With DRTR enabled, HTTPS requests on port 80 are not being tunneled when protocol detection is disabled and the url category is allowed

Article ID: 168726

Products

Asset Management Solution ProxySG Software - SGOS

Issue/Introduction

Starting in SGOS 6.5.7.5, access to secure HTTP (HTTPS) sites is denied although the sites are allowed via policy.

Cause

This issue is caused by a timing bug in policy evaluation in SGOS that occurs under the following conditions:
  • The ProxySG appliance has DRTR enabled
  • The appliance has protocol detection disabled
  • Users are accessing HTTPS sites over a non-standard port, such as port 80 instead of port 443

Resolution


 

Workaround

Install the following policy to force the appliance to TCP tunnel the connection (no SSL interception) while still detecting the initial protocol on CONNECT requests to port 80 and handing the connection off to the correct worker.

; Do not intercept SSL; tunnel the connection instead.
<ssl-intercept>
    ssl.forward_proxy(no)

; For explicit CONNECT requests to port 80, detect whether the tunneled
; traffic is SSL or HTTP so it is handed to the correct worker.
<proxy>
    http.method=CONNECT url.port=80 detect_protocol(ssl,http)
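The following script is an added example for verifying the workaround from a client; it is not part of the article and not ProxySG code. It reproduces the client side of the scenario above against an explicit proxy: it sends a CONNECT for the target host on port 80, checks the proxy's response status, and then completes a TLS handshake inside the tunnel. PROXY_HOST, PROXY_PORT and TARGET_HOST are placeholders you must replace with your own values; the request builder and response parser are separated out so they can be checked without network access.

```python
"""Check whether an explicit proxy tunnels an HTTPS request sent to port 80.

Added example, not from the KB article. PROXY_HOST, PROXY_PORT and
TARGET_HOST are placeholders to replace with your own values.
"""
import socket
import ssl
import sys

PROXY_HOST = "proxy.example.internal"  # placeholder: your explicit proxy
PROXY_PORT = 8080                      # placeholder: its explicit HTTP port
TARGET_HOST = "www.example.com"        # placeholder: HTTPS site listening on port 80
TARGET_PORT = 80                       # the non-standard HTTPS port from the article


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request an explicit-proxy client sends to open a tunnel."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> tuple:
    """Return (status code, reason phrase) from the proxy's CONNECT response.

    The proxy's reply ends at the first empty line; anything after it already
    belongs to the tunnel and must not be interpreted as part of the reply.
    """
    head, sep, _rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT response")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def read_connect_response(sock: socket.socket) -> bytes:
    """Read from the proxy until the CONNECT response headers are complete."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return buf


def check_https_over_port_80() -> bool:
    """Open the tunnel through the proxy and complete a TLS handshake in it.

    A non-200 CONNECT status means the proxy refused the tunnel (the denial the
    article describes). A 200 followed by a failed handshake means the tunnel
    was opened but the traffic was not handed to the SSL worker.
    """
    with socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10) as sock:
        sock.sendall(build_connect_request(TARGET_HOST, TARGET_PORT))
        status, reason = parse_connect_response(read_connect_response(sock))
        if status != 200:
            print(f"CONNECT refused by proxy: {status} {reason}")
            return False
        # Tunnel is up: negotiate TLS end to end with the origin server.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=TARGET_HOST) as tls:
            print(f"TLS handshake OK ({tls.version()}) to {TARGET_HOST}:{TARGET_PORT}")
            return True


if __name__ == "__main__":
    sys.exit(0 if check_https_over_port_80() else 1)
```

Run it before and after installing the workaround policy: a refused CONNECT or a failed handshake before, and a completed handshake after, confirms the tunnel is being handed to the SSL worker.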