search cancel

After Upgrading to SGOS 6.7.4 and Configuring HTTPS Forward Proxy, Some Sites that were Allowed in 6.7.3 are Now Denied

book

Article ID: 174726

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

After upgrading to a version of SGOS 6.7.4 with ssl.forward_proxy(https) configured in policy, some sites that users were allowed to access before the upgrade are now denied.

Cause

In 6.7.4, when ssl.forward_proxy(https) is configured in policy, some force_deny and force_exception policy rules might deny requests that were allowed in earlier versions of SGOS. 

These requests are denied because the following happens when the ProxySG appliance evaluates policy:

  1. The ProxySG appliance intercepts SSL connections using HTTPS forward proxy.
  2. The appliance evaluates a policy condition that requires information from an HTTP request; however, during SSL interception, HTTP request information is unavailable.
  3. Because the appliance cannot retrieve the HTTP request information, it enforces the force_deny or force_exception rule.

In previous versions, the policy condition was not evaluated during SSL.

Example

The following is an example of policy that allows requests from Chrome in SGOS 6.7.3 and earlier, but denies them in SGOS 6.7.4.

  <ssl-intercept>
      ssl.forward_proxy(https)

  <proxy>
   request.header.User-Agent.substring="Chrome" allow
   force_deny

 

Resolution

To prevent HTTP requests from being denied unintentionally, add a guard to policy layers that have force_deny or force_exception rules for HTTP request conditions. The guard ensures the layer is not evaluated during SSL interception. The following is an example of a guard:

Note: These rules are still evaluated while the ProxySG appliance processes the HTTPS request inside SSL.

  <ssl-intercept>
     ssl.forward_proxy(https)

  <proxy> client.protocol=!ssl
      request.header.User-Agent.substring="Chrome" allow
      force_deny