ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

The ProxySG communicates with websites that are blocked even though client receives a "Access Denied (policy_denied)" response from the ProxySG

book

Article ID: 172144

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

1. Detect Protocol is enabled on the ProxySG for Explicit Deployment

2. Users receive "Access Denied (policy_denied)" from the ProxySG when the users make HTTPS requests to blocked websites. However, the ProxySG is attempting to connect to the servers.

Cause

HTTP Policy is applied after the SSL handshake between the ProxySG and the blocked websites is complete (step 2.). The ProxySG establishes SSL connection mainly for the purpose of fetching the server certificate. No requests from clients is passed to the server at this stage. Data transfer will only happen if the step no. 5 allows it.

The specific situation does not apply to HTTP traffic is because the traffic flow does not include the SSL Handshake or a need for certificate emulation.

Environment

When Detect Protocol is enabled, HTTPS traffic is forwarded to the SSL proxy for processing,  the brief SSL processing is:

1. Client sends "Client Hello" to Proxy, Proxy sends "Client Hello" to Website

2. Website sends "Server Hello" and "Server Certificate" to Proxy

3. Proxy sends "Server Hello" and "Server Certificate" to Client, or "Emulate Certificate" to Client if SSL Intercept is enabled

4. Client sends "HTTP Request" to Proxy over the SSL Connection

5. Proxy applies SSL Access and HTTP Policy to the traffic

 

Resolution

The only way to prevent the ProxySG to establish SSL Handshake with blocked websites is to disable Detect Protocol on the blocked websites, then HTTPS traffic will not be forwarded to the SSL proxy for processing.

Please note: When Detect Protocol is disabled, the HTTPS traffic will be processed by the HTTP proxy. The HTTP proxy is not able to handle HTTPS exception. Therefore, when users make HTTPS requests to blocked websites, they are blocked by the HTTP proxy, but they do not receive error message "Access Denied (policy_denied)" from the ProxySG. Instead, users see error message from browsers such as "The proxy server isn't responding", "The site can't be reached... ERR_CONNECTION_RESET", or "Secure Connection Failed".