Sites are getting connect_method_denied on standard port 443


Article ID: 225788


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG, ISG Proxy, ProxySG Software - SGOS

Issue/Introduction

You are seeing a connect_method_denied verdict in the WSS reports for connections to tcp://ip-or-domain on port 443. You are not sure why the error is being triggered, as the connection uses a standard port.

 

Environment

Cloud SWG (Web Security Service)

Cause

In the PCAP taken, we can see that immediately after the HTTP 200 (connection established) response, the client sends a FIN.

Cloud SWG received the initial CONNECT request and passed back a 200 OK. The next packet should be a Client Hello from the client side to initiate the SSL handshake. If, for any reason, this packet does not reach us, the connection is considered a tunneling attempt of a non-SSL protocol and hits the "Connect_Method_Denied" exception.

Cloud SWG Proxy: 192.168.1.83 / Client: 10.230.0.5 

 

Resolution

The proxy is operating normally. Looking at a few customer accounts, we generally see that this traffic is generated by a browser user agent and normally causes virtually no impact, as it is either temporary or the application successfully establishes SSL on subsequent connections.

To prove that this is not caused by the client-side applications, we would need to see PCAPs from the gateway showing that the Client Hello is being sent.
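A small triage helper for the capture check described above, added here as an example and not Broadcom or Cloud SWG code: it classifies the first thing the client sends after the proxy's 200 response. The event tuples, verdict strings and sample flows are constructed assumptions, and the non-TLS payload case goes slightly beyond the FIN case seen in the article's PCAP.

```python
# Added triage sketch; event tuples and verdict strings are assumptions,
# not Cloud SWG output. One TCP flow = list of (sender, tcp_flags, payload)
# in capture order, e.g. exported from a PCAP taken at the gateway.

def is_client_hello(data: bytes) -> bool:
    # TLS record: type 0x16 (handshake), version major 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def is_200_response(data: bytes) -> bool:
    parts = data.split(b" ", 2)
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1] == b"200"

def classify_tunnel(events):
    seen_connect = seen_200 = False
    for sender, flags, payload in events:
        if sender == "client" and not seen_connect:
            seen_connect = payload.startswith(b"CONNECT ")
        elif sender == "proxy" and seen_connect and not seen_200:
            seen_200 = is_200_response(payload)
        elif sender == "client" and seen_200:
            if payload:  # first client bytes inside the tunnel decide the outcome
                return "tls_client_hello" if is_client_hello(payload) else "non_tls_payload"
            if "F" in flags or "R" in flags:  # client closed before sending anything
                return "closed_without_client_hello"
    return "incomplete"

# Constructed sample data (hostname and bytes are placeholders).
CONNECT = b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n"
OK_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"
HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])

def flow(*after_200):
    # Common prefix: CONNECT, 200, bare ACK from the client.
    return [("client", "PA", CONNECT), ("proxy", "PA", OK_200),
            ("client", "A", b""), *after_200]

FIN_FLOW = flow(("client", "FA", b""))   # the pattern in the article's PCAP
TLS_FLOW = flow(("client", "PA", HELLO))
SSH_FLOW = flow(("client", "PA", b"SSH-2.0-client\r\n"))

if __name__ == "__main__":
    for name, f in [("fin", FIN_FLOW), ("tls", TLS_FLOW), ("ssh", SSH_FLOW)]:
        print(name, classify_tunnel(f))
```

A flow classified as `closed_without_client_hello` at the gateway points at the client side; `incomplete` means the capture does not contain the full CONNECT and 200 exchange.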

Additional Information

This exception can occur for other reasons as well, which are covered in the articles below.

Verdict connect_method_denied in Web Security Service report

Denied access to the requested port with Web Security Service