Regenerating a software license for ProxySG 300-5 and 9000-5/10/20 units adds an SSL-Proxy license; in some cases, this can cause SSL traffic to be blocked

Technical Alert

Affected Products

SG300-5
SG9000-5
SG9000-10
SG9000-20

SG9000-30/40, SG300-10/35, SG600 and SG900 units all have the SSL Proxy functionality present by default. This change does not impact SG210, SG510, SG810 or SG8100 units.

Overview

When regenerating a software license for the above-mentioned hardware (common when adding or removing a feature from a licensed product), an SSL Proxy license will be added. The addition of an SSL Proxy license can cause traffic directed to SSL sites to be blocked in the following use cases:

1. If all of the following are true:

  • A TCP-Tunnel or HTTP service is configured and set to "Intercept"
  • Protocol Detection has been enabled on that service (it is disabled by default)
  • SSL traffic is sent through that service

2. If at any time in the past an SSL-Intercept policy was created and left in place (it had no effect while there was no valid SSL Proxy license, so there was no reason to disable it).

3. If a SOCKS proxy or "Default" service is configured to intercept, and protocol detection has been enabled (again, this is disabled by default).

In these cases, blockage occurs when SSL traffic goes to a server whose SSL certificate is not trusted by the ProxySG appliance. When this happens, the client is not given the option to accept the untrusted certificate; instead it is delivered an exception page (a denial).

To prevent these blockages, you can do one of two things:

A) Add a policy to disable SSL interception
   1. In the Visual Policy Manager, create a NEW "Web Access Layer" (do NOT reuse an existing one for this).
   2. Change the action on the rule from the default "Deny" to "Disable SSL Detection".
   3. Place this layer last so that it is evaluated after the other layers and the rule takes effect. To change its location, open the Edit menu and choose "Reorder layers...".
   Note: If you are using a combination of Visual Policy Manager policy and another policy file such as Local or Central, please open a support ticket for assistance in getting this policy installed in those files.

B) Disable protocol detection on all service ports where SSL traffic may inadvertently go.

NOTE: Regenerating the license (and therefore adding the SSL Proxy license) is a permanent change. You cannot revert the license to remove the SSL Proxy functionality.

Status

Previously, the SSL Proxy license was offered as an option that was purchased separately. Complimentary SSL Proxy licenses are now offered to provide more functionality on the latest generation hardware at no additional cost. Complimentary licenses are not available on older-generation hardware.

Resolution

This is an intentional change, and thus there is no "resolution" for this.

Workaround

Do not regenerate the license if you wish to retain the old functionality.

Bug Number:
InQuira Doc Id: TFA65