Author Topic: cannot connect to www.usps.com HTTP transparent proxy and not transparent

neuropharm

  • Zen Apprentice
  • *
  • Posts: 18
  • Karma: +0/-0
on Version 2.2.6 then dist-upgrade Zentyal 2.2.7
Zentyal is our gateway firewall, DHCP, DNS & squid proxy

From the Zentyal Desktop we can access www.usps.com.
Not one computer behind Zentyal can access www.usps.com, whether using the transparent proxy or not. But we can connect to www.prioritymail.com

When we had core 2.0 version last week, it worked. We had previously added /etc/ebox/hooks/firewall.postservice hook like this
        iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 80 -d usps.com. -j ACCEPT

I have this in place again now here /etc/zentyal/hooks/firewall.postservice
I can have this in place or not, does not make a difference.

www.usps.com will resolve and Firefox shows "connecting..." and never times out or receives any errors. The browser title does not change for www.usps.com. When we go to holdmail.usps.com the browser title will change to "USPS.com - Hold Mail Service" but the page never loads. The URL in the address bar changed to https://holdmail.usps.com/holdmail/ and the Firefox status says "Transferring data from holdmail.usps.com..."
The visible page at holdmail.usps.com never shows up. I stopped the loading and looked at the source of the page; the source looks complete enough, with 1715 lines and a proper closing HTML tag.

For this file (http://www.usps.com/ContentTemplates/images/global/usps_logo.gif) on the usps.com site, I see these details in "Maintenance > Logs > HTTP Proxy" (when I have the transparent proxy enabled):
Event = Accepted
Bytes = 0
Mime/type = -



Please any advice/suggestions will be greatly appreciated.

Bless You



--Update
We are not using proxy in transparent mode.
There are a number of websites we are experiencing trouble with.
A similarity I see with the problematic connections is SSL:
do.com
fonts.com

--------------------------------------------------
This is what I have installed
--------------------------------------------------
Component                        Installed version
Bandwidth Monitor                2.2.5
DHCP Service                     2.2.1
DNS Service                      2.2.2
Firewall                         2.2
HTTP Proxy (Cache and Filter)    2.2.5
Intrusion Detection System       2.2.2
Layer-7 Filter                   2.2
Monitor                          2.2.3
NTP Service                      2.2
Network Configuration            2.2.7
Network Objects                  2.2
Network Services                 2.2
Traffic Shaping                  2.2.1
Users and Groups                 2.2.6
« Last Edit: June 29, 2012, 11:21:47 pm by neuropharm »
_________________________________
Be with God, He is always with you

neuropharm

We continue to hop along with limited access to the Internet.

More and more we are finding problem connections. Finding them only when HTTPS/SSL is part of the connection.

We cannot get to the Amazon.com sign in page.  We cannot get to the vmware sign in page. my.vmware.com -

we can get to wellsfargo.com and sign in.

« Last Edit: July 02, 2012, 05:32:34 pm by neuropharm »

christian

  • Guest
It definitely deserves more investigation on your side and if possible more details.
As you may easily imagine, HTTPS is working for almost all Zentyal users here otherwise it would make it totally useless.
Thus goal now is to understand what's wrong on your side.

BTW, does it work if you don't use proxy but "direct" connection?

neuropharm

Thank you for your reply

It does not work with a direct connection (UNLESS) I am on the desktop of the Zentyal Gateway machine using zenbuntu desktop and Firefox; then I can connect to anything and everything.

As of Friday, I have the "Transparent Proxy" unchecked.
« Last Edit: July 02, 2012, 05:57:41 pm by neuropharm »

christian

Could you please elaborate a bit  ???
"It does not work", although I understand that it does not provide the expected result, doesn't allow me to drill down or even move in one direction or another  :-[
Do you get an error message, a time-out or anything else? Or do you mean it has exactly the same behaviour with "no proxy" as what you already described (with a lot of detail)?

BTW, did you try another browser? I suspect something wrong with your client more than with Zentyal.

I also don't understand why you have been obliged to add such iptables rule. Trust me, Zentyal is supposed to work out-of-the-box  ;)  unless you have very specific needs.

neuropharm

Be glad to elaborate.

There are over 100 workstations that connect to the internet through this Zentyal gateway. We are using almost all current browsers (IE, FF, Chrome, Opera, Safari).

There is no "error"
 
Chrome will eventually show "This webpage is not available".
Firefox and IE show "Connecting...." in the title, and the bottom status bar of Firefox says "connected to www.sitename.tld".

We are unable to notice any difference when the proxy is enabled transparently or disabled.

christian

Do I understand correctly when you say that adding FW rules to bypass proxy does not solve the issue?

neuropharm

Yes, it does not make a difference.

christian

Thus the problem, if any, is not at the (Squid) proxy level.
Perhaps packets are dropped at the FW level? Have you defined multiple (external) gateways?

neuropharm

We have 4 external gateways:
eth0, eth1, eth2, eth3 are PPPoE
eth4 is LAN

We are balancing traffic on these DSL connections
« Last Edit: July 02, 2012, 06:31:03 pm by neuropharm »

christian

8) While asking I was almost convinced that the answer would be "yes, we have multiple GW"  8)
Is it feasible that you either activate only one GW or set up a balancing rule (adding an HTTPS service) so that all HTTPS flow goes through one single GW, at least for debugging purposes  ???

neuropharm

I can add a rule for a new HTTPS service to go out the default gateway for all users.

I have added this balance traffic rule now. So far, I see no improvement.

Correction, we have improved!
« Last Edit: July 02, 2012, 06:42:13 pm by neuropharm »

christian

8)  so easy  ;D

neuropharm

Your help is very greatly appreciated!
Is that it?
We have to limit all port 443 to just one of our gateways?

Wondering why we did not have to limit port 443 to one gateway with Zentyal 2.0.4..


christian

Well.... if you balance encrypted sessions across multiple GW, knowing that the key used for encryption is different each time, I wonder how it could work. But I might be wrong  ;)
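To make the thread's conclusion concrete (HTTPS only works once all port 443 traffic is pinned to a single gateway), here is an added simulation that is not part of the forum thread or of Zentyal. It models one common mechanism behind this symptom: a web site that binds a session to the public source address it was first seen from, so a sign-in flow spanning several TCP connections fails when per-connection balancing sends later connections out a different PPPoE gateway with a different public IP. The four gateway addresses, the round-robin policy and the `IpBoundSessionServer` are constructed for illustration; the `pinned_ports` argument stands in for the "HTTPS service goes out one gateway" balancing rule described above.

```python
"""Multi-WAN balancing versus a server that binds sessions to the client IP.

Constructed example: addresses, gateways and the request flow are invented
to illustrate why pinning port 443 to a single gateway restores HTTPS.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import itertools

# One constructed public address per PPPoE gateway (eth0..eth3 in the thread).
GATEWAY_IPS = ["198.51.100.10", "198.51.100.20", "198.51.100.30", "198.51.100.40"]


@dataclass
class Request:
    dst_port: int
    session_id: Optional[str] = None  # None on the very first connection


class RoundRobinBalancer:
    """Chooses an egress gateway per new connection.

    pinned_ports maps a destination port to a gateway index, modelling a
    balancing rule that forces e.g. all HTTPS (443) through one gateway.
    """

    def __init__(self, gateway_ips: List[str], pinned_ports: Optional[Dict[int, int]] = None):
        self.gateway_ips = gateway_ips
        self.pinned_ports = pinned_ports or {}
        self._cycle = itertools.cycle(range(len(gateway_ips)))

    def egress_ip(self, request: Request) -> str:
        if request.dst_port in self.pinned_ports:
            return self.gateway_ips[self.pinned_ports[request.dst_port]]
        return self.gateway_ips[next(self._cycle)]


class IpBoundSessionServer:
    """Hypothetical server that ties every session to the source IP that opened it."""

    def __init__(self):
        self._sessions: Dict[str, str] = {}  # session id -> source ip
        self._counter = 0

    def handle(self, src_ip: str, request: Request) -> Tuple[str, str]:
        if request.session_id is None:
            # First connection: issue a session bound to this source address.
            self._counter += 1
            sid = f"sess-{self._counter}"
            self._sessions[sid] = src_ip
            return "ok", sid
        # Subsequent connection: accept only if it arrives from the same address.
        if self._sessions.get(request.session_id) != src_ip:
            return "rejected", request.session_id
        return "ok", request.session_id


def run_login_flow(balancer: RoundRobinBalancer, server: IpBoundSessionServer, steps: int = 5) -> List[str]:
    """Simulate a sign-in spanning several port-443 connections; return per-step outcomes."""
    outcomes = []
    sid = None
    for _ in range(steps):
        req = Request(dst_port=443, session_id=sid)
        src = balancer.egress_ip(req)
        status, sid = server.handle(src, req)
        outcomes.append(status)
    return outcomes


def compare_policies() -> Dict[str, List[str]]:
    """Run the same flow with plain round-robin and with 443 pinned to gateway 0."""
    balanced = run_login_flow(RoundRobinBalancer(GATEWAY_IPS), IpBoundSessionServer())
    pinned = run_login_flow(RoundRobinBalancer(GATEWAY_IPS, pinned_ports={443: 0}), IpBoundSessionServer())
    return {"round_robin": balanced, "https_pinned": pinned}


if __name__ == "__main__":
    for policy, outcomes in compare_policies().items():
        print(f"{policy:13s} -> {outcomes}")
```

The round-robin run shows the intermittent pattern the thread describes: the first connection succeeds, the next three leave through other gateways and are rejected, and the flow only succeeds again when the cycle returns to the original address. Pinning port 443 keeps every connection on one public IP and the whole flow succeeds, which is the behaviour observed after the balancing rule was added. Sites that do not bind sessions to the client address (wellsfargo.com in the thread) are unaffected by either policy, so a mixed picture of working and hanging HTTPS sites is a useful diagnostic hint for multi-WAN setups.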