UT 8.1 Internet Banking Issues (Commbank)

[DiGiT]

Hi Guys,


Sorry to be a nuisance, but this has me stumped.

I recently implemented UT 8.1 (free version with no paid apps) as the web-filter / spam-filter / firewall / awesome-thing for my work.

And it has been working like a charm, until I tried to log into my Internet banking to transfer some funds to a client.

It will let me browse the main page and will also bring up the user login page. But after I have entered the user name and password and click on the login button, the site will just sit there and try to load and eventually time out.

The bank website I am having trouble with is Commonwealth Bank of Australia commbank.com.au. But the login URL which doesnt work appears to be login.commbiz.commbank.com.au

I understand that UT doesn't filter any encrypted traffic, however I added the URL into the web & spam filters safe list, just to ensure nothing was being blocked.

I read in another thread that that it might of been due to the MTU being too high, I changed this from the default 1500 to 1496, this didn't fix the problem

My basic network layout is
TPLink ADSL2+ Modem/Router > UT 8.1 (Bridge Mode) > Switch > SBS2008 and computers.

I have removed the UT box from the network and the website is instantly accessible.

I have tried to play around with the packet filters, but honestly I'm not too competent in what I am doing, that's why I have come here for advice.

Tracert from home. The site works fine from here

C:\Users\user>tracert login.commbiz.commbank.com.au

Tracing route to login.commbiz.commbank.com.au [140.168.81.44]
over a maximum of 30 hops:

1 2 ms 1 ms 1 ms 192-168-1-1.tpgi.com.au [192.168.1.1]
2 31 ms 33 ms 31 ms cbr-trn-nor-bras3-lo-0.tpgi.com.au [10.20.20.221
]
3 34 ms 31 ms 33 ms cbr-trn-nor-csw1-port-channel-11.tpgi.com.au [20
2.7.173.25]
4 32 ms 34 ms 33 ms cbr-trn-nor-crt2-port-channel-3.tpgi.com.au [202
.7.162.73]
5 36 ms 36 ms 36 ms syd-nxg-men-crt1-ge-2-1-2.tpgi.com.au [202.7.162
.249]
6 59 ms 58 ms 60 ms 119.225.5.237
7 * * * Request timed out.
8 58 ms 58 ms 59 ms Bundle-Ether15.ken39.Sydney.telstra.net [165.228
.132.205]
9 50 ms 51 ms 50 ms Bundle-Ether6.ken-core4.Sydney.telstra.net [203.
50.6.145]
10 59 ms 60 ms 60 ms TenGigabitEthernet7-1.ken42.Sydney.telstra.net [
203.50.20.57]
11 46 ms 47 ms 50 ms common213.lnk.telstra.net [139.130.66.22]
12 59 ms 58 ms * 140.168.73.2
13 50 ms 50 ms 51 ms 140.168.81.44

Trace complete.



tracert from work, site will not load from here

Tue Feb 22 2011 22:15:58 GMT+1100 (AUS Eastern Daylight Time)
traceroute to login.commbiz.commbank.com.au (140.168.81.44), 30 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 0.524 ms 1.020 ms 1.330 ms
2 cbr-trn-nor-bras3-lo-0.tpgi.com.au (10.20.20.221) 31.500 ms 32.857 ms 33.947 ms
3 cbr-trn-nor-csw2-port-channel-11.tpgi.com.au (202.7.173.29) 35.049 ms 36.251 ms 37.290 ms
4 syd-pow-cla-crt1-pos-1-3.tpgi.com.au (202.7.162.61) 38.697 ms 40.440 ms 41.616 ms
5 syd-nxg-men-crt1-ge-2-1-2.tpgi.com.au (202.7.162.249) 46.716 ms 48.236 ms 48.237 ms
6 119.225.5.237 (119.225.5.237) 65.422 ms 65.524 ms 66.832 ms
7 * * *
8 Bundle-Ether15.ken39.Sydney.telstra.net (165.228.132.205) 43.676 ms 43.496 ms 43.510 ms
9 Bundle-Ether6.ken-core4.Sydney.telstra.net (203.50.6.145) 49.352 ms 48.891 ms 48.365 ms
10 TenGigabitEthernet7-1.ken42.Sydney.telstra.net (203.50.20.57) 41.753 ms 41.867 ms 42.019 ms
11 * common213.lnk.telstra.net (139.130.66.22) 51.862 ms 52.606 ms
12 140.168.73.2 (140.168.73.2) 42.028 ms 42.757 ms 42.112 ms
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Tue Feb 22 22:16:17 EST 2011 - Test Complete!

Does anybody have any ideas, I have searched the forums and found some threads but they have not helped me.

Any help will be greatly appreciated.

Regards,
Daniel

[DiGiT]

Anyone have any ideas?

These threads havent really been much help to me.

forums.untangle(dot)com/networking/11001-why-untangle-blocking-internet-banking.html

forums.untangle(dot)com/networking/7211-untangle-conflict-secure-banking.html

[jcoehoorn]

This can happen if you choose to block IP-only traffic. The https request that handles the authentication for your bank shows up to untangle without a domain name, and so it blocked. This will stop many other sites that require authentication from working as well. You have to be careful with that option.

[DiGiT]

Ive already got "Block pages from IP only hosts" turned off in webfilter lite. Or is there another option I am not seeing.

[DiGiT]

Anybody able to think of anything else, I need to get this working...

Could it be someting as simple as forwarding https traffic 443? Ive moved UT remote admin service to another port.

But I am unclear of how to setup the rule to forward https traffic... Is anyone able to help me in setting this up?

[jcoffin]

I would try turning all the apps off and try to connection. If you succeed, try turning on one app at a time until it fails to connect. At least you'll know what's blocking it.

[DiGiT]

Thanks for your response,

I have turned off all the apps however it still does not work.

If i remove UT from the network it works fine. At the moment I have setup a PC connected directy to the ADSL2 modem/router to have a work around for the time being.

But whenever untangle is bridged into the network even with all the apps turned off. The site still hangs and eventually times out.

[sky-knight]

That usually means the site is doing something that is in violation of RFC standards. You can try bypassing traffic bound for the site.

[DiGiT]

Hi sky-knight,

Where should I add the bypass? I have added the domain and all known subdomains to the passlists in webfilter and spyware filter without any success.

Is there another option to configure to allow the site to bypass untangle and the virtual machine and level?

[sky-knight]

Yes, config -> networking -> advanced -> bypass

You will need to get the IP address of the web server, and craft a rule to bypass all traffic bound to that address.

That will remove all traffic heading to that web server from UVM filtration. That really is the last thing to try... if it still doesn't work your bank has some work to do on their crap!