When the "Enable SSL interception with automatic protocol detection" SSL interception option is selected in SGOS 6, why is a URL with a path like https://www.bluecoat.com/support-services denied?

Article ID: 168702

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

When performing SSL interception, two of the available options are:

  • Enable HTTPS interception

  • Enable SSL interception with automatic protocol detection

If you would like to allow https://www.bluecoat.com/support-services and at the same time deny https://www.bluecoat.com, select the second option above and use the following policy:

<ssl-intercept>
    ssl.forward_proxy(yes) detect_protocol(all) ssl.forward_proxy.issuer_keyring(default)

<ssl>
    ALLOW server_url.domain=//www.bluecoat.com/support-services
    DENY url.domain=//www.bluecoat.com/

Even with this policy in place, the URL https://www.bluecoat.com/support-services will be denied.

However if you select the first option ("Enable HTTPS interception") and use the policy above, browsing to https://www.bluecoat.com/support-services will be allowed, which is expected.

Resolution

The reason is that when the second option is selected, the ProxySG appliance first evaluates the policy against the tunnel URL:

"ssl://www.bluecoat.com:443/"

before it evaluates the actual request URL, https://www.bluecoat.com/support-services. The tunnel URL carries no path, so it does not match the ALLOW rule for //www.bluecoat.com/support-services, but it does match DENY url.domain=//www.bluecoat.com/, and the connection is denied before the actual URL is ever seen.

When the first option ("Enable HTTPS interception") is selected, the actual request URL, https://www.bluecoat.com/support-services, is the first URL evaluated against the policy, so the ALLOW rule matches.
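To make the evaluation order concrete, the following is an added Python model of the <ssl> layer above; it is not ProxySG code, and its url.domain matching (host suffix plus path prefix, with server_url.domain treated the same as url.domain) is a simplifying assumption rather than the appliance's implementation.

```python
from urllib.parse import urlsplit

# The <ssl> layer from the article, evaluated first-match-wins.
SSL_LAYER = [
    ("ALLOW", "//www.bluecoat.com/support-services"),  # server_url.domain=
    ("DENY", "//www.bluecoat.com/"),                   # url.domain=
]

def domain_matches(pattern, url):
    """Simplified CPL url.domain=//host/path match (assumption, not SGOS code):
    the URL host must equal the pattern host or be a subdomain of it, and the
    URL path must equal the pattern path or sit below it."""
    phost, _, ppath = pattern.lstrip("/").partition("/")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    prefix = "/" + ppath.strip("/")
    host_ok = host == phost or host.endswith("." + phost)
    path_ok = path == prefix or path.startswith(prefix.rstrip("/") + "/")
    return host_ok and path_ok

def evaluate(url, rules=SSL_LAYER):
    """Return the verdict of the first rule that matches, ALLOW if none does
    (the default verdict is an assumption of this model)."""
    for verdict, pattern in rules:
        if domain_matches(pattern, url):
            return verdict
    return "ALLOW"

def transaction_verdict(request_url, protocol_detection):
    """Model both interception modes. Returns (verdict, url_that_decided).
    With automatic protocol detection the tunnel URL ssl://host:port/ is
    evaluated first; a DENY there ends the transaction before the actual
    request URL is seen. Without it, the request URL is evaluated directly."""
    parts = urlsplit(request_url)
    if protocol_detection:
        tunnel_url = f"ssl://{parts.hostname}:{parts.port or 443}/"
        verdict = evaluate(tunnel_url)
        if verdict == "DENY":
            return verdict, tunnel_url
    return evaluate(request_url), request_url

if __name__ == "__main__":
    target = "https://www.bluecoat.com/support-services"
    print("protocol detection:", transaction_verdict(target, True))
    print("HTTPS interception:", transaction_verdict(target, False))
```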