Error: "CONNECT to a port other than 443 (the default HTTPS port) is not permitted"

book

Article ID: 166814

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

The following error is encountered when connecting to websites with non-standard SSL ports and does not have other rules in the ProxySG/ASG that will match to allow non-standard ports to be forwarded:

Error:  CONNECT to a port other than 443 (the default HTTPS port) is not permitted
Error:  Your request attempted a CONNECT to a port <port_number> that is not permitted by default.
Error:  This is typically caused by an HTTPS URL that uses a port other than the default of 443.
Exception:  CONNECT_METHOD_DENIED

Configure ProxySG or Advanced Secure Gateway (ASG) to connect to non-standard SSL ports.

Cause

By default, ProxySG and ASG do not allow CONNECT methods to non-standard ports because it is considered a security risk.

Environment

Web servers are configured with non-standard SSL ports in an explicit environment.

Resolution

There may be instances where a known good web server is using a non-standard SSL port for SSL traffic; therefore the ProxySG or ASG can be configured to allow SSL connections to the non-standard SSL ports.

Here are ways to allow non-standard SSL ports:

1. If the site that is hosting the web server is using a non-standard SSL port, then bypass sending the proxy the request. If there is a PAC file, then create an exclusion so the web browser goes direct instead of to the proxy. For further information, please see Steps to create or edit a PAC file to use with ProxySG for additional details on modifying PAC files. If there is no PAC file, then manually enter an exception directly into the browser. Please refer to browser documentation for further details.

 

2. Add the following Content Policy Language (CPL) to the Local Policy File which allows a CONNECT request to be made to the host that uses a non-standard SSL port. For information on how to add CPL code to the Local Policy File, please see How do I add CPL to a local policy file on the ProxySG? Here is the sample policy:

;Allows the ProxySG to use the CONNECT method to a port other than port 443
<proxy>
http.method=CONNECT url.host=nonstandard-ssl-host.example.com url.port=<non-standard-port-number> ALLOW
;In the above example, replace nonstandard-ssl-host.example.com with the appropriate host.
;In the above example, replace <non-standard-port-number> with an actual number, such as 4443 or whatever port to override.


 
This can also be done using the Visual Policy Manager:

A. Create a new Web Access Layer. A new layer ensures that the policy change will not overwrite any existing policy decisions.
B. Set the Destination to be the Port for allowing non-443 CONNECT requests. Make it a Combined Destination Object if the site should be added as in the CPL example above.
C. In the Service column, choose Protocol Methods, select HTTP/HTTPS from the Protocol drop-down, and check the "CONNECT" option. Click OK.
D. Set the Action to Allow


 
3. Add CPL policy that allows CONNECT requests to any site on any port. NOTE: Symantec does not recommend allowing unrestricted CONNECT requests on any TCP port. The best way to work around the issue is to place an explicit exception as in solution #2 above; however, this solution is provided as is.

;Allows the ProxySG to use the CONNECT method on ANY TCP port. Not recommended.
<proxy>
http.method=CONNECT ALLOW

 

NOTE: Using the action "ALLOW" in policy rules grants the ProxySG or ASG the power to overrule its default security precaution of preventing access to site via non-standard SSL port. Apply the rule with caution (i.e. policy rule with only "ALLOW" action and no condition would set ProxySG or ASG to allow requests to connect to site through any destination port).