ProxySG & Advanced Secure Gateway

  • 1.  Transparent proxy/Url Bypass

    Posted Jul 30, 2020 02:00 PM
    On an ASG deployed in a transparent configuration, is there any way to bypass by URL? I can only find ways to bypass by IP, and in today's hosted world many sites utilize dynamic IP ranges. This is cumbersome, as it takes lists of IPs to bypass one URL, and then the IP ranges/addresses can change.

    Thanks!


  • 2.  RE: Transparent proxy/Url Bypass
    Best Answer

    Broadcom Employee
    Posted Jul 30, 2020 04:48 PM
    Hi Howard,

    The two most common reasons I see people want to bypass the ASG is due to issues when SSL Inspecting, or with authenticating. Policy can be configured to bypass both of those services.

    As far as a full-on bypass, like things added to the Static Bypass List, where the ASG just takes it in one interface and out the other: no. The ProxySG makes the decision on whether to bypass, i.e. whether or not to apply policy, at OSI Layer 3. URLs are HTTP and thus Layer 7. The use case of the Static Bypass List is more for having internal servers bypassed.

    If there are sites that you are having issues accessing, I would recommend using what some call the "magic script" to pinpoint what services are interfering with a URL working well, and then apply that policy to the URL.

    Thanks!


  • 3.  RE: Transparent proxy/Url Bypass

    Posted Aug 12, 2020 10:46 AM
    Thanks Jacob

    I used the script to look at which services are being denied/interfered with and disabled all of the features/conditions, without success. It still wouldn't work. Only when completely bypassing by the client IP (static bypass list) was it able to work. This seems to be the case with all of our external telehealth services and every virtual meeting service (GTM, Zoom, etc.). Has anyone else had issues with these types of services in a transparent environment? Bypassing by client IP is a poor way to manage this (no filtering or AV), and bypassing by destination IP is unmanageable, as most of these types of services are in hosted environments with dynamic IP ranges.

    Any other ideas would be greatly appreciated.


  • 4.  RE: Transparent proxy/Url Bypass

    Broadcom Employee
    Posted Aug 13, 2020 12:31 PM
    Hello Howard,

    To answer your first question: there is no way to truly bypass a session by using a URL in a transparent proxy deployment, as the session has to be bypassed in the TCP stack for it to be bypassed, and to do that the IP has to be used.

    As for the issues with GTM and Zoom, the reason those won't work without disabling SSL interception for their destinations is that those applications' vendors enforce certificate pinning for their applications, and that fails should there be a man in the middle, like a proxy performing SSL decryption.
    You can find the URLs known to us for those virtual meeting services here: https://knowledge.broadcom.com/external/article?articleId=166772 . You need to add these URLs to a Disable SSL Interception and No Authentication policy.

    As for the telehealth service, we assume that this is some sort of application running on the client PCs. If you have the vendor's whitepaper, or if you could verify with the vendor's support for this app whether there are any network requirements that must be met in order for this application to work with a transparent proxy upstream, etc., then perhaps among those requirements there are some steps, or wide IP ranges/subnets, that can be used for a bypass.

    I hope this helps.
    Slava
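
    An added example, not from any of the posts above, of what the "Disable SSL Interception and No Authentication" policy described in replies 2 and 4 looks like in ProxySG Content Policy Language (CPL), as it would be installed from the VPM's CPL layer or the local policy file. The hostnames (zoom.us, gotomeeting.com, logmein.com) are assumptions for illustration; the authoritative list is the KB article linked in reply 4. The point the thread makes still holds: this is not a Layer 3 bypass, the TCP session still terminates on the proxy, so URL filtering and the rest of policy still run on the flow, which a static bypass entry would not give you.

```cpl
; Added example (not from the thread or Broadcom): exempt certificate-pinned
; meeting services from SSL interception and from authentication on a
; transparent ProxySG/ASG, instead of removing them from policy via the
; Static Bypass List.
;
; Hostnames are assumptions for illustration; take the real list from
; https://knowledge.broadcom.com/external/article?articleId=166772

define condition pinned_meeting_services
    url.domain=zoom.us
    url.domain=gotomeeting.com
    url.domain=logmein.com
end condition pinned_meeting_services

; Layer 1: do not decrypt these destinations. Without interception the proxy
; is no longer a man in the middle, so the client's certificate pinning
; check sees the vendor's real certificate and succeeds.
; In a transparent deployment there is no explicit request URL before
; decryption, so matching is done on the hostname the proxy can see from the
; TLS ClientHello (SNI) / server certificate.
<ssl-intercept>
    condition=pinned_meeting_services ssl.forward_proxy(no)
    ; all other HTTPS traffic keeps whatever interception policy is already set

; Layer 2: do not challenge these sessions for credentials. An injected
; 407 / NTLM / Kerberos challenge is another thing a pinned, non-browser
; client will not handle.
<proxy>
    condition=pinned_meeting_services authenticate(no)

; Everything else (category filtering on the hostname, AV on whatever is
; still decrypted, logging) continues to apply to these flows, which is the
; difference from a Static Bypass List entry.
```

    Push the policy, then reproduce the failing meeting client and check the access log: the matching entries should show the session with no authentication and no interception, while requests to other sites stay intercepted and authenticated. If a service still fails with both exemptions in place, the remaining cause is usually something the proxy cannot fix at Layer 7 (a non-HTTP protocol on 443, UDP media, or a vendor requirement documented in its network whitepaper), which is the point Slava raises for the telehealth application.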