Compatibility Modifications for IronPort Web Appliance and Pearson Computer-based Testing

Some modifications need to be made for the IronPort Web Appliance to work with Pearson computer-based testing.

Purpose of this document

The Cisco IronPort S-Series is a high-capacity web security appliance designed to combat spyware and other web-based threats. It is used by a number of school districts. Without modifications, IronPort will not work properly for schools that conduct Pearson computer-based testing. This document discusses what is known at this time about IronPort and the problems associated with computer-based testing.

Known problems
Test items can be corrupted or altered as they are downloaded by the Pearson TestNav client. TestNav is making an HTTP request to retrieve the binary file.
1. TestNav tries to decrypt the login item and fails. 2. It tries again to retrieve and decrypt the item from the server and fails. 3. It tries again to retrieve and fails for the third time before it errs out with an error 20019. (The

error can vary and come up as 20118 or Unable to Communicate with Testing Server, depending on whether it is an actual test item or the login item).
DeliveryFrame.getFileFromServer().Exception: javax.crypto.IllegalBlockSizeException: ECBMode::decryptFinal(byte[]) - Un-Padding - padding is corrupted URL:http://sample TimeOut Time:180000 **ERROR** DeliveryFrame::getLoginItemFromServer()javax.crypto.IllegalBlockSizeEx ception: ECBMode::decryptFinal(byte[]) - Un-Padding - padding is corrupted DeliveryFrame.init():Exception:java.lang.NullPointerException

Possible Solutions
The workaround for this issue is to clear the cache on the IronPort box. This allows TestNav to receive a fresh copy of the item from the server. One customer stated that they were able to resolve this problem by adding separate exception entries for the domains and IP address into IronPort. Another customer stated that they were able to resolve the problem by adding the domain names to the Proxy Bypass on all their IronPort devices. Note: Current domain names and protocol/ports are listed in the TestNav Technology Guidelines (for PearsonAccess customers) or the Infrastructure Guidelines (for eMS customers). Pearsons recommendation for proxies that cache items is 4 hours. The customer reported to us that IronPort defaults to 24 hours. It could be possible that IronPort is caching the item too long and this is somehow interfering with the decryption method. This is one theory. The main theory is that IronPort is altering the actual file downloaded. Note, however, that it is not happening on all items, just specific ones, and that the problem only lasts 24 hours.

Copyright 2008 by IronPort Systems, Inc. All rights reserved. Copyright 2009 TestNav is a trademark of Pearson Education, Inc. or its affiliate(s). All rights reserved.

Page 1 of 1