Web Security Service (WSS) group or user based rules are not working for HTTPS sites
Article ID: 171451
Updated On: 10-01-2024
Products
Cloud Secure Web Gateway - Cloud SWG
Data Loss Prevention Cloud Detection Service for ICAP
Issue/Introduction
When a WSS Content Filtering policy rule based on an Active Directory group or username is created to block (or allow) a certain HTTPS site, the rule is not applied correctly. The rule works for the HTTP (non-secure) version of the site, but the same rule does NOT block (or allow) the HTTPS version of that site.
Cause
The policy verdict is not applied because SSL Interception is not working for this HTTPS site. The Web Security Service (WSS) needs to inspect the contents of the HTTPS traffic in order to correctly apply a policy rule that is based on user or group.
Resolution
Within the Web Security Service portal:
Make sure SSL Interception is enabled and the WSS Root CA certificate has been distributed to endpoints.
Check the configuration within the WSS portal (Policy > TLS/SSL Interception > TLS/SSL Interception Policy).
In Destinations, make sure the site is not exempted by URL, category, or IP/subnet.
In Sources, make sure your location, user, subnet/IP or access method is not defined as an exemption.
Additionally, check for any object defined under Policy > Threat Protection > Trusted Sources / Destinations.
For any URL, IP or network object defined here, SSL interception is effectively disabled. For example, if subnet 172.16.0.0/16 is defined under Trusted Sources, all traffic coming from clients on this subnet is exempted from inspection, which breaks user or group based policies.
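The checks above can be run against a hand-copied list of exemption objects to see which entry takes a given request out of inspection. This is an added example, not Broadcom code or a WSS API: the `EXEMPTIONS` layout, the function names and all sample entries other than 172.16.0.0/16 are assumptions, and category, user and access-method exemptions are not modeled.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample, transcribed by hand from the portal pages named above.
# The (location, side, entries) layout is an assumption, not a WSS export format.
EXEMPTIONS = [
    ("TLS/SSL Interception Policy > Sources", "source", ["10.20.30.0/24"]),
    ("TLS/SSL Interception Policy > Destinations", "destination",
     ["*.bank.example", "203.0.113.0/24"]),
    ("Threat Protection > Trusted Sources", "source", ["172.16.0.0/16"]),
    ("Threat Protection > Trusted Destinations", "destination",
     ["updates.vendor.example"]),
]


def entry_covers(entry, value):
    """Return True if an exemption entry (CIDR, IP or host pattern) covers value."""
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an IP or subnet: treat the entry as a case-insensitive host pattern.
        return fnmatch(value.lower(), entry.lower())
    try:
        return ipaddress.ip_address(value) in network
    except ValueError:
        return False  # a hostname never matches an IP/subnet entry


def interception_bypasses(client_ip, dest_host, dest_ip, exemptions=EXEMPTIONS):
    """List every (location, entry) that would exempt this request from inspection."""
    hits = []
    for location, side, entries in exemptions:
        values = [client_ip] if side == "source" else [dest_host, dest_ip]
        for entry in entries:
            if any(entry_covers(entry, v) for v in values):
                hits.append((location, entry))
    return hits


if __name__ == "__main__":
    # Client on the 172.16.0.0/16 subnet from the example above.
    for location, entry in interception_bypasses(
            "172.16.5.9", "intranet.example", "198.51.100.7"):
        print(f"not intercepted: {entry} under {location}")
```

An empty result means none of the listed objects explains the bypass, so the remaining checks are whether SSL Interception is enabled and whether the WSS Root CA certificate is present on the endpoint.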