
After Upgrading to SGOS 6.7.4 and Configuring HTTPS Forward Proxy, Some Sites that were Allowed in 6.7.3 are Now Denied


Article ID: 174726




Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


After upgrading to a version of SGOS 6.7.4 with ssl.forward_proxy(https) configured in policy, some sites that users were allowed to access before the upgrade are now denied.


In 6.7.4, when ssl.forward_proxy(https) is configured in policy, some force_deny and force_exception policy rules might deny requests that were allowed in earlier versions of SGOS. 

These requests are denied because the following happens when the ProxySG appliance evaluates policy:

  1. The ProxySG appliance intercepts SSL connections using HTTPS forward proxy.
  2. The appliance evaluates a policy condition that requires information from an HTTP request; however, during SSL interception, HTTP request information is unavailable.
  3. Because the appliance cannot retrieve the HTTP request information, it enforces the force_deny or force_exception rule.

In previous versions, the policy condition was not evaluated during SSL interception.


The following is an example of a policy rule that allows requests from Chrome in SGOS 6.7.3 and earlier, but denies them in SGOS 6.7.4.


   request.header.User-Agent.substring="Chrome" allow



To prevent HTTP requests from being denied unintentionally, add a guard to policy layers that have force_deny or force_exception rules for HTTP request conditions. The guard ensures the layer is not evaluated during SSL interception.

Note: These rules are still evaluated while the ProxySG appliance processes the HTTPS request inside SSL.

The following is an example of a guard:


  <proxy> client.protocol=!ssl
      request.header.User-Agent.substring="Chrome" allow
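
To find the layers that need this guard before or after an upgrade, a policy file can be audited offline. The script below is an added example, not Symantec or Broadcom code. It assumes a simplified view of CPL (one rule per line, `;` comments, layers only, no `define` blocks) and treats only `request.header.*` as an HTTP request condition; the function name and the sample policy are constructed for illustration.

```python
import re

# Constructed sample policy for illustration; not taken from a real appliance.
SAMPLE_POLICY = """\
; layer 1: no guard, force_deny sits beside an HTTP request header condition
<proxy>
    request.header.User-Agent.substring="Chrome" allow
    force_deny

; layer 2: the same rules behind the guard from the article
<proxy> client.protocol=!ssl
    request.header.User-Agent.substring="Chrome" allow
    force_deny

; layer 3: force_exception, but no HTTP request condition
<proxy>
    client.address=10.0.0.0/8 force_exception(policy_denied)
"""

LAYER_RE = re.compile(r"^<\s*[A-Za-z-]+[^>]*>(.*)$")        # layer header plus guard
GUARD_RE = re.compile(r"client\.protocol\s*=\s*!\s*ssl\b", re.I)
FORCE_RE = re.compile(r"\bforce_(?:deny|exception)\b", re.I)
# Assumption: request.header.* is the only HTTP request condition checked,
# because it is the one the article names. Extend the pattern as needed.
HTTP_COND_RE = re.compile(r"\brequest\.header\.", re.I)
COMMENT_RE = re.compile(r'("[^"]*")|;.*')                   # keep ';' inside quotes

def unguarded_layers(policy_text):
    """Return [(line_no, header)] for layers that need the SSL guard."""
    layers = []
    for no, raw in enumerate(policy_text.splitlines(), 1):
        line = COMMENT_RE.sub(lambda m: m.group(1) or "", raw).strip()
        if not line:
            continue
        m = LAYER_RE.match(line)
        if m:
            layers.append({"line": no, "header": line, "force": False,
                           "http": False,
                           "guarded": bool(GUARD_RE.search(m.group(1)))})
        elif layers:
            layers[-1]["force"] |= bool(FORCE_RE.search(line))
            layers[-1]["http"] |= bool(HTTP_COND_RE.search(line))
    return [(l["line"], l["header"]) for l in layers
            if l["force"] and l["http"] and not l["guarded"]]

if __name__ == "__main__":
    for line_no, header in unguarded_layers(SAMPLE_POLICY):
        print(f"line {line_no}: {header} needs a client.protocol=!ssl guard")
```

A layer is reported only when it combines a force_deny or force_exception rule with an HTTP request condition and its header lacks the guard, which matches the remediation scope described above.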