Hello Howard,
To answer your first question: there is no way to truly bypass a session by using a URL in a Transparent Proxy deployment, as the session has to be bypassed in the TCP stack for it to be bypassed; to do that, an IP has to be used.
As for the issues with GTM and Zoom, the reason those won't work without disabling SSL Interception for their destinations is that those applications' vendors enforce Certificate Pinning for their applications, and that fails should there be a man in the middle, like a proxy performing SSL decryption.
You can find the URLs known to us for those virtual meetings here:
https://knowledge.broadcom.com/external/article?articleId=166772. You need to add these URLs to a Disable SSL Interception and No Authentication policy.
As for the TeleHealth, we assume that this is some sort of application running on the client PCs. If you have the vendor's whitepaper, or if you could verify with the vendor's support for this app, see if there are any network requirements that must be met in order for this application to work if there is a Transparent Proxy upstream, etc. If so, perhaps among those requirements there are some steps or a wide range of IPs, subnets, etc. that can be used for bypass.
I hope this helps.
Slava
Original Message:
Sent: 08-12-2020 10:46 AM
From: HOward gOLLERT
Subject: Transparent proxy/Url Bypass
Thanks Jacob
I used the script to look at which services are being denied/interfered with and disabled for all the features/conditions without success. It still wouldn't work. Only when completely bypassing by the client IP (static bypass list) was it able to work. This seems to be the case with all of our external Telehealth services and every virtual meeting service (GTM, Zoom, etc.). Has anyone else had issues with these types of services in a transparent environment? Bypassing by client IP is a poor way to manage this (no filtering or AV), and bypassing by destination IP is unmanageable as most of these types of services are in hosted environments with dynamic IP ranges.
Any other ideas would be greatly appreciated.
Original Message:
Sent: 07-30-2020 04:48 PM
From: Jacob M
Subject: Transparent proxy/Url Bypass
Hi Howard,
The two most common reasons I see people want to bypass the ASG are issues when SSL inspecting or with authenticating. Policy can be configured to bypass both of those services.
As far as a full-on bypass, like things added to the Static Bypass List, where the ASG just takes it in one interface and out the other - no. The ProxySG makes the decision on whether to bypass at the Level 3 OSI layer on whether or not to apply policy. URLs are HTTP and thus, Layer 7. The use case of the Static Bypass List is more for having internal servers bypassed.
If there are sites that you are having issues accessing, I would recommend using what some call the "magic script" to pinpoint what services are interfering with a URL working well, and then apply that policy to the URL.
Thanks!
Original Message:
Sent: 07-27-2020 04:30 PM
From: HOward gOLLERT
Subject: Transparent proxy/Url Bypass
On ASG deployed in a transparent configuration, is there any way to bypass by URL? I can only find ways to bypass by IP, and in today's hosted world many sites utilize dynamic IP ranges. This is cumbersome as it takes lists of IPs to bypass one URL and then the IP ranges/addresses can change.
Thanks!