Users are seeing this error  when connecting to HTTPS sites using CONNECT and Origin-Style Redirection or form redirect modes in explicit proxy.

• "Cannot use form authentication for CONNECT method (explicit proxy of https URL)"

This error occurs when authentication is done via a form redirect mode, and a workstation send a 'Connect' request to the proxy.

A connect request is how a browser, that is explicitly configured to use a proxy, asks to open secure connection on a port that isn't 80.

For example, typing in https://www.example.com in a browser would generate a request that looks like this : 

CONNECT www.example.com:443

By standard, it is not possible to redirect a 'Connect' request as this is a tunneled connection. Since this traffic is not being decrypted the proxy cannot access whatever is inside that tunnel, to send a redirect and point the browser to the authentication form.

NOTE: This is not a product limitation. Browsers, by design, do not follow redirects when the HTTP method used was 'Connect' for security reasons.

There are two possible solutions in order to resolve this issue:

1. Bypass authentication on the CONNECT method by adding the following code to the local policy file:

• <proxy>
  http.method=CONNECT  authenticate(no)

2.  Use "proxy" authentication mode, for example:

• <proxy>
  allow http.method=CONNECT authenticate.mode(proxy) authenticate(realmName)

If, after setting the above first solution, a "Cannot redirect an HTTPS request to an HTTP virtual URL" error message is thrown by the Edge SWG please go to SGOS admin console GUI "Configuration -> Authentication -> Realms and Domains". Edit the realm and make sure the realm property "Virtual URL" is set to "https://www.cfauth.com" and not (default) "www.cfauth.com".