auth for the following but it still fails 1/2 the time (until the terminal attempts to connect to one of the allowed systems).

verisign.com, verisign.com, .verisign.net, verisign.net, 199.7.80.0/24, 199.7.78.0/23, 199.7.48.0/20, 199.7.71.0/24, 199.7.72.0/22, 199.7.76.0/24, 199.16.80.0/20

Any ideas of a better way to approach this?

Labels:
0 Helpful
4 Replies 4

jeremyarcher
Level 1
Level 1

‎02-17-2014 08:47 PM

For now, I've created the following custom URL catagory based off the ARIN list of ALL Verisign addresses.

I'll report back if it helps resolve the issue.

199.16.80.0/20,   199.7.48.0/20,   192.55.83.0/24,   192.58.128.0/24,   192.26.92.0/24,   192.31.80.0/24,   192.42.93.0/24,   192.43.172.0/24,   192.5.6.0/24,   192.35.51.0/24,   192.33.14.0/24,   192.54.112.0/24,   192.41.162.0/24,   192.52.178.0/24,   192.12.94.0/24,   192.48.79.0/24

0 Helpful

NOEL MELTON
Level 1
Level 1
In response to jeremyarcher

‎04-09-2014 08:35 AM

Working on something similar and came across this list from Symantec -

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO11288&actp=search&viewlocale=en_US

Hope this help. Can you confirm the only traffic seen outbound from a client was across TCP 80 (http)?

 

 

0 Helpful

jeremyarcher
Level 1
Level 1
In response to NOEL MELTON

‎10-06-2014 08:33 AM

Thanks!  How did this work out for you?  We're still struggling with the issue occasionally.

 

Unfortunately, I've noticed the link is no longer working properly.

 

0 Helpful

Ken Stieers
VIP
VIP

‎02-17-2014 09:27 PM

Figure out what the user agent is for the app, and turn off auth for it instead of tracking down the ips on either end of the conversation...

Sent from Cisco Technical Support iPad App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents