In many networks, business-critical applications send traffic over port 80 because it is used as a generic route through the firewall. However, the ProxySG appliance HTTP proxy engine encounters problems when it receives non-HTTP requests from clients or browsers. The client receives an exception page and the connection closes.
The following deployment operations create this situation:
The ProxySG appliance provides an option that enables the HTTP proxy to tunnel the connection when it receives non-HTTP traffic or a broken HTTP request. The transactions remain labeled as HTTP; therefore, the access logs and the Traffic Mix and Active Sessions statistics display TCP TUNNELED to indicate when a connection passed through the HTTP proxy engine.
For the SSL proxy engine, the Tunnel on Protocol Error option applies when non-SSL traffic arrives at the SSL port (443 by default). A common scenario that causes this is having peer-to-peer applications (Skype, viz, BitTorrent, Gnutella, older AOL-IM) configured to enable port 443 for peer-to-peer traffic without SSL set as the transport protocol. A ProxySG appliance transparently intercepting all 443 traffic cannot process these connections, rendering the application unusable.
This setting can only be configured globally in the following location in the Management Console:
Configuration > Proxy Settings > General > Tunnel on Protocol Error
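What "non-HTTP" on port 80 and "non-SSL" on port 443 look like at the byte level, as an added example (not ProxySG code and not its actual detection logic): a classifier over the first bytes a client sends. The function names and sample payloads are hypothetical and constructed for illustration.

```python
import re

# Illustrative only: an assumed first-bytes check, not how the appliance decides.
# Request line: method token, SP, request-target, SP, HTTP-version.
_HTTP_REQUEST_LINE = re.compile(
    rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ [^ \r\n]+ HTTP/\d\.\d\r?\n"
)


def looks_like_http_request(first_bytes: bytes) -> bool:
    """True if the client's first bytes begin with a well-formed HTTP request line."""
    return _HTTP_REQUEST_LINE.match(first_bytes) is not None


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the bytes begin with a TLS handshake record carrying a ClientHello."""
    if len(first_bytes) < 6:
        return False
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    handshake_type = first_bytes[5]
    # 0x16 = handshake record; 0x03 0x00..0x04 = SSL 3.0 through TLS 1.3
    # record versions; 0x01 = ClientHello.
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and handshake_type == 0x01)


def classify(port: int, first_bytes: bytes) -> str:
    """Return 'expected-protocol' or 'protocol-error' for a new client connection."""
    checks = {80: looks_like_http_request, 443: looks_like_tls_client_hello}
    check = checks.get(port)
    if check is None:
        raise ValueError(f"no protocol expectation defined for port {port}")
    return "expected-protocol" if check(first_bytes) else "protocol-error"


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8),  # BitTorrent handshake prefix
    (80, b"GET /a b HTTP/1.1\r\n"),  # broken: unencoded space in request-target
    (443, bytes.fromhex("160301002e0100002a0303")),  # TLS record + ClientHello header
    (443, b"\x13BitTorrent protocol" + b"\x00" * 8),  # peer-to-peer traffic on 443
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, data[:20], "->", classify(port, data))
```

Connections classified as `protocol-error` are the ones that receive an exception page when the option is off and pass through as a tunnel when it is on.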