The ProxySG is considered a security device. As a security device, by default the ProxySG does not allow SSL connections to non-SSL ports. However, there may be instances where a known good web server uses a non-standard port for SSL traffic. For those cases the ProxySG can be configured to allow SSL connections to the non-standard SSL port. There are several ways to do this. They are as follows:
- If the site hosting the web server uses a non-standard SSL port, you can bypass the proxy for that request. If you are using a PAC file, you can create an exclusion so the web browser goes direct instead of to the proxy. For further details on modifying PAC files, please see 000011089. If you do not have a PAC file, you may be able to enter an exception directly into the browser. Please refer to your browser documentation for further details.
- You can add the following CPL policy to the local policy file. It allows a CONNECT request to be made to the specific host that uses a non-standard SSL port. For information on how to add CPL code to the local policy file, please see 000010101. Here is the sample policy:
; BEGIN - Allows the ProxySG to use the CONNECT method to a port other than port 443
; The rule must live in a <Proxy> layer; add it to an existing layer or start a new one as below.
<Proxy>
http.method=CONNECT url.host=nonstandard-ssl-host.example.com url.port=<non-standard-port-number> ALLOW
; In the above example, replace nonstandard-ssl-host.example.com with the appropriate host.
; In the above example, replace <non-standard-port-number> with an actual number, such as 4443, or whatever port you wish to override.
; Keep both the url.host and url.port conditions so the exception is limited to this one host and port.
; END - Allows the ProxySG to use the CONNECT method to a port other than port 443
This can also be done using the Visual Policy Manager:
- Create a new Web Access Layer. A new layer ensures that the policy change will not overwrite any existing policy decisions.
- Set the destination to the port for which you want to allow non-443 CONNECT requests. Make it a combined destination object if you also want to restrict the rule to the site, as in the CPL example above.
- In the Service column, choose Protocol Methods, select HTTP/HTTPS from the drop-down, and check the "CONNECT" option. Click OK.
- Set the action to Allow.
- Add CPL policy that allows CONNECT requests to any site on any port. NOTE: Blue Coat does not recommend allowing unrestricted CONNECT requests on any TCP port. The best way to work around the issue is to place an explicit exception as in solution #2 above. However, this solution is provided as is.
; BEGIN - Allows the ProxySG to use the CONNECT method on ANY TCP port. Not recommended.
; END - Allows the ProxySG to use the CONNECT method on ANY TCP port. Not recommended.
NOTE: Because the "ALLOW" action in a policy rule overrides the ProxySG's default precaution of blocking access to sites on non-standard SSL ports, apply such rules with caution. For example, a policy rule consisting only of the "ALLOW" action with no condition would let the ProxySG accept requests to connect to any site on any destination port.
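To make the difference between the scoped exception (solution #2) and an unconditioned ALLOW rule concrete, the following is an added example, not ProxySG code or anything from the knowledge base article. It models just enough of CPL to evaluate the rules shown above: the http.method, url.host and url.port conditions, the ALLOW/DENY actions, first-match ordering, and an assumed default of accepting CONNECT only on port 443 when no rule matches (a simplification of the ProxySG's actual default). The host names, ports and policy snippets are constructed for the demonstration, and the unscoped_allow_rules function is a hypothetical audit helper that flags exactly the kind of rule the NOTE warns about.

```python
"""Toy evaluator for ProxySG-style CPL CONNECT rules (added example).

Assumptions: only http.method=, url.host= and url.port= conditions,
ALLOW/DENY actions, first matching rule wins, and a default that
permits CONNECT only to port 443 when no rule matches.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_SSL_PORT = 443  # assumed default: CONNECT allowed here only


@dataclass
class Rule:
    action: str                      # "ALLOW" or "DENY"
    method: Optional[str] = None     # http.method=..., None means any
    host: Optional[str] = None       # url.host=...,    None means any
    port: Optional[int] = None       # url.port=...,    None means any

    def matches(self, method: str, host: str, port: int) -> bool:
        # A rule fires only when every condition it carries is satisfied;
        # a rule with no conditions therefore matches every request.
        return ((self.method is None or self.method == method)
                and (self.host is None or self.host == host)
                and (self.port is None or self.port == port))


def parse_cpl_rule(line: str) -> Rule:
    """Parse one CPL rule line: zero or more conditions, then the action."""
    tokens = line.split()
    rule = Rule(action=tokens[-1].upper())
    for tok in tokens[:-1]:
        key, _, val = tok.partition("=")
        if key == "http.method":
            rule.method = val.upper()
        elif key == "url.host":
            rule.host = val.lower()
        elif key == "url.port":
            rule.port = int(val)
        else:
            raise ValueError(f"unsupported condition in this model: {tok}")
    return rule


def load_policy(text: str) -> List[Rule]:
    """Skip comments (';') and layer headers ('<Proxy>'), parse the rest."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("<"):
            continue
        rules.append(parse_cpl_rule(line))
    return rules


def connect_allowed(rules: List[Rule], host: str, port: int) -> bool:
    """Decide whether a CONNECT to host:port passes this policy."""
    for rule in rules:
        if rule.matches("CONNECT", host.lower(), port):
            return rule.action == "ALLOW"
    return port == DEFAULT_SSL_PORT  # assumed default behaviour


def unscoped_allow_rules(rules: List[Rule]) -> List[Rule]:
    """Hypothetical audit check: ALLOW rules with neither a host nor a
    port condition open every destination port, as the NOTE warns."""
    return [r for r in rules
            if r.action == "ALLOW" and r.host is None and r.port is None]


# Constructed policies: the scoped exception from solution #2, and the
# conditionless ALLOW described in the NOTE.
SCOPED_POLICY = """
<Proxy>
; exception for one host on one non-standard SSL port
http.method=CONNECT url.host=nonstandard-ssl-host.example.com url.port=4443 ALLOW
"""

UNCONDITIONED_POLICY = """
<Proxy>
ALLOW
"""

if __name__ == "__main__":
    scoped = load_policy(SCOPED_POLICY)
    print(connect_allowed(scoped, "nonstandard-ssl-host.example.com", 4443))  # True
    print(connect_allowed(scoped, "other.example.com", 4443))                 # False
    print(len(unscoped_allow_rules(load_policy(UNCONDITIONED_POLICY))))       # 1
```

Running the block shows the scoped rule permitting only the named host on port 4443 while every other non-443 destination stays blocked, whereas the conditionless ALLOW matches everything and is reported by the audit helper. The same check can be pointed at a policy file before it is installed, so an unintended blanket ALLOW is caught in review rather than in production.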