InterScan Web Security as a Service (IWSaaS) 3.0 users are being connected to the wrong data center

    • Updated: 25 Jun 2019
    • Product/Version: InterScan Web Security as a Service 3.0
    • Platform: N/A
Summary

Sometimes, IWSaaS 3.0 users are connected to an unexpected data center, one located in a different region from their own.

Most cases reflect the following scenarios:

  • The diagnose page shows that the client connects to an unexpected data center.
  • When using IWSaaS, the web page language is not as expected.
  • When using IWSaaS, some applications cannot be used because they can only be used in a specific region.
Details
  • The global FQDN “proxy.iws-hybrid.trendmicro.com” uses the AWS Geo Location policy, which determines the location from the client's resolver IP rather than the client's IP.
  • Using the client's resolver IP to determine the location can be problematic, since the client might use a DNS resolver that is located far away from the client's actual location.
  • Additionally, the AWS Route 53 service supports the EDNS client subnet extension; with this extension, DNS queries carry the client's IP subnet information. If your end users' DNS resolvers support this extension, the Route 53 service can determine the client's location more accurately.
  • This is potentially one reason why, when using Google DNS, the Route 53 geo-location policy can direct the customer to the correct location. Refer to the Amazon Route 53 Forum Announcement for more details on EDNS client subnet.

To confirm this behavior, customers need to run the following commands together, with a sleep time of 1 minute between runs:

For Linux systems:

  • To get the current DNS resolver's IP

    dig +short resolver-identity.cloudfront.net 

  • To resolve our service FQDN proxy.iws-hybrid.trendmicro.com by the current DNS resolver

    dig +short +identify proxy.iws-hybrid.trendmicro.com

  • To check whether the current DNS resolver supports EDNS

    dig edns-client-sub.net TXT +short

For Windows systems:

  • nslookup resolver-identity.cloudfront.net
  • nslookup proxy.iws-hybrid.trendmicro.com
  • nslookup -type=txt edns-client-sub.net

For example:

In the following image, the client uses DNS 192.221.154.132. Since this IP address is in London, the proxy address is resolved to 52.56.127.241, which is the scanner instance in the London Data Center (DC).

However, in the following image, the client uses DNS 172.217.47.8. This IP is in India, so the proxy address is resolved to 13.126.23.129, which is the scanner instance in the India Data Center (DC).

This is why the customer sometimes goes to the London DC and sometimes to the India DC.

The IWSaaS team provides a tool containing two scripts to confirm the root cause:

  • For Windows systems: DNS_Resolver_Windows.bat
  • For Linux systems: DNS_Resolver_Linux.sh

Both scripts provide the same check functions:

  • Get the current DNS resolver's IP (because the customer's DNS resolver IP may change).
  • Resolve our service's FQDN proxy.iws-hybrid.trendmicro.com by the current DNS resolver.
  • Check whether the current DNS resolver supports EDNS.

The scripts automatically collect the above items 100 times at 1-minute intervals, so a run lasts about 100 minutes. If you do not want it to run for that long, you can stop it manually by pressing Ctrl + C.

Run the scripts when you find that the client connects to an unexpected region; after running the scripts, collect the output files and send them to Trend Micro for analysis.

 
The output file is in the current running directory: for Windows systems the file name is windows_output.txt, and for Linux systems the file name is linux_output.txt
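
The same three checks, sampled at 1-minute intervals and then correlated, as an added example (this is not Trend Micro's DNS_Resolver_Linux.sh and does not reproduce its output format). The function names, the one-line-per-sample layout and the `sample_log` data are assumptions; the sample lines are constructed from the resolver and proxy IPs quoted in this article.

```shell
#!/bin/sh
# Added example, not Trend Micro's script. Line layout and names are assumptions.
FQDN="proxy.iws-hybrid.trendmicro.com"

# One sample: "UTC-time resolver-IP proxy-IP raw-TXT-answer" (the article's three dig queries).
probe_once() {
    resolver=$(dig +short resolver-identity.cloudfront.net | grep -E '^[0-9.]+$' | head -n 1)
    proxy=$(dig +short "$FQDN" | grep -E '^[0-9.]+$' | head -n 1)
    txt=$(dig +short edns-client-sub.net TXT | tr '\n' ' ')
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${resolver:-none}" "${proxy:-none}" "${txt:--}"
}

# collect COUNT INTERVAL_SECONDS: defaults follow the article (100 samples, 1 minute apart).
collect() {
    n=${1:-100}; interval=${2:-60}; i=0
    while [ "$i" -lt "$n" ]; do
        probe_once
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then sleep "$interval"; fi
    done
}

# Read samples on stdin; print "count resolver -> proxy" for each distinct pair.
summarize() {
    awk '{ n[$2 " -> " $3]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Read samples on stdin; print "<proxy changes> <changes where the resolver also changed>".
# Equal numbers mean every data-center switch followed a resolver switch.
count_flips() {
    awk 'NR > 1 && $3 != proxy { f++; if ($2 != res) e++ }
         { res = $2; proxy = $3 }
         END { print f + 0, e + 0 }'
}

# Constructed sample log (timestamps invented; IPs are the ones quoted in the article).
sample_log() {
    cat <<'EOF'
2019-06-25T10:00:00Z 192.221.154.132 52.56.127.241 -
2019-06-25T10:01:00Z 192.221.154.132 52.56.127.241 -
2019-06-25T10:02:00Z 172.217.47.8 13.126.23.129 -
2019-06-25T10:03:00Z 172.217.47.8 13.126.23.129 -
2019-06-25T10:04:00Z 192.221.154.132 52.56.127.241 -
EOF
}

if [ "${1:-}" = "collect" ]; then collect "${2:-100}" "${3:-60}"; fi
```

Run it with the `collect` argument and redirect the output to a file, then pipe that file into `summarize` and `count_flips`.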

To make sure users connect to the expected data center:

  1. Use the IWSaaS regional FQDN.

    For example, if the customer is in India, they can use the FQDN “proxyst-as1.iws-hybrid.trendmicro.com”

  2. Use a DNS server that is in the same country as the user.
  3. Enable EDNS support on the DNS server.
  4. Use one of the known recursive DNS providers that include EDNS Client Subnet (ECS) information in their DNS queries:

    • Google Public DNS
    • OpenDNS

Category: Configure; Troubleshoot
Solution Id: 1122989