ProxySG & Advanced Secure Gateway

Expand all | Collapse all

TCP proxy with Detect protcol and SSL interception enabled: URL filtering behavior?

  • 1.  TCP proxy with Detect protcol and SSL interception enabled: URL filtering behavior?

    Posted 02-13-2020 10:18 AM

    Hi,

    according to Symantec KB, a "TCP Tunnel" service with Detect protocol enabled should be equivalent to "SSL Proxy" service when encountering SSL traffic:

    https://support.symantec.com/us/en/article.tech245661.html

    Yet the behavior is confusing in the following scenario:

    - SSL intercept on exception is enabled (the default)

    - TCP Tunnel on port 443 with Detect protocol enabled

    - Category "Technology/Internet" is set to Deny in web access policy (this is just an example)

    - web site https://veracompadria.com is categorized as "Technology/Internet" and its IP adress has the same category, too.

     

    When accessing the web site, the proxy manages to perform intercept on exception and return HTTP response 403 (denied) to the client, which is expected.

    However, the exception template returned is not the HTML data for HTTP traffic but rather the exception text used for all protocols: "$(exception.id): $(exception.details)". This is a very basic message omitting any HTML code we usually return to the user. So, the proxy performs full interception and is able to return HTTP(S) response to the client, but it incorrectly uses the exception template for all protocols (without the html).

    Furthermore, if the site above were not categorized as "Technology/Internet" for its *IP address* (but was categorized on url level), the proxy would have returned the full HTTP exception with HTML i.e. "$(exception.format)"

    This is completely unexpected behavior. What should be done to get expected HTML exception for https traffic in such cases? I know that reverting to SSL Proxy instead of TCP tunnel would "solve" the problem, but that's not possible for this customer due to other apps not tolerating "SSL proxy" service only.

    any insights appreciated.

    Above is the expected exception with HTML, below is the unexpected exception.



  • 2.  RE: TCP proxy with Detect protcol and SSL interception enabled: URL filtering behavior?

    Posted 02-13-2020 10:21 PM
    Hi Antonio, Try to allow tunneled traffic for denied categories and block all other traffic for them. Simple code on CPL (only for example): url.category=“Technology/Internet” tunneled=yes allow ; 1st rule url.category=“Technology/Internet” your_correct_exception ; 2nd rule This is because with transparent proxy (tcp tunnel with detect protocol) 1st transaction is “tunnel tcp://ip_addr:443”, the “unknown ssl://...” (PD works), and only the last - “https://site_name”, and when Deny (or exception) triggers for “tunnel tcp://...” -we see this behavior (and this is explain why you see correct exception, if categories for URL and IP are different). I agree with you this is unexpected behavior, and all above - is workaround only, in my mind BR, Pavel