How do I allow a single URL/website when the Edge SWG (ProxySG) appliance's default policy is set to Deny, or the URL category is denied?

Article ID: 165966

Products

ProxySG Software - SGOS

Issue/Introduction

When the Edge SWG (ProxySG) appliance's default policy is set to Deny, or if a specific URL category (such as social networking, news/media, audio/video) is blocked, allowing a single website doesn't work. You may experience issues such as the following:

  • users can access a website, but are unable to stream video on the website; the website URL is allowed in the Visual Policy Manager (VPM) and audio/video URL category is denied in policy
  • users can access a website, but some website content is missing; the website URL is allowed in the VPM and the news/media URL category is denied in policy
  • users can access a website, but some of the website content does not appear, or users cannot access the website at all (social networking URL category is denied in policy)

Cause

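Other origin content servers (OCSes) may provide content for a single URL. Different OCSes may provide images, CSS, JavaScript, and audio/video streams. In the following partial policy trace, for example, the request goes to one host while its Referer header names another: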

GET http://www.example.com/gen_204?attributionpartner=iCrackUriDevice%2Buser
Referer: http://www.example1.com/watch?v=Uisx5ytzgNA&feature=g-all-

Users experience the issue described above because the request to the other OCS either matches the appliance's default deny policy or falls into a URL category that is denied.

To capture a policy trace and analyze it effectively, refer to Article 166514.

Resolution

To allow the single URL/website when the appliance has a default deny policy or the URL category is denied in policy:

  1. In the VPM, go to the web access layer that allows the URL.
  2. In the Destination field, right click and select Edit.

  3. In the menu beside the Host field, select "Domain".
  4. Click "OK".
  5. Click "Add Rule".
  6. In the Source field, right click and select "Set".
  7. Select "New > Request Header".
  8. Specify the following:
    • Show: "All"
    • Header Name: "Referer"
    • Header Regex: "example"

  9. Click "OK" twice.
  10. In the Destination field, select "Any".
  11. In the Action field, select "Allow".
  12. Click "OK" twice, and install the policy.
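
The Header Regex in step 8 decides how much traffic the new rule lets through, so it is worth checking the pattern against sample transactions before installing the policy. The following added example (not Broadcom code and not part of the original article) models the two rules in Python and compares the article's pattern "example" with a hypothetical tighter one. It assumes that www.example1.com is the allowed site and that Header Regex is an unanchored substring search; all hosts other than those in the article's trace are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "example1.com"  # assumption: the site allowed by the first rule
LOOSE = re.compile(r"example")   # Header Regex exactly as given in step 8
# Hypothetical tighter pattern: anchored on the Referer's scheme and host.
STRICT = re.compile(r"^https?://([a-z0-9-]+\.)*example1\.com(:\d+)?/", re.I)

# (request URL, Referer header). Row 2 is the article's trace; the rest are constructed.
TRANSACTIONS = [
    ("http://www.example1.com/watch?v=Uisx5ytzgNA", None),
    ("http://www.example.com/gen_204?attributionpartner=iCrackUriDevice%2Buser",
     "http://www.example1.com/watch?v=Uisx5ytzgNA&feature=g-all-"),
    ("http://files.unrelated.test/a.bin", "http://unrelated.test/page?q=example"),
    ("http://files.unrelated.test/b.bin", "http://www.example1.com.unrelated.test/"),
    ("http://files.unrelated.test/c.bin", None),
]

def decide(url, referer, referer_re):
    """Model of the two allow rules followed by the default Deny."""
    host = (urlsplit(url).hostname or "").lower()
    # Rule 1: Destination = allowed domain (the host itself or any subdomain).
    if host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN):
        return "ALLOW"
    # Rule 2: Source = Request Header "Referer" matches regex, Destination = Any.
    if referer and referer_re.search(referer):
        return "ALLOW"
    return "DENY"  # default policy

def compare(transactions):
    """Return (url, verdict with LOOSE, verdict with STRICT) for each row."""
    return [(u, decide(u, r, LOOSE), decide(u, r, STRICT)) for u, r in transactions]

if __name__ == "__main__":
    for url, loose, strict in compare(TRANSACTIONS):
        flag = "  <-- allowed only by the loose pattern" if loose != strict else ""
        print(f"{loose:5} {strict:5} {url}{flag}")
```

Rows flagged in the output are requests to unrelated hosts that the substring pattern allows only because the word appears somewhere in the Referer value.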

If the appliance still blocks some of the content

A policy trace might show that a new URL (having a previously referred OCS) is referring to another OCS. For example, the following partial policy trace shows a third OCS for www.example.com:

GET http://o-o---preferred---sn-gvbxgn-tt1d---v19---lscache3.c.example.com/crossdomain.xml
Referer: http://s.example.com/yts/swfbin/watch_as3-vfl1ubMZd.swf

This third OCS must be allowed as well. Repeat the procedure above to allow the OCS, but set the Header Regex field to match the Referer header from the denied transaction in the policy trace. In this example, it is ytimg.

Note! This is applicable to any URL that is explicitly allowed in policy, and when the appliance has a default deny or URL category denied.