When the "Enable SSL interception with automatic protocol detection" SSL interception option is selected in SGOS 6, why is a URL with a path like https://www.bluecoat.com/support-services denied?
Article ID: 168702
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
When performing SSL interception, two of the available options are:
-
Enable HTTPS interception
-
Enable SSL interception with automatic protocol detection
If you would like to allow https://www.bluecoat.com/support-services, and at the same time deny https://www.bluecoat.com, select the second option above, and use the following policy:
<ssl-intercept>
ssl.forward_proxy(yes) detect_protocol(all) ssl.forward_proxy.issuer_keyring(default)
<ssl>
ALLOW server_url.domain=//www.bluecoat.com/support-services
DENY url.domain=//www.bluecoat.com/
The URL https://www.bluecoat.com/support-services will be denied.
However if you select the first option ("Enable HTTPS interception") and use the policy above, browsing to https://www.bluecoat.com/support-services will be allowed, which is expected.
Resolution
The reason is, when you select the second option, the ProxySG appliance will use this URL:
"ssl://www.bluecoat.com:443/"
​first to evaluate against the policy, before sending the actual URL: https://www.bluecoat.com/support-services.
When you select the first option ("Enable HTTPS interception"), the actual URL request: https://www.bluecoat.com/support-services was sent first to evaluate the policy.
Feedback
Yes
No
Powered by
