Web categorization does not function when Web Isolation Platform's next-hop proxy intercepts SSL traffic


Article ID: 171650


Products

Web Isolation

Issue/Introduction

These instructions apply to both new and upgrading customers, but only if your environment meets all of the following conditions:

  • Web Isolation Platform's next-hop proxy intercepts SSL traffic
  • Policy rules contain website categorization, i.e., URL Categories or Risk Levels
  • Web Isolation Platform is subscribed to the Symantec Global Intelligence Network (GIN)

A policy rule that contains a website categorization object (URL Categories or Risk Levels) shows the following warning message (see attachment):

"Failed to access Symantec Global Intelligence Network (internal error: -2006)"

Cause

The secured communication between the Symantec Threat Isolation Gateway (STIG) and the Symantec Global Intelligence Network (GIN) uses a client certificate, so it must not be intercepted.

Resolution

The next-hop proxy must not intercept SSL for traffic that matches the following criteria:

  • Source: All Symantec Threat Isolation Gateways
  • Destination Hosts: webpulse.es.bluecoat.com, subscription.es.bluecoat.com

 

Specific instructions for ProxySG:

  1. Add the following rule to the SSL Intercept Layer:
       • Source: All Symantec Threat Isolation Gateways
       • Destination Hosts: webpulse.es.bluecoat.com, subscription.es.bluecoat.com
       • Action: Disable SSL Interception
  2. Add the following rule to the SSL Access Layer:
       • Source: All Symantec Threat Isolation Gateways
       • Destination Hosts: webpulse.es.bluecoat.com, subscription.es.bluecoat.com
       • Action: Disable server certificate validation
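One way to confirm from a Threat Isolation Gateway that the bypass took effect, as an added example that is not part of the original article or any Symantec tooling: handshake with each GIN host while trusting only the proxy's interception CA. The function names, the `proxy_ca_pem` path and the optional explicit-proxy address are assumptions; the PEM file is assumed to hold the interception issuer certificate together with any parent CAs.

```python
import socket
import ssl

# Destination hosts from the article's bypass rule.
GIN_HOSTS = ("webpulse.es.bluecoat.com", "subscription.es.bluecoat.com")


def classify(error):
    """Verdict for a handshake made while trusting ONLY the proxy's interception CA."""
    if error is None:
        return "intercepted"      # chain validated against the proxy CA
    if isinstance(error, ssl.SSLCertVerificationError):
        return "not-intercepted"  # issued by some other CA: bypass works
    return "inconclusive"         # handshake failed for an unrelated reason


def probe(host, proxy_ca_pem, proxy=None, port=443, timeout=10):
    """Handshake with host; proxy is an optional (addr, port) explicit next hop.

    Leave proxy=None when the next-hop proxy is transparent (hypothetical helper).
    """
    ctx = ssl.create_default_context(cafile=proxy_ca_pem)  # proxy CA is the only anchor
    ctx.check_hostname = False  # only the issuing CA matters for this check
    try:
        with socket.create_connection(proxy or (host, port), timeout=timeout) as raw:
            if proxy:
                raw.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\n"
                            f"Host: {host}:{port}\r\n\r\n".encode())
                reply = b""
                while b"\r\n\r\n" not in reply:
                    chunk = raw.recv(4096)
                    if not chunk:
                        break
                    reply += chunk
                if b" 200" not in reply.split(b"\r\n", 1)[0]:
                    return "inconclusive"
            with ctx.wrap_socket(raw, server_hostname=host):
                return classify(None)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc)


def check_gin_bypass(proxy_ca_pem, proxy=None):
    """Return {host: verdict} for both GIN hosts."""
    return {h: probe(h, proxy_ca_pem, proxy) for h in GIN_HOSTS}
```

A verdict of "intercepted" for either host means the SSL Intercept Layer rule is not matching that gateway's traffic.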

Attachments