SSL interception failure with ProxySG or Advanced Secure Gateway

book

Article ID: 168492

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Unable to reach a secure site (page not displayed) through the ProxySG or ASG. Protocol Detection is enabled.

Detect Protocol (or Protocol Detection) is enabled by default on ProxySG and Advanced Secure Gateway (ASG). This feature monitors the characteristics of a connection to determine what mechanism it should use to handle it.

 

 

Cause

There are many reasons why SSL Interception can fail which include, but are not limited to, the following:

  • Incompatibilities related to supported cipher suites between clients, proxy appliances and the OCS destinations.
  • Incompatibilities related to supported cipher ECs (Elliptic Curves) between clients, proxy appliances and the OCS destinations.
  • Non-standard traffic (per RFC guidelines)
  • Incorrectly configured, weak or expired certificates
  • Unreachable hosts / destinations

 

Resolution

A workaround is to disable Protocol Detection for a single site or single domain.

Add the following syntax to the proxy Local Policy or via a "CPL Layer" in the proxy Visual Policy Manager (VPM):

<proxy> 
  url.domain=example.com detect_protocol(none) 

For a list of sites with Protocol Detection that needs to be disabled the following Policy is provided as an example.

 

;############## Disable Protocol Detection ##############
; This script disables protocol detection.

; Detect Protocol (or Protocol Detection) is a ProxySG feature that looks 
; into characteristics of a connection to determine what mechanism it should 
; use to handle it. On occasion this needs to be disabled on exception 
; (per site basis).
; For example, if an SSL connection comes into the ProxySG on port 80 
; (typically used for HTTP instead of SSL), and if Protocol Detection is enabled, 
; the ProxySG will see that it is actually SSL traffic and handle it as such. 
; If Protocol Detection is disabled (it is disabled by default) the connection 
; will be tunneled as it is not valid HTTP traffic. Protocol Detection can also 
; be used to identify peer-to-peer traffic and many other types of traffic which 
; may attempt to use non-standard ports.

; For more information refer to:
; - Tech243402 (https://support.symantec.com/en_US/article.TECH243402.html)
; - Tech243102 (What is Detect Protocol and what does it do?)

; Condition Note(s):
; - To disable by URL, use the syntax ---> url.domain=example.com
; - To disable by Destination IP, use the syntax ---> url.address=10.10.10.10
; - To disable by User Agent, use the syntax ---> User-Agent="application-specific-agent-name"

;---------------------------------------------------------------------
<proxy>
condition=PDExceptionList detect_protocol(none) 

define condition PDExceptionList
url.domain=example1.com 
url.domain=example2.com
end condition PDExceptionList

;############ END Disable Protocol Detection ############

Examples of the various 'detect_protocol' CPL code

detect_protocol(none) - Why doesn't a detect_protocol(no) rule work for some sites or applications when applied in the VPM?
detect_protocol(no) - What is the CPL to disable detect_protocol for a specific target website only for iPhone / iPad devices?
detect_protocol.ssl(no) - Not able to use detect_protocol.ssl(no) to bypass SSL Interception
detect_protocol[ssl,https](no) - Intermittent issue with Consumer Skype access when connecting transparently with SSL interception enabled.
detect_protocol[ssl,https,sips](no) - HTTPS requests may fail or be delayed for 30 seconds when using ProxySG
detect_protocol[ssl,https,sips,sip](no) - Intermittent issue with Consumer Skype access when connecting transparently with SSL interception enabled.

In VPM follow: Detect Protocol needs to be disabled in ProxySG or Advanced Secure Gateway or Web Security Service in UPE Mode

Attachments

Disable Protocol Detection on Exception.txt get_app