Errors accessing HTTPS (SSL) sites after enabling SSL interception in Cloud

Article ID: 165722

Updated On:

Products

CDP Integration Server

Issue/Introduction

With SSL interception enabled, the cloud service terminates the workstation's TLS connection and opens its own connection to the destination site on the user's behalf. For the workstation to accept the certificate the cloud presents, a trust relationship must be established first: download the certificate from the SSL page in the portal and import it into the workstation's Trusted Root Certification Authorities store. Once the workstation trusts that issuing certificate, the cloud can act as an intermediary, decrypting and re-encrypting the traffic between the workstation and the secure site.

In some instances the connection to the requested HTTPS (SSL) site fails because the interception is detected and the connection is refused. The most common cause is certificate pinning: the client application (a browser, mobile app or thick client) ships with a record of the certificate or public key it expects from the host or service and compares it with what it receives on every connection. The certificate the cloud mints for the intercepted session is signed by the cloud's CA and carries a different public key, so the pinned client immediately recognizes that something has come between it and the origin content server (OCS) and refuses the connection. The workaround for certificate pinning is to identify the domains the pinned client connects to and exclude them from SSL interception.
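The following is an added example, not code from the article or from the product, showing in stdlib Python why a pinning client refuses an intercepted session. It implements the RFC 7469 pin (base64 of the SHA-256 of the certificate's subjectPublicKeyInfo) with a minimal DER walker, compares the pin of the certificate the client receives with the pin it stored, and includes a helper that fetches whatever leaf certificate is actually presented for a host so you can check which issuer the workstation sees through the cloud. The two certificates built in the file are skeletal, unsigned structures constructed for the demonstration; the key bytes, serial and validity values are placeholders.

```python
"""Added example (not from the article): why a certificate-pinning client
refuses an SSL-intercepted connection.

A pinned client stores the RFC 7469 pin of the origin server's key:
base64(SHA-256(subjectPublicKeyInfo)). The certificate the cloud mints
for the session carries the cloud's own key, so its pin differs and the
client aborts. Only the standard library is used; the certificates below
are constructed here and are not real.
"""
import base64
import hashlib
import socket
import ssl


def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at `pos`; return (tag, content, end_of_element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def spki_der(cert_der: bytes) -> bytes:
    """Return the subjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    tag, cert_body, _ = _tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(cert_body, 0)               # tbsCertificate
    pos = 0
    tag, _, nxt = _tlv(tbs, 0)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                           # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    start = pos
    _, _, end = _tlv(tbs, pos)
    return tbs[start:end]


def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(subjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()


def pin_accepts(cert_der: bytes, expected_pins) -> bool:
    """What a pinning client does: accept the leaf only if its pin is known."""
    return spki_pin(cert_der) in set(expected_pins)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch whatever leaf certificate is presented for `host` (needs network).

    Verification is disabled on purpose: the point is to see the certificate
    the workstation actually receives, the interception certificate included.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed demonstration certificates (minimal DER, unsigned, not real) ---

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_cert(public_key_bits: bytes) -> bytes:
    """Build a skeletal X.509 structure whose only varying part is the key."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    version = _der(0xA0, _der(0x02, b"\x02"))
    serial = _der(0x02, b"\x01")                                        # placeholder
    name = _der(0x30, b"")                                              # empty Name
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + public_key_bits))
    tbs = _der(0x30, version + serial + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\x00" * 32))   # dummy signature


ORIGIN_CERT = make_cert(b"\x01" * 256)   # key the client pinned at build time
PROXY_CERT = make_cert(b"\x02" * 256)    # key in the cloud-minted certificate
PINNED = {spki_pin(ORIGIN_CERT)}


if __name__ == "__main__":
    print("origin certificate accepted:", pin_accepts(ORIGIN_CERT, PINNED))
    print("intercepted certificate accepted:", pin_accepts(PROXY_CERT, PINNED))
```

Running the file shows the origin certificate accepted and the cloud-minted one refused, which is exactly the failure a pinned application produces behind interception. To see what a given workstation receives, call `fetch_leaf_der("example.com")` from that workstation and compare `spki_pin()` of the result with the pin taken from a direct, uninterrupted connection; a mismatch, or a leaf issued by the cloud's CA, means that domain must be excluded from SSL interception if the client pins it.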

Another method sites use to protect themselves against attacks is to allow access only from predefined IP addresses, held in the site's ACL (access control list). When interception is on, the request reaches the site from the cloud's egress address rather than from the customer's own address, and if that address is not in the ACL the site drops the request without responding. To the user this looks like the browser could not reach the site and timed out.

Access issues can be caused by either of the scenarios above, and the symptoms tell them apart: a pinning failure is refused immediately by the client, while an ACL block times out. In cases such as these we recommend you take the affected sites' IP addresses and set an exception on your firewall so that traffic to them is excluded from the IPSec tunnel; for other access methods, add the IP addresses to the SSL bypass IP list.