In an explicit proxy environment, (eg, where client browsers have settings referring to your ProxySG) web access layer rules based on categories will match and allow/deny requests for HTTP and HTTPS URLs because the client includes the requested hostname in the CONNECT request to the proxy. In a transparent proxy deployment, however, the traffic is encrypted. Assuming that the ProxySG has an SSL license, and the HTTPS:443 service is set to use the SSL proxy service, the proxy can see both the destination IP address of the server being requested, as well as the certificate it presents to the client. We can leverage policy to act on the certificate details to perform basic category-based denials.
Steps to configure policy to deny HTTPS requests to specific categories are as follows:
*repeat this process using a 'server certificate' object, and define the subject as the domain name you're looking to deny, if not using a category.