Users cannot access certain HTTPS websites when SSL interception is enabled. They receive the error “Network Error (ssl_server_cert_untrusted_issuer)”.
The Edge SWG (ProxySG) appliance has an internal trusted CA certificate list. If a web server has a certificate issued by a CA (Certificate Authority) that is unknown to the appliance, the appliance denies access by default.
To bypass this error, do one of the following:
Solution 1: Have the Edge SWG (ProxySG) appliance trust the CA
Use this solution only if you trust the CA. This solution also applies when users have an internal PKI server which issues certificates to internal websites. To add the CA to a trusted list, see Why is the browser showing error "Network Error (ssl_server_cert_untrusted_issuer)"?.
Solution 2: Disable SSL server certificate validation
Perform this solution using an SSL Access Layer in the Visual Policy Manager (VPM). In the SSL Access Layer, disable the “Untrusted Issuer” validation while keeping the other validations intact.
The equivalent policy in CPL is as follows:
<SSL>
url.domain=www.example.com server.certificate.validate(yes) server.certificate.validate.ignore(untrusted_issuer)
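Before choosing Solution 1 or 2, it helps to confirm that the failure is an issuer-trust failure and to see which CA issued the certificate. The following is an added example, not from the original article and not the appliance's own code: it reproduces the same kind of check with the openssl CLI on a workstation. The CA names, file paths and the mapping of OpenSSL verify errors 18-21 to "untrusted_issuer" are assumptions, and all keys and certificates are constructed locally.

```shell
#!/usr/bin/env bash
# Added example: every key and certificate here is constructed in a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA written to NAME.pem / NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA HOST: server certificate for HOST issued by CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# classify TRUST_BUNDLE CERT: prints trusted | untrusted_issuer | other
# Assumption: OpenSSL errors 18-21 (issuer missing from the bundle, or a
# self-signed certificate that is not in it) stand in for "untrusted issuer".
classify() {
  local out
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo trusted
  elif printf '%s\n' "$out" | grep -Eq 'error (18|19|20|21) at'; then
    echo untrusted_issuer
  else
    echo other   # e.g. expired: not something an issuer exception should hide
  fi
}

# issuer_of CERT: issuer DN to review before adding a CA to a trust list
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

make_ca internal-ca   # stands in for an internal PKI the proxy does not know
make_ca other-ca      # stands in for the proxy's existing trusted CA list
make_leaf internal-ca www.example.com

LEAF="$WORK/www.example.com.pem"
issuer_of "$LEAF"
echo "trust list without issuing CA: $(classify "$WORK/other-ca.pem" "$LEAF")"
echo "trust list with issuing CA:    $(classify "$WORK/internal-ca.pem" "$LEAF")"
```

A result of `other` means the certificate fails for a reason unrelated to issuer trust, so neither adding the CA nor ignoring the untrusted issuer would be the right fix.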
Solution 3: Tunnel the traffic
When traffic is forced into a tunnel, the proxy does not perform server certificate verification. How this is done depends on whether the deployment is Explicit or Transparent.
Explicit:
Transparent: