Policy based on user-agent string does not match on all requests


Article ID: 166766



ProxySG Software - SGOS


The proxy can read the user-agent string of a given request and act on it during policy evaluation when the traffic can be analyzed unencrypted and conforms to a standard the proxy understands. In the case of a transparently-deployed proxy and SSL traffic that is not decrypted, the proxy is only able to decode the TCP header of the request, which provides the client and destination IP addresses. With an explicit proxy, rules based on the destination domain name can be used; however, because the user-agent string is encrypted within the request, the proxy cannot 'see' it to act on it in policy.

In these cases, it's prudent to define policy based on the elements that can be controlled, such as destination server IP address, client IP address, or the server certificate presented by the site when the proxy makes initial contact.
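
The visibility difference described above, as an added Python sketch (not ProxySG code or CPL policy): it looks at the first bytes a proxy receives from a client and reports which of the attributes discussed here are readable without decryption. The function names, sample bytes and addresses are constructed for illustration, and the server certificate is left out because it only appears once the proxy contacts the site.

```python
# Constructed sample inputs: first bytes a proxy would receive from a client.
PLAIN_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
              b"User-Agent: ExampleAgent/1.0\r\n\r\n")
EXPLICIT_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
TLS_RECORD_START = bytes.fromhex("1603010200010001fc0303")  # start of a TLS handshake


def visible_policy_inputs(first_bytes, client_ip, dest_ip):
    """Return the attributes readable without decrypting the connection."""
    seen = {"client_ip": client_ip, "dest_ip": dest_ip,
            "dest_host": None, "user_agent": None, "encrypted": False}
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        seen["encrypted"] = True  # transparent SSL: only the addresses are usable
        return seen
    head = first_bytes.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return seen  # not a request line this sketch understands
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":
        # Explicit proxy: the destination host is named in the clear, but the
        # User-Agent of the tunnelled request sits inside the encrypted stream.
        seen["encrypted"] = True
        seen["dest_host"] = target.rsplit(":", 1)[0]
        return seen
    seen["dest_host"] = headers.get("host")
    seen["user_agent"] = headers.get("user-agent")
    return seen


def usable_conditions(seen):
    """Names of the attributes a rule could actually match on."""
    return sorted(k for k, v in seen.items() if k != "encrypted" and v is not None)


if __name__ == "__main__":
    for label, data in [("plain HTTP", PLAIN_HTTP),
                        ("explicit CONNECT", EXPLICIT_CONNECT),
                        ("transparent SSL", TLS_RECORD_START)]:
        seen = visible_policy_inputs(data, "192.0.2.10", "198.51.100.20")
        print(label, "->", usable_conditions(seen))
```

A rule keyed on `user_agent` would only ever match the first case, which is why the same policy appears to work for some requests and not others.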