Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

SSE Web Proxy Error Responses

  1. Last updated
  2. Save as PDF

Accessing websites through our SSE Cloud Service (Web Gateway) may sometimes result in block messages with the following status codes:

  • 403 Access denied
  • 500 Server Error
  • 502 Cannot connect

The following situations that can trigger a block:

  • High connection rate from SSE Proxy infrastructure (a MULTI-tenant cloud service where traffic from multiple customers and regions is seen on single IPs)
  • Geo-Location 
  • Generic IP blocking
  • Rule-based blocking
  • Reputation-based blocking

Troubleshooting Block Responses

You can contact Skyhigh Support for assistance for any of the actions listed below. Skyhigh recommends to contact the vendors or website administrators first. The Skyhigh Security team can then provide assistance or follow up as necessary.

  • High connection / rate limit blocks: These restrictions may trigger policies or controls from the destination firewall, leading to blocked access. Alternatively, the service might reject connection requests that exceed normal levels. If you are accessing services through an SSE Point of Presence (PoP), inform your business partners and suppliers that you are using a multi-tenant cloud service with a single, shared egress IP. This service might require the SSE network ranges to be put on a Firewall allow list. For details about the SSE IP addresses and ranges, see Allow IP Address Ranges for Points of Presence.
  • Geo-Location blocks: IP-based Geo-Location is the mapping of an IP address or MAC address to the real-world geographic location of a device or service. Skyhigh Security uses major Geo-Location vendors for mapping, they will be informed in time when we put new IP(s) online or apply changes where Geo-Location information needs to be updated. Nevertheless some database providers report incorrect country information, which results in a block action. In these cases, we suggest that customers work with their Geo-Location providers to validate the current database used.
  • IP / Rule-Based / Reputation blocks: If you're blocked or unable to access a website/resource through our SSE Web Proxy, it is usually a result of a policy of the destination vendor/site and could be caused by WAF (Web Application Firewall) rules, generic blocks on IP or any other security mechanism in place. In such cases destination vendor/host need to unblock or add white list rules on their  systems/services to allow access again.

Following information will help to underline the issue towards the provider/host as well as are the minimum requirements when a Service Request is raised with Skyhigh Security Support:

  1. Are you getting error on all the websites or specific websites/URLs? 
  2. What is the website/URL which is giving an error during access by users? 
  3. Screen shot of the error message as seen by the user. 
  4. What is the time since this is not working? 
  5. Egress IP from the user machine? 
    1. Use: https://www.whatismyip.com/ or https://ipchicken.com/ 
    2. Check the Egress IP from above using https://www.brightcloud.com/tools/url-ip-lookup.php  
  6. Open "About Skyhigh Client Proxy” and make a note of active proxy. Copy to clipboard and save information. 
  7. Browser HAR file 
    1. Press F12 
    2. Save as all HAR Content to a file 
  8. Wireshark Packet Capture from user machine 

If it becomes necessary to engage with Skyhigh Support, providing the above information will expedite the analysis. The SME will be able to advise whether direct contact from you, the account holder, could assist in collaborating with the third party. It is quite effective for third parties to hear directly from the user base, in addition to engaging with the multi-tenant service provider.

Workaround

  • Bypass the affected website(s) from being access via SSE Cloud

    • bypass on SCP policy or alternative client settings(browser settings or .pac or .wpad)