Not able to use detect_protocol.ssl(no) to bypass SSL Interception

Article ID: 167755

Products

ProxySG Software - SGOS

Issue/Introduction

You may already be using the CPL policy detect_protocol.ssl(no) to exempt certain sites from SSL interception.

Since SGOS 6.5, the SSL proxy can handle protocols other than HTTPS (see the CPL Guide for more information on the other protocols).

Environment

After upgrading to SGOS 6.5

Resolution

In order to bypass SSL Interception for certain sites, you can use ssl.forward_proxy(no) (within an SSL-Intercept layer) instead of detect_protocol.ssl(no) (within a Proxy layer). In the VPM, the CPL gesture ssl.forward_proxy(no) is called Disable SSL Interception.

If you wish to continue using detect_protocol.ssl(no) due to issues beyond SSL Interception (such as certificate look-up failure), update the CPL to:

    <proxy>
    detect_protocol [ssl,https](no)

Note: If ProxySG is running SGOS release 6.5.9.14, 6.5.9.15, 6.5.10.1 or 6.5.10.3, change 'detect_protocol [ssl,https](no)' to 'detect_protocol [ssl,https,sips,sip](no)'. See article TECH246796 for more details.
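To find rules that still need this change after an upgrade, exported policy text can be scanned for SSL-detection bypasses that do not name https. The script below is an added example, not Symantec/Broadcom code: the line-based CPL parsing (';' comments, layer headers in angle brackets), the url.domain conditions and the hostnames in the sample policy are assumptions made for illustration.

```python
import re

# detect_protocol.ssl(no) and detect_protocol [ssl,https](no) forms, as written on this page.
GESTURE = re.compile(r"detect_protocol\s*(?:\.(\w+)|\[([^\]]*)\])\s*\(\s*no\s*\)", re.I)
LAYER = re.compile(r"^\s*<\s*([\w-]+)[^>]*>")
ADVICE = ("covers ssl but not https: use ssl.forward_proxy(no) in an SSL-Intercept "
          "layer, or detect_protocol [ssl,https](no)")


def audit_cpl(policy_text):
    """Return (line_no, layer, protocols, advice) for every rule that turns off
    SSL detection without also naming https."""
    findings, layer = [], None
    for line_no, raw in enumerate(policy_text.splitlines(), 1):
        # Assumption: ';' begins a comment and never appears inside a quoted value.
        line = raw.split(";", 1)[0]
        header = LAYER.match(line)
        if header:
            layer = header.group(1).lower()  # remember which layer the rule sits in
        for g in GESTURE.finditer(line):
            names = g.group(1) or g.group(2)
            protos = sorted({p.strip().lower() for p in names.split(",") if p.strip()})
            if "ssl" in protos and "https" not in protos:
                findings.append((line_no, layer, protos, ADVICE))
    return findings


# Constructed sample policy; the hostnames are placeholders.
SAMPLE = """\
; constructed example policy
<Proxy>
    url.domain=bank.example detect_protocol.ssl(no)
    url.domain=clinic.example detect_protocol [ssl,https](no)
    ; url.domain=old.example detect_protocol.ssl(no)
<SSL-Intercept>
    url.domain=payroll.example ssl.forward_proxy(no)
"""

if __name__ == "__main__":
    for line_no, layer, protos, advice in audit_cpl(SAMPLE):
        print(f"line {line_no} <{layer}> detect_protocol {protos}: {advice}")
```

On the SGOS releases named in the note above, a rule that already lists ssl and https still needs sips and sip added by hand; this script does not check for that.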

In SGOS version 6.5.5.1 and later, setting the Disable SSL Detection object in the VPM to the "All Tunneled Traffic" option automatically includes the new HTTPS option described above. However, an upgrade does not add this to existing policy. You need to manually set this object in policy to include the new HTTPS option.

Here are the steps for setting this object in the VPM:

  1. In the management console, go to Configuration > Policy > Visual Policy Manager and click Launch.
  2. On a Web Access Layer, right-click in the Action field of a rule and select Set.
  3. Click the New button and select Disable SSL Detection... (you will then see a dialog box as shown below).
  4. With the All Tunneled Traffic option selected (which will include HTTPS), click OK.
  5. Click OK in the Set Action Object box.
  6. Click Install Policy.

      [Image: Disable SSL Detection dialog box]