[ALERT] Changes to the unsupported-sites list in SSLV 4.3.1.1

book

Article ID: 185091

calendar_today

Updated On:

Products

SSL Visibility Appliance Software

Issue/Introduction

Severity

Warning

Description

In SSLV 4.x versions prior to v4.3.1.1, the unsupported-sites list contains domains of sites known to have issues with SSL Visibility inspection rules, and a cut-through rule was recommended for this list so that SSL Visibility would not try to inspect them. The list contained Symantec-based sites as well as other known sites that had issues.
 
Starting with v4.3.1.1, the unsupported-sites list included in the release will contain the Symantec-based sites only. Domain names that do not reference the Symantec family of domains have been removed from the unsupported-sites list.  The domains removed are the following:
 
*.citrixonline.com
*.data.toolbar.yahoo.com
*.dropbox.com
*.fedoraproject.org
*.infra.lync.com
*.itunes.apple.com
*.logmein.com
*.mozilla.org
*.phonefactor.com
*.rhn.redhat.com
*.sls.microsoft.com
*.update.microsoft.com
*.windowsupdate.microsoft.com
account.live.com
courier.push.apple.com
courier.sandbox.push.apple.com
cyclops.iastate.edu
 
With this change, customers will need to create a custom domain name list of non-Symantec unsupported sites and create a cut-through rule for this list. Refer to the list above for sites that may need to be included in your list. The sites you choose to include are based on your company’s security posture, environment, supported client applications, and other factors contributing to the security policy, including the decision to cut through sites uninspected. 
 
Note that the unsupported-sites list of Symantec domains will be maintained by Symantec and will automatically be updated in future releases when necessary. This list is not editable by the user, but is viewable in the WebUI. Customers are responsible for maintaining their own custom domain list of unsupported sites, using KB INFO5078 as a reference.

Resolution

Action Required

Note: To avoid any site availability issues, Symantec recommends this policy change be made prior to upgrading to SSLV 4.3.1.1 or higher versions.
 
Before upgrading to v4.3.1.1, do the following:

  1. Option 1: Clone the current unsupported-sites list and delete the Symantec-related sites.
    1. Select Policies > Domain Name Lists.
    2. In the Domain Names Lists panel, click the Clone tool.
    3. Type a list name, such as custom-unsupported-sites and click OK.
    4. Make sure the cloned list is selected in the Domain Names Lists panel.
    5. In the Domain Names panel, select each Blue Coat and Symantec domain and click the Delete tool. Click Yes to confirm.
    6. Apply the changes.
  2. Option 2: Create a custom domain name list of sites you want to cut through. Refer to the list above for sites to consider including, or refer to KB INFO5078 which contains an updated list of domains.
    1. a. Select Policies > Domain Name Lists.
    2. b. In the Domain Names Lists panel, click the Add tool.
    3. c. Type a list name, such as custom-unsupported-sites and click OK.
    4. d. Make sure the new list is selected.
    5. e. In the Domain Names panel, click the Add tool, enter the domain, and click OK.
    6. f. Repeat step e for each domain.
    7. g. Apply the changes.
  3. Create a cut-through rule for the custom-unsupported-sites domain name list. (You should already have a cut-through rule for the unsupported-sites list.)
  4. Back up your policy.

You can now upgrade to v4.3.1.1. After upgrading, go to the WebUI, look at the unsupported-sites list and confirm that it now contains only the Symantec-related domains.

Impact if remediation steps are not taken

Following an upgrade to 4.3.1.1 (or higher), if a customer has a rule configured with a cut through action using the built-in unsupported-sites list, connections to any domains that were removed from the list will no longer be cut through. This change may result in connections to those domains failing. If the customer has any rule that uses the unsupported-sites list, the action of that rule will not be taken for any domains removed from the list.