ProxySG & Advanced Secure Gateway

  • 1.  Website running on custom ports - Explicit topology

    Posted Dec 02, 2020 10:53 PM
    Dear all,

    I have a problem with a website running on custom ports in an explicit topology. How can I permit this website through the proxy?
    I can only define ports 80 and 443, but custom ports do not work.

    Thank you.


  • 2.  RE: Website running on custom ports - Explicit topology

    Broadcom Employee
    Posted Dec 03, 2020 01:16 PM
    Hello Duc, 

    In an explicit proxy topology all of the browsers are configured to connect to the proxy explicitly, usually via port 8080. The browser makes a connection to the proxy via port 8080, and the request to the web site, regardless of the web site's port, goes through that explicit connection. The proxy honors the destination port of the HTTP or HTTPS request, so if you type example.com:1234 in your browser, the proxy will honor this and will attempt to connect to the external web site example.com over port 1234. There should not be any issues.

    However, one thing that comes to mind is that the proxy's default security settings may be blocking HTTPS requests if they use a non-standard HTTPS port rather than 443. To make an exception you will need a CPL policy in place; see the example below.

    <proxy>
    http.method=CONNECT url.host=example.com url.port=1234 ALLOW
     

    Allow non-standard port in Explicit over HTTPS
    The above recommendation is made assuming that the proxy is deployed in the Forwarding Mode Explicit.

    I hope this helps.
    Slava


  • 3.  RE: Website running on custom ports - Explicit topology

    Posted Dec 03, 2020 04:36 PM
    Hi All,

    To add to Slava's great explanation, I use the following rule of thumb:

    1). If protocol detection is enabled and the default policy action is allow, then https access on any destination port will be allowed.
    2). If protocol detection is disabled and the default policy action is allow, then https access on any destination port will be denied apart from 443.

    The above assumes that there is no global allow rule in the policy, in which case it would be allowed either way, and that any upstream firewall allows access to the required ports.

    Regards
    Paul
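
The two points made in this thread, that in an explicit deployment the destination port travels inside the request the browser sends to proxy:8080 rather than in the TCP connection to the proxy, and that a non-standard HTTPS port is then subject to the explicit CPL rule in Slava's post and to Paul's rule of thumb about protocol detection and the default policy action, can be modelled in a few lines. The following is an added example, not ProxySG code and not a CPL interpreter; the proxy port 8080, the `Rule` and `ProxyPolicy` names, and the evaluation order (explicit rule first, then port 443 to the default action, then protocol detection) are assumptions chosen to reflect the thread, not the real ProxySG layer evaluation:

```python
"""Toy model of how an explicit proxy handles a request to a non-standard port.

Added example for this thread; it is not ProxySG code and does not run CPL.
It models (1) the first request line a browser sends to an explicit proxy and
(2) a simplified allow/deny decision that combines an explicit host/port rule
(like 'http.method=CONNECT url.host=example.com url.port=1234 ALLOW') with
Paul's rule of thumb about protocol detection and the default policy action.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PROXY_PORT = 8080          # assumption: browsers are pointed at proxy:8080
STANDARD_HTTPS_PORT = 443


def build_proxy_request(url: str) -> str:
    """Return the first request line a browser sends to an explicit proxy.

    HTTPS goes out as a CONNECT tunnel request carrying host:port; plain HTTP
    goes out as an absolute-form request with the full URL. The TCP peer is
    always proxy:PROXY_PORT, so the destination port is only visible here.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        port = parts.port or STANDARD_HTTPS_PORT
        return f"CONNECT {parts.hostname}:{port} HTTP/1.1"
    if parts.scheme == "http":
        return f"GET {url} HTTP/1.1"
    raise ValueError(f"unsupported scheme: {parts.scheme}")


@dataclass
class Rule:
    """One explicit match (hypothetical name), modelled on the CPL line
    'http.method=CONNECT url.host=example.com url.port=1234 ALLOW'."""
    host: str
    port: int
    action: str  # "ALLOW" or "DENY"


@dataclass
class ProxyPolicy:
    """Hypothetical policy container: protocol detection flag, default
    action, and the explicit per-host/port rules."""
    protocol_detection: bool
    default_action: str              # "ALLOW" or "DENY"
    rules: list = field(default_factory=list)


def parse_connect(request_line: str) -> tuple[str, int]:
    """Extract host and port from 'CONNECT host:port HTTP/1.1'."""
    method, target, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, sep, port = target.rpartition(":")
    if not sep:
        raise ValueError("CONNECT target must be host:port")
    return host, int(port)


def decide_connect(policy: ProxyPolicy, request_line: str) -> str:
    """Simplified decision for an HTTPS tunnel through an explicit proxy.

    Assumed order (a simplification, not real ProxySG layer evaluation):
      1. an explicit host/port rule wins;
      2. port 443 falls through to the default action;
      3. any other port is allowed only if protocol detection is on and
         the default action is ALLOW (Paul's rule of thumb), else denied.
    """
    host, port = parse_connect(request_line)
    for rule in policy.rules:
        if rule.host == host and rule.port == port:
            return rule.action
    if port == STANDARD_HTTPS_PORT:
        return policy.default_action
    if policy.protocol_detection:
        return policy.default_action
    return "DENY"


if __name__ == "__main__":
    line = build_proxy_request("https://example.com:1234/")
    no_detect = ProxyPolicy(protocol_detection=False, default_action="ALLOW")
    print(line, "->", decide_connect(no_detect, line))          # DENY
    with_rule = ProxyPolicy(False, "ALLOW", [Rule("example.com", 1234, "ALLOW")])
    print(line, "->", decide_connect(with_rule, line))          # ALLOW
```

The model shows why the original question's "I can only define port 80 and 443" is the wrong place to look in an explicit deployment: nothing about the browser-to-proxy connection changes for port 1234, and what decides the outcome is the policy applied to the CONNECT line. It also shows the practical check from Paul's post: with protocol detection off and no explicit rule, the 1234 tunnel is denied while 443 is still allowed, and adding the per-host/port rule flips only that one destination.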