Does the ProxySG appliance intercept HTTPS if policy does not include an HTTPS Intercept layer?

book

Article ID: 167648

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

You want to know, if the ProxySG appliance policy does not include an SSL Intercept layer:

  • Whether the appliance intercepts HTTPS
  • The default action on HTTPS traffic
  • Why you see a self-signed certificate when you browse to a secure site in a transparent proxy deployment

In SGOS 5.4 and later, the default behavior for HTTPS traffic is to Intercept on Exception. A valid SSL license is required.

Even if you do not have a SSL Intercept Layer in policy (or it is disabled), as long as the HTTPS Proxy Services are set to Intercept on port 443, the ProxySG appliance performs Intercept on Exception by default. Examples of exceptions include a policy denial, a certificate error, and an error with the SSL handshake.

A HTTP Interception on Exception object is used to intercept SSL traffic if there is an exception, such as a certificate error or policy denial. This differs from the HTTPS Interception object, which intercepts all HTTPS traffic.

HTTPS is not intercepted if the default policy is ALLOW.

Notes:
  • Set up and modify the certificate/keyring used for this feature in the Management Console (Configuration > Proxy Settings > SSL Proxy > Issuer Keyring).
  • To prevent intercepting all HTTPS traffic when policy includes an HTTPS Intercept layer, disable HTTPS Interception on specific HTTPS traffic or on all HTTPS traffic.