KB Article | Forcepoint Support

Problem Description

I am unable to load a site and/or the site is loading slowly when going through Content Gateway. What steps can I take to resolve this issue?

Resolution

There are a number of variables that can cause sites to load slowly or not load at all. Use the following steps to narrow the variables or find the root cause. Remember to test the site in question after every step.

If a few non-specific websites cannot be accessed, then check for DNS issues. End users may be receiving the following browser error: "Unknown host".   

If using Transparent Proxy (WCCP):

  1. Test the site in question by using explicit proxy. If explicit proxy works, then check the WCCP and WCG configurations.
    • In Internet Explorer, go to Tools > Internet Options > Connections tab > LAN settings > Proxy Server to enable it.
    • Use the P1 interface IP for V-Series or the IP address of the Content Gateway.
    • Use port 8080.
  2. Disable caching, if enabled in Content Gateway Manager.
    • Go to Configure > Protocols > HTTP > Cacheability > HTTP Caching.
  3. Tunnel the site (by cert or URL) if using HTTPS redirection and the site is using HTTPS.
    • In the Content Gateway Manager, go to Configure > SSL > Incidents > Add Website tab.
    • After adding the website, you should see it listed under the 'Incident List' tab.
    • For more information on Tunneling for Specific Sites click here.
  4. Add the site as a Static Bypass in the Content Gateway Manager.
    • Go to Configure > Networking > ARM > Static Bypass tab.
    • Enter the source IP address and destination IP address.
    • Click the Add and Apply buttons.
  5. If using a V-Series appliance, verify the WCCP access list (ACL) has deny parameters for the C and P interfaces to prevent network traffic loops. Example:

        ip access-list Redirect_List extended
        deny ip host 192.168.1.1 any
        deny ip host 192.168.1.2 any

  6. Create an ACL (Cisco Command Line) to exclude the workstation IP from WCCP to test the site in question.
  7. If the site is an SSL site, disable HTTPS and test to see if the site still loads.
  8. Check for any DNS issues.
    • V-Series Appliances or OVA, versions 8.3-8.5+:
      1. SSH to the C interface of the appliance.
      2. Log in with the admin password.
      3. Type diag
        • Type wget --module proxy --url <url-having-problems>
    • V-Series Appliances only, versions 7.5-8.2:
      1. Open the Appliance Manager.
      2. Navigate to Administration > Toolbox.
      3. Click Launch Utility.
      4. Select Module: Websense Content Gateway.
      5. Select Command: wget.
      6. Type URL: <url-having-problems>
      7. Click Run.
    • You can also determine other DNS issues by eliminating the use of internal DNS servers. On the workstation you are testing with, change the internal DNS servers to use OpenDNS. OpenDNS IPs obtained from http://www.opendns.com:

        208.67.222.222
        208.67.220.220

  9. Verify Log Errors Only is selected in Content Gateway Manager. Go to Configure > Subsystems > Logging > General tab > Logging > Log Errors Only.
  10. In the Forcepoint Security Manager, test by disabling Content Categorization, Security Scanning and Advanced File scanning. Go to Settings > Scanning > Scanning Options.
  11. If the issue is related to a specific application or applet not loading, for example a banking site application, then verify that the issue is not Java related.

 

If using Explicit Proxy:

  1. Disable proxy caching. Go to Configure > Protocols > HTTP > Cacheability > HTTP Caching.
  2. Tunnel the site (by cert or URL) if using HTTPS redirection and the site is using HTTPS.
    • Navigate to Configure > SSL > Incidents > Add Website.
    • After adding the website, ensure it is listed under the 'Incident List' tab.
  3. Implement a proxy.pac file and create exceptions for the site in question within the file. Add the following lines to the file to enable bypassing based on certain criteria. The IP address and mask can be used to specify an IP range.

        if ( isInNet ( host, "<IP ADDRESS>", "<MASK>" ) ) {return "DIRECT";}
        if ( shExpMatch (url, "*.example.com/*" ) ) {return "DIRECT";}

  4. In Forcepoint Security Manager, test by disabling Content Categorization, Security Scanning and Advanced File scanning. Go to Settings > Scanning > Scanning Options.
    • If you are able to access the site, consider adding it to the Never Scan box under the Exceptions tab and re-enabling the scanning.
  5. If the issue is related to a specific application or applet not loading, for example a banking site application, then verify that the issue is not Java related.
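The proxy.pac exceptions from the explicit proxy steps above can be checked before deployment. The following is an added example, not Forcepoint's code: it runs the article's URL-wide pattern beside a host-scoped variant to show how widely each one bypasses the proxy. The proxy address 192.0.2.10, the range 10.20.30.0/24, the sample URLs, the helper shims and the function name findProxyUrlPattern are all assumptions made for the test.

```javascript
// Stand-ins for helpers the browser supplies to PAC scripts, so this runs
// under Node for testing. Remove them from the deployed proxy.pac.
function shExpMatch(str, pattern) {
  // Shell glob: '*' matches any run of characters, '?' exactly one.
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
}
function isInNet(host, net, mask) {
  // Simplified: IPv4 literals only (a browser would also resolve host names).
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) { return false; }
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

var PROXY = "PROXY 192.0.2.10:8080"; // placeholder Content Gateway IP, port 8080

// URL-wide pattern, as in the article's second line.
function findProxyUrlPattern(url, host) {
  if (shExpMatch(url, "*.example.com/*")) { return "DIRECT"; }
  return PROXY;
}

// Host-scoped variant: path and query text can no longer trigger a bypass.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isInNet(host, "10.20.30.0", "255.255.255.0")) { return "DIRECT"; } // constructed range
  if (host === "example.com" || shExpMatch(host, "*.example.com")) { return "DIRECT"; }
  return PROXY;
}

// Constructed sample requests: [url, host]
var SAMPLES = [
  ["http://www.example.com/login", "www.example.com"],
  ["http://unrelated.test/a.example.com/b", "unrelated.test"],
  ["http://10.20.30.40/app", "10.20.30.40"]
];
function compare() {
  return SAMPLES.map(function (s) {
    return { host: s[1], urlPattern: findProxyUrlPattern(s[0], s[1]),
             hostScoped: FindProxyForURL(s[0], s[1]) };
  });
}
console.log(compare());
```

Requests answered with DIRECT skip Content Gateway entirely, so keep each exception as narrow as the troubleshooting test requires.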

 
