With DRTR enabled, HTTPS requests on port 80 are not being tunneled when protocol detection is disabled and the URL category is allowed
Article ID: 168726
Products
Asset Management Solution
ProxySG Software - SGOS
Issue/Introduction
Starting in SGOS 6.5.7.5, access to secure HTTP (HTTPS) sites is denied although the sites are allowed via policy.
Cause
This issue is caused by a timing bug in policy evaluation in SGOS, under the following conditions:
- The ProxySG appliance has DRTR enabled
- The appliance has protocol detection disabled
- Users are trying to access HTTPS sites over a non-standard port, such as port 80 instead of port 443
Resolution
Workaround
Install the following policy to force the appliance to TCP tunnel the traffic, but still detect the initial protocol and hand it off to the correct worker:
<ssl-intercept>
ssl.forward_proxy(no)
<proxy>
http.method=CONNECT url.port=80 detect_protocol(ssl,http)
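To confirm from the client side that the workaround takes effect, the following added Python check (not from the article or from SGOS) sends a CONNECT for an HTTPS site on port 80 to the proxy and then attempts a TLS handshake inside the tunnel. The proxy address and target host are assumptions you substitute; a 200 reply with a completed handshake means the request was tunneled, anything else is the denial this article describes.

```python
import socket
import ssl


def build_connect_request(host, port):
    """Build the CONNECT request a client sends to the proxy for an HTTPS site on a non-standard port."""
    return "CONNECT {0}:{1} HTTP/1.1\r\nHost: {0}:{1}\r\n\r\n".format(host, port).encode("ascii")


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's reply to CONNECT; raise on a malformed reply."""
    head = raw.partition(b"\r\n\r\n")[0]
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def check_https_over_port(proxy_host, proxy_port, target_host, target_port=80, timeout=10.0):
    """Open a CONNECT tunnel through the proxy, then start TLS inside it.

    Returns a dict describing whether the proxy tunneled the request and,
    if it did, which TLS version the handshake negotiated.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        reply = b""
        while b"\r\n\r\n" not in reply:  # read until the end of the proxy's response headers
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering CONNECT")
            reply += chunk
        status, reason = parse_connect_response(reply)
        if status != 200:
            # The proxy refused the tunnel (e.g. a policy denial page); nothing to hand off to SSL.
            return {"tunneled": False, "status": status, "reason": reason}
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
            return {"tunneled": True, "status": status, "tls_version": tls.version()}


if __name__ == "__main__":
    # Assumed addresses; replace with your ProxySG and a site served over HTTPS on port 80.
    print(check_https_over_port("proxy.example.internal", 8080, "secure.example.com", 80))
```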