Why some HTTPS/SSL sites fails thru proxy using IE 8 & IE 9 even proxy is not Intercepting SSL traffic?


Article ID: 167633


Updated On:


ProxySG Software - SGOS



There is a process called Certificate Revocation, which IE appears to be validation for some HTTPs/SSL sites.
The PCAP shows, client closes the connection during SSL handshake just after server submits its certificate. This occurs because there is certificate revocation process starts for some of these sites/urls, and apparently it is failing authentication on proxy SG since the User-Agent is “Microsoft-CryptoAPI”.
You must bypass authentication for this user agent ““Microsoft-CryptoAPI”.
You can do it via VPM or CPL.
Using VPM
Start VPM -> Go to Web Authentication Layer -> Add a rule on the top -> select Source field -> right click & choose SET -> New -> Request Header -> choose User-agent from Header Name -> in the Header Regex field type “Microsoft-CryptoAPI” (without quotes) -> OK -> OK -> set action to “donot authenticate” -> Install policy
Using CPL:
1.       Launch and log into the Management Console on your ProxySG.  The URL for the Management Console is https://<ip.address.of.proxysg>:8082/ .
2.       Click on the Configuration tab > Policy > Policy files > Policy files tab. 
3.       There is an "Install policy" section where you can install policy from a local file, forward file, and central file.
4.       Select "Text Editor" from the drop down list to the right of "Install Local file from:" text.  Click on the Install button to the right of that drop down box.
5.       If this is a new proxy deployment, your local policy may be blank.  If this is an established proxy with local policy, scroll down to the bottom of the data contained in the text editor.
6.       Copy and paste the CPL text that you see below.  Click on the Install, OK, and Close buttons in that order.  Click on the Apply button.  Your new policy has been installed.
request.header.User-Agent=Microsoft-CryptoAPI authenticate(no)