Client intermittently receives "Failure to authenticate a tunneled SSL request..."

Article ID: 165547

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Users receive the error message below from the ProxySG when accessing HTTPS-based URLs. The issue is intermittent.

Appliance Error (configuration_error)

Failure to authenticate a tunneled SSL request. This is typically caused when authentication policy is applied to tunneled SSL connections.
Please contact your network administrator to either exempt tunneled SSL traffic from authentication or to create suitable SSL interception
policy for first intercepting SSL connections as HTTPS and then authenticating them.

For assistance, contact your network support team.

Resolution

This is a common error message when using SSL interception on a ProxySG. When sites are exempted from SSL interception, the ProxySG is unable to challenge the user to authenticate because the data between the client and server is encrypted. The issue is intermittent in deployments where IP-based authentication surrogates are used, as the proxy will only attempt to authenticate requests for which it doesn't have a valid cached surrogate.

To correct this behavior, several things are required:

  • Configure and use an SSL-based authentication realm for all authentication requests, per the steps in How to set up Transparent SSL Forward Proxy with Authentication.
  • Prevent the ProxySG from challenging unintercepted requests by configuring the authentication rules to match a combined destination of the HTTP and HTTPS schemes, using the advanced match option in Request URL objects.
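The two steps above expressed as a Content Policy Language (CPL) fragment. This is an added illustration, not policy from the article or a Symantec/Broadcom sample; the realm name `ssl_realm` and the exemption categories are assumptions, and the CPL condition and action names are written from memory of the SGOS CPL reference, so check them against the reference for your SGOS release before installing.

```cpl
; Added example policy (not from the KB article). Assumed names:
; "ssl_realm" is an SSL-type authentication realm already created
; under Configuration > Authentication; the category names are placeholders.

; Step 1: decide what is intercepted. Sites left as tunnels cannot be
; inspected, so no authentication challenge can ever reach those users.
<SSL-Intercept>
    category=("Financial Services", "Health") ssl.forward_proxy(no)
    ssl.forward_proxy(https)

; Step 2: authenticate only where a challenge can be delivered, i.e. on
; plain HTTP and on HTTPS that step 1 intercepted. Matching the http and
; https schemes together is the CPL form of the "combined destination"
; Request URL advanced match described in the article; a tunneled
; connection does not match, so the configuration_error page is not raised.
<Proxy>
    url.scheme=(http, https) authenticate(ssl_realm)
```

Because the SSL realm is named in the same `authenticate()` action for both schemes, a user's surrogate credential is established on whichever request arrives first, and the exempted tunnels that previously triggered the error are simply never evaluated for authentication.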

Once done, the configuration above still authenticates intercepted traffic and no longer presents users with the error exception.