Market traders at a financial organisation can reach the trading web site but fail to authenticate.
Authentication uses smart cards attached to their hosts; the cards hold X.509 client certificates.
Because the site is categorised as Financial, it is not SSL intercepted, so the Cloud SWG access logs give no detail about the failing requests.
The application shows no clear error message; the authentication simply appears to fail.
Cloud SWG.
Mutual X.509 authentication to the Web server.
With mutual X.509 authentication, SSL cannot be terminated on any intermediate device; the authentication must take place directly between the client and server hosts.
Disable protocol detection for the authentication server/domain. How this is done depends on how Cloud SWG is managed:
X.509 authentication is end-to-end: the server authenticates itself to the client and requests that the client authenticate itself to the server.
When a proxy terminates SSL (even without intercepting the content), it is the proxy that authenticates itself to the client, not the Web server; if a client certificate is requested by the proxy, it is the proxy that validates it, not the back-end Web server.
Disabling protocol detection turns the proxy into a generic TCP proxy that does not terminate SSL, so whatever the server sends to the client reaches the client untouched, and vice versa.
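The end-to-end property described above, shown as an added example (not Cloud SWG code or the original article's): a Ruby mutual-TLS server that requires a client certificate from a constructed demo CA. A client holding the trader's certificate authenticates, while a peer that does not hold it (which is all a TLS-terminating intermediate can be to the server, since the smart-card key never leaves the trader's host) is refused. The CA, host names and CNs are constructed for the demo.

```ruby
require "openssl"
require "socket"
# Issue a cert, self-signed when no issuer is given (all constructed in memory for the demo).
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", "CA:#{ca}".upcase, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

CA_KEY, SRV_KEY, CLI_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
CA_CERT = make_cert("Demo Bank Issuing CA", CA_KEY, ca: true)
SRV_CERT = make_cert("trading.example", SRV_KEY, CA_CERT, CA_KEY)
CLI_CERT = make_cert("trader01", CLI_KEY, CA_CERT, CA_KEY) # the trader's smart-card cert

# Trading web server: requires a client certificate chaining to the bank CA.
def start_server
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(SRV_CERT, SRV_KEY)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }
  srv = OpenSSL::SSL::SSLServer.new(tcp = TCPServer.new("127.0.0.1", 0), ctx)
  Thread.new do
    loop do
      c = srv.accept # raises if the peer presents no valid client certificate
      c.puts "hello #{c.peer_cert.subject}"
      c.close
    rescue OpenSSL::SSL::SSLError, SystemCallError
    end
  end
  tcp.addr[1]
end

# Connect with the trader's cert/key (end-to-end TLS), or with none, as a terminating proxy would.
def connect(port, cert: nil, key: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(cert, key) if cert
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # demo only; server cert not checked here
  s = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  s.connect
  s.gets.to_s.strip
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
  "rejected: #{e.message}"
end
```

Running `connect(port, cert: CLI_CERT, key: CLI_KEY)` returns the greeting with the trader's subject, while `connect(port)` never gets past the handshake, which is exactly what the back-end sees when an intermediate terminates SSL in front of it.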