Failure to authenticate a tunneled SSL request

book

Article ID: 165760

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

In troubleshooting authentication issues, you may find the following error in a policy trace:

EXCEPTION(configuration_error): Authentication failed because of a configuration problem
Last Error: Failure to authenticate a tunneled SSL request. This is typically caused when authentication policy is applied to tunneled SSL connections.

Please contact your network administrator to either exempt tunneled SSL traffic from authentication or to create suitable SSL interception policy for first intercepting SSL connections as HTTPS and then authenticating them.


 

Cause

This exception page is issued in cases where proxy is unable to issue an authentication challenge within an encrypted session, because the proxy is not decrypting that session.

Resolution

Because authentication challenges cannot be injected into an encrypted exchange, authentication must be bypassed for the URL. There are several methods to achieve this:

  1.  Use a Regular expression in policy to match the do not authenticate rule. NOTE: Regex rules may use more resources to process
    1. Via CPL:
Add the following to the CPL local policy file:

<Proxy>
 url.regex="ssl://" authenticate(no)

  1. Use the VPM to define a rule based on the ssl:// prefix on the Web Authentication layer:

Under Destination right-click > Set > New > Request URL > Select Regular Expression Match > add ssl:// > OK > click Install Policy

  1. Create a rule to only authenticate requests where the scheme is HTTP or HTTPS, this will prevent tunneled traffic from matching
    1. Find your rule which is currently configured to trigger authentication
    2. Right-click destination -> Set -> New -> Combined Destination Object
    3. Click New ->Request URL Object
    4. Give the Object a name 
    5. Then Click Advanced Match and change Scheme to HTTP and Click Add (Then do the same for HTTPS)

User-added image

                 F. Once both objects are created, select each object and click Add to add the objects to the top right box

User-added image
 
Your rule should appear as follows:
 
User-added image

Attachments