Troubleshoot HTTP Forwarder

This table lists resolutions to issues you may encounter.

Issue

Resolution

Security Connector indicates that the provided explicit proxy port is already in use.

Make sure the provided port is not used for a DNS Forwarder or a transparent proxy configuration.

HTTP Forwarder cannot establish a connection

  • Review your HTTP Forwarder configuration. For more information on setting up HTTP Forwarder, see [Configure HTTP Forwarder](doc:configure-http-forwarder#configure-http-forwarder).
  • Confirm that your clients do not require IPv6 traffic.
  • If you have separate deployments of Security Connector on separate machines and one connector is a transparent proxy, while the other connector is an explicit proxy, confirm that the ports for each proxy do not overlap.

Traffic cannot reach ETP Proxy

  • Review the DNS name server configuration. If you’ve entered a corporate resolver or DNS server, make sure the corporate resolver or server is forwarding traffic to ETP. Otherwise, provide the IP addresses of the ETP DNS servers. To view the IP addresses of your ETP DNS servers, see [View DNS server information](doc:dns-forwarding#view-dns-server-information).
  • In your policies, confirm that ETP Proxy is enabled. If you’ve configured a transparent policy, verify the origin ports.

Policy associated with a sub-location is not applied

Make sure that any middlexbox between the client and Security Connector do the following:

  • Preserve client IP address or uses a routing mechanism that preserves the client IP address.
  • Adds the X-Forwarder-For (XFF) Header.
Also, confirm that the **Trust XFF Header** setting is enabled in the policy.

Internal domains do not bypass ETP Proxy from HTTP Forwarder.

Complete a health status check to make sure that the CAS backend service is running. For more information, see Troubleshoot health status failures and View Security Connector health status.


Did this page help you?