1. Detect Protocol is enabled on the ProxySG for Explicit Deployment
2. Users receive "Access Denied (policy_denied)" from the ProxySG when the users make HTTPS requests to blocked websites. However, the ProxySG is attempting to connect to the servers.
When Detect Protocol is enabled, HTTPS traffic is forwarded to the SSL proxy for processing, the brief SSL processing is:
1. Client sends "Client Hello" to Proxy, Proxy sends "Client Hello" to Website
2. Website sends "Server Hello" and "Server Certificate" to Proxy
3. Proxy sends "Server Hello" and "Server Certificate" to Client, or "Emulate Certificate" to Client if SSL Intercept is enabled
4. Client sends "HTTP Request" to Proxy over the SSL Connection
5. Proxy applies SSL Access and HTTP Policy to the traffic
HTTP Policy is applied after the SSL handshake between the ProxySG and the blocked websites is complete (step 2.). The ProxySG establishes SSL connection mainly for the purpose of fetching the server certificate. No requests from clients is passed to the server at this stage. Data transfer will only happen if the step no. 5 allows it.
The specific situation does not apply to HTTP traffic is because the traffic flow does not include the SSL Handshake or a need for certificate emulation.
The only way to prevent the ProxySG to establish SSL Handshake with blocked websites is to disable Detect Protocol on the blocked websites, then HTTPS traffic will not be forwarded to the SSL proxy for processing.
Please note: When Detect Protocol is disabled, the HTTPS traffic will be processed by the HTTP proxy. The HTTP proxy is not able to handle HTTPS exception. Therefore, when users make HTTPS requests to blocked websites, they are blocked by the HTTP proxy, but they do not receive error message "Access Denied (policy_denied)" from the ProxySG. Instead, users see error message from browsers such as "The proxy server isn't responding", "The site can't be reached... ERR_CONNECTION_RESET", or "Secure Connection Failed".