SSL Interception on Edge SWG (ProxySG) based on User-Agent
search cancel

SSL Interception on Edge SWG (ProxySG) based on User-Agent


Article ID: 176297


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


When SSL interception policy is configured on the ProxySG, it performs what functionally is a Man-in-the-Middle attack on the SSL circuit.  Without importing the certificate the ProxySG is using to do this into the browser / application, the connection will be closed from client-side by the application since it is interpreting this process as a network attack.  In most browsers you can import your own SSL certificates; however many other applications were not designed with this feature in mind and have a hard coded SSL certificate trust chain.  For those applications SSL interception must be disabled.


Lack of ability to import SSL certificates into the client-side application.


In Explicit deployments, since the CONNECT must be sent to the proxy before the SSL handshake is done with the destination, the proxy is always able to detect the User-Agent header (if such a header exists) within either the CONNECT or GET request.  As such it is possible to deduce the application.  Some applications will not have a User-Agent header;  in those circumstances you could design policy around SSL intercepting only known User-Agents, like so:

define condition KnownBrowsersIntercept
    http.connect.User-Agent.regex="Gecko\) Chrome/\d+(\.\d+)+ Safari/\d+(\.\d+)+$"
    http.connect.User-Agent.regex="^Mozilla/\d+\..*Firefox/\d+\.\w+\.*\d*\.*\d*( \(\s*.NET CLR.*\)|)$"
    ;;Internet Explorer
    http.connect.User-Agent.regex="((?-i)MSIE [1-9]0?.\d+; Windows [^PC].*(\w\w-\w\w|P|T|U|;\s*|\d\w|\d(?<!WP\d))\)$)|(^Mozilla/\d+\.0 \(.*Trident/7.*rv:11.*\).*)"
    ;;Microsoft Edge
    http.connect.User-Agent.regex="^Mozilla/\d+\.0 \(Windows (Phone|NT).*\) AppleWebKit.*Chrome.*Safari.*Edge/\d+.*"
    http.connect.User-Agent.regex="(^Opera[ /]\d+\..*)|(.*Opera[ /]\d+\.\d+( \[\w\w\])?$)"
    http.connect.User-Agent.regex="^Mozilla/[45]\.0 \((Windows|Macintosh|X11).*Version/\d+(\.\d+)* Safari/\d+(\.\d+)+$"
end condition KnownBrowsersIntercept

;;If User-Agent is not a known browser, do not SSL intercept
condition=!KnownBrowsersIntercept ssl.forward_proxy(no)