Individual URL bypass for HTTPS website in blocked content-filter category, transparent deployment with SSL interception




You need to allow access to a specific HTTPS website, which belongs to a URL category that's blocked using content-filtering in your policy, and your ProxySG is deployed in inline transparent mode with SSL interception enabled.


Step 1: Configure the HTTPS proxy-service as depicted below:



The main point to note here is that detect protocol is enabled, which is not the default for a TCP Tunnel service.


Step 2: Add a rule in the Web Access layer for the website to be bypassed:





The main points to note here are that the combined-source object for the website must include both its hostname and its IP address, as resolved from the client network which would be attempting to browse the website. In the depicted example, resolved to on the test network.
The Action is a 'Disable SSL Detection' object, matching All Tunneled Traffic.


Step 3: Add an SSL Interception layer:


Here, SSL Interception has been enabled for all traffic.


Step 4: Block the URL category in an SSL Access layer:


Here, a server certificate category object has been added, for the content-filter category which the bypassed website belongs to (but which will otherwise be blocked).
Note also that the blocking action for the URL category must be Force Deny.
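For readers without the screenshots, the policy from Steps 2 to 4 can be sketched in CPL as follows. This is an added example, not the CPL generated from the article's VPM policy: the hostname, IP address, category name and condition name are placeholders, and modelling the website object with URL host/address conditions is an assumption. Compare it with the generated CPL on your own appliance before relying on it.

```cpl
; Added example (not from the original article).
; Placeholders: www.example.com, 192.0.2.10, "Placeholder Category",
; and the condition name bypass_site.

; Step 2: the exempted website, matched both by hostname and by the
; IP address it resolves to from the client network.
define condition bypass_site
    url.host.exact="www.example.com"   ; placeholder hostname
    url.address=192.0.2.10             ; placeholder resolved IP
end

; Step 2: Web Access layer. For tunneled traffic to the exempted site,
; disable SSL detection so the connection is not handed to SSL interception.
<Proxy>
    condition=bypass_site tunneled=yes detect_protocol.ssl(no)

; Step 3: SSL Interception layer, enabled for all traffic.
<SSL-Intercept>
    ssl.forward_proxy(https)

; Step 4: SSL Access layer. Block the category using the server
; certificate category test; the action must be Force Deny.
<SSL>
    server.certificate.hostname.category="Placeholder Category" force_deny
```

If the site resolves to more than one address from the client network, each address needs to be present in the Step 2 condition, since the rule is evaluated before the SSL handshake is inspected.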






The above only deals with the specific use-case scenario where HTTPS variants of a URL category are to be blocked in policy, and some individual HTTPS URLs need to be exempted. If HTTP variants of the same content-filter category also need to be blocked, and HTTP variants of the same individual URLs also need to be exempted, relevant policy layers and rules would need to be added to take this into account. Please refer to 000012492 for more details.

Additional Information
Performing SSL interception on a ProxySG which is deployed in inline transparent mode imposes some limitations on the ability to selectively disable or enable the functionality using policy. As a result, it can be helpful to configure the HTTPS/SSL proxy-service listener somewhat differently from what might otherwise be the case, to maximize the flexibility of options available for doing this.
InQuira Doc Id      KB4725

First Published      10/01/2014
Last Modified      10/19/2016
Last Published      10/19/2016
Product      ProxySG
Software      SGOS 4.3, SGOS 5.4, SGOS 5.5, SGOS 6
Article Number      000011796