Tunneled traffic using CONNECT is allowed when the destination port is not 443

Article ID: 167034

Products

ProxySG Software - SGOS

Issue/Introduction

Tunneled traffic using a CONNECT request is allowed when the destination port is not 443. The expected behavior is that such traffic is blocked whenever the destination port is not 443.

Resolution

If there is no matching policy in the Visual Policy Manager (VPM) or in the Local policy file, the ProxySG appliance enforces the default policy. For security reasons, regardless of whether the default policy is Deny or Allow, the appliance does not allow CONNECT on ports other than 443.

If a matching policy rule exists in the VPM or Local policy file, the matching rule overrides the default policy action and changes the default behavior. If the configured policy rule allows the transaction, non-SSL traffic on ports other than 443 is allowed.
 
To avoid this issue, add the following CPL code to your local policy file (in CPL, text after a semicolon is a comment):

<Proxy> ;if url port is not 443 AND the non-standard SSL port is not allowed, then deny
DENY http.method=CONNECT url.port=!443 detect_protocol(none)
 
To allow certain non-standard SSL TCP ports, add an exception condition that lists the permitted host and port pairs:

<Proxy> ;if url port is not 443 AND the non-standard SSL port is not in the allowed list, then deny
DENY condition=!Allowed_non-standard_SSLport http.method=CONNECT url.port=!443 detect_protocol(none)
define condition Allowed_non-standard_SSLport
    url.domain=host1.domain1.tld url.port=1234
    url.domain=host2.domain2.tld url.port=2345
end
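The following Python script is an added example, not ProxySG or CPL code: it parses a copy of the `define condition` block above and evaluates the DENY rule's logic offline, so an exception list can be sanity-checked before it is pushed to the appliance. It assumes `url.domain=` matches the listed domain and its subdomains, and uses the placeholder hosts from the article as constructed sample data.

```python
"""Offline model of the CONNECT-to-non-443 DENY rule (constructed example, not ProxySG code)."""
import re

# Constructed copy of the condition block from the article (placeholder hosts).
CPL_CONDITION = """
define condition Allowed_non-standard_SSLport
    url.domain=host1.domain1.tld url.port=1234   ; first allowed host:port
    url.domain=host2.domain2.tld url.port=2345   ; second allowed host:port
end
"""

_ENTRY = re.compile(r"url\.domain=(\S+)\s+url\.port=(\d+)")


def parse_allowed(cpl):
    """Return the set of (domain, port) pairs inside the define condition block."""
    allowed = set()
    inside = False
    for line in cpl.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a CPL comment
        if line.startswith("define condition"):
            inside = True
        elif line == "end":
            inside = False
        elif inside:
            m = _ENTRY.search(line)
            if m:
                allowed.add((m.group(1).lower(), int(m.group(2))))
    return allowed


def deny_fires(method, host, port, allowed):
    """True when the DENY rule matches: CONNECT, port != 443, and host:port not listed.

    Assumption: url.domain= matches the domain itself and its subdomains,
    so the check accepts exact and parent-domain matches.
    """
    if method.upper() != "CONNECT" or port == 443:
        return False  # rule does not match; the rest of the policy decides
    host = host.lower()
    for domain, allowed_port in allowed:
        if port == allowed_port and (host == domain or host.endswith("." + domain)):
            return False  # listed exception: rule does not match
    return True


if __name__ == "__main__":
    table = parse_allowed(CPL_CONDITION)
    for h, p in [("host1.domain1.tld", 1234), ("host1.domain1.tld", 8443), ("other.example", 22)]:
        print(h, p, "DENIED" if deny_fires("CONNECT", h, p, table) else "not denied by this rule")
```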