cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2075
Views
0
Helpful
4
Replies

Strategy for dealing with crl.verisign.com?

jeremyarcher
Beginner
Beginner

We have several systems on our network that utilize a hosted service to check gift card balances, etc.  These devices normally use a custom TCP port to access the hosted server w/o issue.

However, occasionally these devices attempt to verify the hosted provider's server's certificate and hit TCP 80 (which we redirect to our Ironport) by sending a request to Verisign's CRL servers.  This causes the Ironport to force an authentication requirement and causes the devices to fail.

Has anyone come up with a strat to deal with this?  There are too many addresses within Verisign's CRL server list to add manually (and querying the A records isn't possible).

I've tried manually bypassing auth for the following but it still fails 1/2 the time (until the terminal attempts to connect to one of the allowed systems).

verisign.com, verisign.com, .verisign.net, verisign.net, 199.7.80.0/24, 199.7.78.0/23, 199.7.48.0/20, 199.7.71.0/24, 199.7.72.0/22, 199.7.76.0/24, 199.16.80.0/20

Any ideas of a better way to approach this?

4 Replies 4

jeremyarcher
Beginner
Beginner

For now, I've created the following custom URL catagory based off the ARIN list of ALL Verisign addresses.

I'll report back if it helps resolve the issue.

199.16.80.0/20,   199.7.48.0/20,   192.55.83.0/24,   192.58.128.0/24,   192.26.92.0/24,   192.31.80.0/24,   192.42.93.0/24,   192.43.172.0/24,   192.5.6.0/24,   192.35.51.0/24,   192.33.14.0/24,   192.54.112.0/24,   192.41.162.0/24,   192.52.178.0/24,   192.12.94.0/24,   192.48.79.0/24

Working on something similar and came across this list from Symantec -

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO11288&actp=search&viewlocale=en_US

Hope this help. Can you confirm the only traffic seen outbound from a client was across TCP 80 (http)?

 

 

Thanks!  How did this work out for you?  We're still struggling with the issue occasionally.

 

Unfortunately, I've noticed the link is no longer working properly.

 

Ken Stieers
VIP Advisor VIP Advisor
VIP Advisor

Figure out what the user agent is for the app, and turn off auth for it instead of tracking down the ips on either end of the conversation...

Sent from Cisco Technical Support iPad App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers