SSL Interception on Edge SWG (ProxySG) based on User-Agent



Article ID: 176297


Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

When SSL interception policy is configured on the ProxySG, it performs what is functionally a man-in-the-middle of the SSL session. Unless the certificate the ProxySG uses for this is imported into the trust store of the browser or application, the application closes the connection from the client side, because it interprets the process as a network attack. Most browsers let you import your own SSL certificates; however, many other applications were not designed with this in mind and have a hard-coded SSL certificate trust chain. For those applications, SSL interception must be disabled.

Cause

Lack of ability to import SSL certificates into the client-side application.
 

Resolution

In explicit deployments, because the client must send the CONNECT to the proxy before the SSL handshake with the destination takes place, the proxy can always read the User-Agent header (if one exists) in either the CONNECT or the GET request, and from it deduce the application. Some applications send no User-Agent header at all; in those circumstances you can design policy so that SSL interception is applied only to known User-Agents, like so:

define condition KnownBrowsersIntercept
    ;;Chrome
    http.connect.User-Agent.regex="Gecko\) Chrome/\d+(\.\d+)+ Safari/\d+(\.\d+)+$"
    ;;Firefox
    http.connect.User-Agent.regex="^Mozilla/\d+\..*Firefox/\d+\.\w+\.*\d*\.*\d*( \(\s*.NET CLR.*\)|)$"
    ;;Internet Explorer
    http.connect.User-Agent.regex="((?-i)MSIE [1-9]0?.\d+; Windows [^PC].*(\w\w-\w\w|P|T|U|;\s*|\d\w|\d(?<!WP\d))\)$)|(^Mozilla/\d+\.0 \(.*Trident/7.*rv:11.*\).*)"
    ;;Microsoft Edge
    http.connect.User-Agent.regex="^Mozilla/\d+\.0 \(Windows (Phone|NT).*\) AppleWebKit.*Chrome.*Safari.*Edge/\d+.*"
    ;;Netscape
    http.connect.User-Agent.regex="(^Mozilla/[234][^\(]*\([^c].*\)$)|(^Mozilla/5\.0[^\(]*\([^c].*Netscape[67]*/[6-9])|(^Mozilla/5\.0[^\(]*\([^c].*Navigator/9)"
    ;;Opera
    http.connect.User-Agent.regex="(^Opera[ /]\d+\..*)|(.*Opera[ /]\d+\.\d+( \[\w\w\])?$)"
    ;;Safari
    http.connect.User-Agent.regex="^Mozilla/[45]\.0 \((Windows|Macintosh|X11).*Version/\d+(\.\d+)* Safari/\d+(\.\d+)+$"
end condition KnownBrowsersIntercept
 
<ssl-intercept>

;;If User-Agent is not a known browser, do not SSL intercept
condition=!KnownBrowsersIntercept ssl.forward_proxy(no)
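The following Ruby script is an added example, not part of this article or of SGOS. It evaluates the KnownBrowsersIntercept regex set offline against constructed User-Agent strings and reports the resulting ssl-intercept decision, so a change to the patterns can be checked before it is installed. It assumes CPL header regex matching is an unanchored, case-sensitive, Perl-style search and that a missing User-Agent header makes every regex condition false.

```ruby
# Added example: offline check of the KnownBrowsersIntercept regex set above.
# Assumptions (not from the article): CPL header regex matching is an
# unanchored, case-sensitive, Perl-style search, and a missing User-Agent
# header makes every regex condition false.
KNOWN_BROWSER_PATTERNS = {
  'Chrome'            => 'Gecko\) Chrome/\d+(\.\d+)+ Safari/\d+(\.\d+)+$',
  'Firefox'           => '^Mozilla/\d+\..*Firefox/\d+\.\w+\.*\d*\.*\d*( \(\s*.NET CLR.*\)|)$',
  'Internet Explorer' => '((?-i)MSIE [1-9]0?.\d+; Windows [^PC].*(\w\w-\w\w|P|T|U|;\s*|\d\w|\d(?<!WP\d))\)$)|(^Mozilla/\d+\.0 \(.*Trident/7.*rv:11.*\).*)',
  'Microsoft Edge'    => '^Mozilla/\d+\.0 \(Windows (Phone|NT).*\) AppleWebKit.*Chrome.*Safari.*Edge/\d+.*',
  'Netscape'          => '(^Mozilla/[234][^\(]*\([^c].*\)$)|(^Mozilla/5\.0[^\(]*\([^c].*Netscape[67]*/[6-9])|(^Mozilla/5\.0[^\(]*\([^c].*Navigator/9)',
  'Opera'             => '(^Opera[ /]\d+\..*)|(.*Opera[ /]\d+\.\d+( \[\w\w\])?$)',
  'Safari'            => '^Mozilla/[45]\.0 \((Windows|Macintosh|X11).*Version/\d+(\.\d+)* Safari/\d+(\.\d+)+$',
}.transform_values { |src| Regexp.new(src) }.freeze

# Name of the first pattern that matches, or nil. Mirrors the any-of semantics
# of the define condition block.
def matched_browser(user_agent)
  return nil if user_agent.nil? || user_agent.empty?
  KNOWN_BROWSER_PATTERNS.each { |name, re| return name if re.match?(user_agent) }
  nil
end

# The <ssl-intercept> rule: no known browser => ssl.forward_proxy(no), i.e. the
# CONNECT is tunnelled without interception.
def ssl_action(user_agent)
  matched_browser(user_agent) ? :intercept : :tunnel
end

# Constructed sample User-Agents (not captured traffic) covering both branches.
SAMPLE_USER_AGENTS = {
  'chrome'  => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
  'firefox' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0',
  'ie11'    => 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
  'curl'    => 'curl/8.4.0',
  'java'    => 'Java/17.0.2',
  'no_ua'   => nil,
}.freeze

# Decision per sample; run this before pushing a change to the regex set.
def policy_report(samples = SAMPLE_USER_AGENTS)
  samples.transform_values { |ua| [ssl_action(ua), matched_browser(ua)] }
end

if __FILE__ == $PROGRAM_NAME
  policy_report.each do |label, (action, browser)|
    puts format('%-8s %-10s %s', label, action, browser || '-')
  end
end
```

Anything that matches no pattern (command-line tools, Java clients, requests with no User-Agent header) falls through to ssl.forward_proxy(no), so review the report for traffic you expected to be intercepted and add a pattern for it rather than loosening the existing ones.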