Strategy for dealing with crl.verisign.com?

jeremyarcher
Level 1

We have several systems on our network that utilize a hosted service to check gift card balances, etc.  These devices normally use a custom TCP port to access the hosted server w/o issue.

However, occasionally these devices attempt to verify the hosted provider's server's certificate and hit TCP 80 (which we redirect to our Ironport) by sending a request to Verisign's CRL servers.  This causes the Ironport to force an authentication requirement and causes the devices to fail.

Has anyone come up with a strat to deal with this?  There are too many addresses within Verisign's CRL server list to add manually (and querying the A records isn't possible).

I've tried manually bypassing auth for the following but it still fails 1/2 the time (until the terminal attempts to connect to one of the allowed systems).

verisign.com, verisign.com, .verisign.net, verisign.net, 199.7.80.0/24, 199.7.78.0/23, 199.7.48.0/20, 199.7.71.0/24, 199.7.72.0/22, 199.7.76.0/24, 199.16.80.0/20

Any ideas of a better way to approach this?

4 Replies

jeremyarcher
Level 1

For now, I've created the following custom URL category based on the ARIN list of ALL Verisign addresses.

I'll report back if it helps resolve the issue.

199.16.80.0/20, 199.7.48.0/20, 192.55.83.0/24, 192.58.128.0/24, 192.26.92.0/24, 192.31.80.0/24, 192.42.93.0/24, 192.43.172.0/24, 192.5.6.0/24, 192.35.51.0/24, 192.33.14.0/24, 192.54.112.0/24, 192.41.162.0/24, 192.52.178.0/24, 192.12.94.0/24, 192.48.79.0/24

Working on something similar and came across this list from Symantec -

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO11288&actp=search&viewlocale=en_US

Hope this helps. Can you confirm the only traffic seen outbound from a client was across TCP 80 (HTTP)?

Thanks!  How did this work out for you?  We're still struggling with the issue occasionally.

Unfortunately, I've noticed the link is no longer working properly.

Figure out what the user agent is for the app, and turn off auth for it instead of tracking down the IPs on either end of the conversation...

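Following the last reply's suggestion, here is an added example (not from the thread or from Cisco) that scans proxy access log lines for CRL fetches and groups them by User-Agent, so the terminals' agent string can be identified for an authentication-exemption policy instead of maintaining CRL server IP lists. The log layout, client addresses, agent string and CRL paths are all constructed for the example; only crl.verisign.com comes from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access log in a generic squid-style layout:
# <timestamp> <client ip> <result/status> <method> <url> "<user agent>".
# Not a real WSA log excerpt; the layout is an assumption for this example.
SAMPLE_LOG = """\
1700000001.123 10.1.20.15 TCP_DENIED/407 GET http://crl.verisign.com/sample-root.crl "GiftCardTerm/2.1"
1700000002.456 10.1.20.15 TCP_DENIED/407 GET http://crl.example-ca.test/intermediate.crl "GiftCardTerm/2.1"
1700000003.789 10.1.30.7 TCP_MISS/200 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0)"
1700000004.012 10.1.20.16 TCP_DENIED/407 GET http://crl.verisign.com/sample-root.crl "GiftCardTerm/2.1"
1700000005.345 10.1.30.8 TCP_MISS/200 GET http://www.example.org/robots.txt "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def is_crl_fetch(url):
    """True if the URL looks like a CRL download: a .crl path or a crl.* host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.path.lower().endswith(".crl") or host.startswith("crl.")


def crl_requests_by_user_agent(log_text):
    """Group CRL fetches by User-Agent, recording the client IPs, the CRL hosts
    contacted and how many requests got a proxy authentication challenge (407)."""
    summary = defaultdict(lambda: {"clients": set(), "hosts": set(), "auth_challenges": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        _ts, client, result, _method, url, agent = m.groups()
        if not is_crl_fetch(url):
            continue
        entry = summary[agent]
        entry["clients"].add(client)
        entry["hosts"].add(urlsplit(url).hostname.lower())
        if result.endswith("/407"):
            entry["auth_challenges"] += 1
    # Sorted lists make the result stable and easy to review or diff.
    return {ua: {"clients": sorted(v["clients"]), "hosts": sorted(v["hosts"]),
                 "auth_challenges": v["auth_challenges"]} for ua, v in summary.items()}


if __name__ == "__main__":
    for agent, info in crl_requests_by_user_agent(SAMPLE_LOG).items():
        print(f"{agent!r}: {len(info['clients'])} clients, hosts={info['hosts']}, "
              f"407s={info['auth_challenges']}")
```

Any agent that appears only on CRL fetches and only with 407 results is a candidate for a user-agent based authentication exemption, which can then be verified against the real WSA access log.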