Notify-user rule configuration in Policy VPM on ProxySG/EdgeSWG for presenting a notification to user before allowing access to requested URL


Article ID: 264847


Updated On:

Products

  • ASG-S400
  • ISG Proxy
  • ProxySG Software - SGOS
  • Advanced Secure Gateway Software - ASG

Issue/Introduction

The client wants to set up a notification screen that displays a customized message to anyone connecting via the Proxy.

Environment

  • Proxy SGOS 7.3.13.2
  • EXPLICIT PROXY

Resolution

CONFIGURATION STEPS:

01. Check which default action is set for Proxy policy filtering in Proxy > Configuration > Policy.

For example, the default action may be set to DENY for all requests that are not included in policy.

PLEASE NOTE: If the default policy is set to DENY and the transaction hits DENY with any Web Access rule, the notification page is not displayed; the policy deny page is shown instead. The notification appears only for allowed requests.

02. Create a new Web Access Layer called NOTIFY and make it the highest among the Web Access Layers in the VPM hierarchy (the request needs to hit the notification rule first).

Create a rule at the top of existing rules:

  • Source: <source-ip>
  • Destination: <any> or <defined>
  • Service: <any> or <defined>
  • Action: Notify User Object (the notice can be modified with HTML code)

You can customize the page that is displayed and the default behavior, for example whether the notification should appear once per session.

All rules that allow access to specific websites need to go underneath the notification rule, in the next Web Access Layer.

 

03. Make sure that the source IPs to which you want to display the notification are SSL-intercepted. Please follow this article on configuring SSL interception in an explicit proxy using a self-signed certificate. This article covers configuring SSL interception with Microsoft PKI for explicit proxy.

Install the Policy.

04. Once you have set up SSL interception, make sure that Detect Protocol is enabled. Go to:

  • Proxy > Configuration > Proxy Services > Explicit HTTP > enable Detect Protocol (this setting is enabled by default)
  • Proxy > Configuration > Proxy Services > HTTPS > enable Detect Protocol (this setting is enabled by default)

Apply

05. Test the notification page in a browser with an allowed URL:

https://<domain>

Once you accept, the notification is not shown again during that session (it is kept in the Proxy cache). This behavior may differ, as it is set in the notification rule created earlier.

If the URL is listed in policy to be denied, or is denied by default, you get a denied page instead of the notification page.

Additional Information