When the "Enable SSL interception with automatic protocol detection" SSL interception option is selected in SGOS 6, why is a URL with a path like https://www.bluecoat.com/support-services denied?

Article Id: 168702

Status: Published

Updated On: 26-09-2017 13:24

Legacy Id: TECH245391

Products:

ProxySG Software - SGOS

Issue/Introduction:

When performing SSL interception, two of the available options are:

Enable HTTPS interception
Enable SSL interception with automatic protocol detection

If you would like to allow https://www.bluecoat.com/support-services, and at the same time deny https://www.bluecoat.com, select the second option above, and use the following policy:

<ssl-intercept>
    ssl.forward_proxy(yes) detect_protocol(all) ssl.forward_proxy.issuer_keyring(default)

<ssl>
    ALLOW server_url.domain=//www.bluecoat.com/support-services
    DENY url.domain=//www.bluecoat.com/

The URL https://www.bluecoat.com/support-services will be denied.

However if you select the first option ("Enable HTTPS interception") and use the policy above, browsing to https://www.bluecoat.com/support-services will be allowed, which is expected.

Resolution:

The reason is, when you select the second option, the ProxySG appliance will use this URL:

"ssl://www.bluecoat.com:443/"

first to evaluate against the policy, before sending the actual URL: https://www.bluecoat.com/support-services.

When you select the first option ("Enable HTTPS interception"), the actual URL request: https://www.bluecoat.com/support-services was sent first to evaluate the policy.