ProxySG & Advanced Secure Gateway


  • 1.  Explicit Deployment intercepts VPN Traffic

    Posted May 15, 2020 07:36 AM
    Hello all,

    I would like to ask for some suggestions regarding an issue I am running into lately.
    My ProxySG deployment mode is Explicit mode and I've pushed the proxy settings to endpoints via Microsoft AD GPO (manual config).
    The enterprise I have deployed the ProxySG for has a lot of third-party VPN connections to other enterprises.
    In this case there is a FortiGate Remote Access VPN connectivity configured as SSL-VPN, where some of the users access resources in other organizations.
    The issue is that, for example, x.com is only resolved via the DNS server seen through the tunnel. Upon running some tests I am getting "Unable to resolve server IP address with DNS" in the ProxySG Errored Sessions.
    So how do I actually instruct ProxySG to stop looking at tunneled traffic (for example FortiGate or Cisco), so that the tunnel-destined traffic would not be intercepted by ProxySG?

    Thank You in advance,

    Senior Network and Security Systems Engineer,
    Rigels Sino


  • 2.  RE: Explicit Deployment intercepts VPN Traffic
    Best Answer

    Broadcom Employee
    Posted Aug 27, 2020 02:37 PM
    Hello Rigels, 

    In case the issue is still present.
    You don't really make the proxy stop looking at the tunnel; you just don't send that traffic to the proxy at all, by adding those destination URLs, IPs or IP subnets to the exception section of "Do not use proxy" in the users' browser. You can push that via the GPO as well to all users' browsers.

    This will result in the DNS lookup being done on the client PC, and traffic will be routed properly through the VPN tunnel and not to the proxy.

    I hope this helps.
    Slava
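
    As an added example (not part of this thread or of any Broadcom documentation), the following PowerShell script does on one endpoint what the GPO push described above does for all of them: it merges the tunnel-only destinations into the WinINET "Do not use proxy for addresses beginning with" list, which is the ProxyOverride value under the Internet Settings registry key. The hostnames and subnets in the list are placeholders, not the ones from the thread, and the Merge-ProxyOverride helper is written for this example; the registry path and value names are the real ones that the Internet Settings item in Group Policy Preferences writes.

```powershell
# Added example: merge VPN-side destinations into the WinINET "Do not use proxy"
# exception list (the ProxyOverride value that the Internet Settings GPO writes).
# Run in the user's context; the GPO equivalent is a user-side preference.

$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Destinations reachable only through the third-party VPN tunnels.
# These names and ranges are placeholders for the example, not from the thread.
$VpnBypass = @(
    '*.partner-a.example',   # resolved only by the DNS server behind the SSL-VPN
    '*.partner-b.example',
    '10.200.*',              # private ranges routed into the tunnels
    '172.16.*'
)

function Merge-ProxyOverride {
    param(
        [string]$Existing,   # current ProxyOverride string; may be empty
        [string[]]$Add
    )
    # WinINET separates entries with ';' and uses '<local>' for plain host names.
    $entries = @()
    if ($Existing) {
        $entries = @($Existing -split ';' | Where-Object { $_ -ne '' })
    }
    foreach ($e in $Add) {
        if ($entries -notcontains $e) { $entries += $e }
    }
    if ($entries -notcontains '<local>') { $entries += '<local>' }
    return ($entries -join ';')
}

# Read what is already configured (GPO or manual), merge, and write back.
$current = (Get-ItemProperty -Path $Key -Name ProxyOverride `
            -ErrorAction SilentlyContinue).ProxyOverride
$merged  = Merge-ProxyOverride -Existing $current -Add $VpnBypass
Set-ItemProperty -Path $Key -Name ProxyOverride -Value $merged

# Verify: ProxyEnable/ProxyServer are untouched, so everything else still goes
# to the ProxySG; only the listed destinations are now fetched DIRECT.
Get-ItemProperty -Path $Key |
    Select-Object ProxyEnable, ProxyServer, ProxyOverride
```

    Two caveats a practitioner will want. First, ProxyOverride entries are matched against the host as it appears in the URL, so `10.200.*` only bypasses requests typed as an IP address; bypassing by FQDN (`*.partner-a.example`) is what makes the client, rather than the ProxySG, perform the DNS lookup, which is exactly the behaviour the answer above relies on. Second, this list is honoured by WinINET-based clients (Internet Explorer, Edge and Chrome on Windows) and by Firefox only if it is set to use the system proxy settings; WinHTTP applications keep their own proxy configuration (`netsh winhttp`), so a service that must reach a tunnel destination needs its own exception.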




  • 3.  RE: Explicit Deployment intercepts VPN Traffic

    Posted Aug 31, 2020 09:43 AM
    Hey Slava,

    Thanks for bringing this up again, this is exactly how I have fixed it, as the implementation on that one client was in Explicit Mode. Locally bypassing the URLs and IP addresses fixed the issue.

    Thanks again :)
    We'll keep in touch.
    BR,
    Rigels Sino