After upgrading to a version of SGOS 6.7.4 with ssl.forward_proxy(https) configured in policy, some sites that users were allowed to access before the upgrade are now denied.
In 6.7.4, when ssl.forward_proxy(https) is configured in policy, some force_exception policy rules might deny requests that were allowed in earlier versions of SGOS.
These requests are denied because the following happens when the ProxySG appliance evaluates policy:
In previous versions, the policy condition was not evaluated during SSL.
The following is an example of policy that allows requests from Chrome in SGOS 6.7.3 and earlier, but denies them in SGOS 6.7.4.
To prevent HTTP requests from being denied unintentionally, add a guard to policy layers that have force_exception rules for HTTP request conditions. The guard ensures the layer is not evaluated during SSL interception. The following is an example of a guard: