How can I troubleshoot no redirect to the BSC login page?

Version 1

    Q: How can I troubleshoot no redirect to the BSC login page?

     

    A:

    1. Make sure the client is able to resolve DNS.

    The client must be able to resolve DNS in order to be redirected to the login page. From a command prompt on the client, try pinging or running nslookup against www.google.com or www.yahoo.com to see whether the fully qualified domain name resolves to an IP address.

     

    If you are unable to resolve DNS, check the un-registered role to make sure DNS is allowed outgoing to any destination or to your specific DNS server(s) (user roles>roles>click to edit un-registered role>policies).

     

    If you are allowing DNS outgoing in the un-registered role but are still unable to resolve DNS, try statically configuring the DNS settings on the client to use public DNS servers, for example 4.2.2.1 and 4.2.2.2.


    If you are able to resolve DNS and get redirected to a login page after statically configuring the DNS settings on the client, check your DNS server or configure replacement DNS server IP addresses under network>protected or network managed>DHCP server.


    2. Check the list of HTTP/proxy ports to monitor under general>http.

    By default the BSC monitors requests to port 80 from clients in the un-registered role. If the client makes a request to a port other than 80, it will not be redirected to the login page. For example, the client could have its home page set to an https page (443), or the client's browser could be configured to use a proxy on another port. If that is the case, add the ports, for example 80,443,8081, to the comma-separated list of HTTP/proxy ports to monitor under general>http.

     


    3. Allow HTTP outgoing to the OCSP and CRL URLs of your SSL certificate in the un-registered role.

    The default behavior of many browsers today, for example IE8 on Windows 7, is to consider an SSL certificate invalid if its validity cannot be checked. Unfortunately, the browser does not display a message or anything else to indicate that it could not validate the certificate; it simply doesn't display a page, or displays a generic "page cannot be displayed" message. Before a client is authenticated, it is placed in the un-registered role. By default the un-registered role only allows DNS outgoing, so the browser is unable to check the validity of the certificate and doesn't redirect to the login page.

     

    If you go to web logins>ssl certificate, you will see the properties of your certificate on the right-hand side. There you should see the OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List) URLs. You may see one or both depending on the certificate. The browser uses these to check the validity of the certificate.

     

    Go to user roles>roles>click to edit the un-registered role>policies and allow HTTP to the OCSP and CRL URLs. It is recommended that you upgrade to a minimum of 6.5.1.03 before allowing HTTP to the URLs, as this software release introduces destination hostnames to account for the multiple IP addresses that a host name may resolve to.

     

    4. Adjust the seconds a client is allowed to hold the web server under general>http from a default value of 300 to 10.

    While clients are in the un-registered role, the BSC's job is to redirect their requests to port 80, and to any other ports listed under general>http>HTTP/proxy ports to monitor, to the login page. Each client has multiple background processes running, for example Windows updates, antivirus updates, tool bars, etc., that continually perform requests because they are unable to access these services in the un-registered role. Each one of these requests will by default hold onto the BSC's web server for 300 seconds. Adjusting this to 10 will free up web server resources in environments with many users in the un-registered role. It is recommended that this setting be adjusted to 300 before an upgrade so that the status of the upgrade may be maintained, and adjusted to 10 thereafter. You may be prompted to "click here to apply" after adjusting this setting. This will restart the web server. It will be non-intrusive to users on the system: they will not be dropped, but you will be dropped for a brief moment from the secure web-based administration console.
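
As an added example for step 3 (not part of the original article and not BSC software), the Python sketch below turns a certificate's OCSP and CRL URLs into the HTTP destinations to allow in the un-registered role, and flags URLs that an HTTP rule would not cover. The sample certificate, its hostnames and the helper names are constructed for illustration; `fetch_cert` assumes the login host answers TLS on port 443.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Hostnames are placeholders, not values from any real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "login.example.net"),),),
    "OCSP": ("http://ocsp.ca.example/",),
    "crlDistributionPoints": (
        "http://crl.ca.example:8080/ca-g2.crl",
        "ldap://directory.ca.example/cn=CA?certificateRevocationList",
    ),
}


def revocation_endpoints(cert):
    """Return (allow, other): allow is a sorted list of (host, port, field)
    HTTP destinations; other lists URLs an HTTP allow rule does not cover."""
    allow, other = set(), []
    for field in ("OCSP", "crlDistributionPoints"):
        for url in cert.get(field, ()):
            parts = urlsplit(url)
            if parts.scheme.lower() == "http" and parts.hostname:
                # Plain HTTP with no explicit port means port 80.
                allow.add((parts.hostname, parts.port or 80, field))
            else:
                other.append(url)
    return sorted(allow), other


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated certificate of the login page host. Run this from
    a machine with unrestricted access, not from an un-registered client."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    allow, other = revocation_endpoints(SAMPLE_CERT)
    for host, port, field in allow:
        print(f"allow HTTP outgoing to {host} port {port} ({field})")
    for url in other:
        print(f"not covered by an HTTP rule: {url}")
```

To check a live certificate, pass the result of `fetch_cert("<login page hostname>")` to `revocation_endpoints` in place of the sample.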