When regenerating a software license for the above-mentioned hardware (common when adding or removing a feature from a licensed product), an SSL Proxy license will be added. The addition of an SSL Proxy license can cause traffic directed to SSL sites to be blocked in the following use cases:
1. If all of the following are true:
- A TCP-Tunnel or HTTP service is configured and set to "Intercept"
- Protocol Detection has been enabled on that service (it is disabled by default)
- SSL traffic is sent through that service
2. If an SSL-Intercept policy was created at any time in the past and was left in place (not disabled) because there was no valid SSL Proxy license.
3. If a SOCKS proxy or "Default" service is configured to intercept, and protocol detection has been enabled (again, this is disabled by default).
In these cases, traffic is blocked when SSL traffic goes to a server whose SSL certificate is not trusted by the ProxySG appliance. When this happens, the client is not given the option to accept the untrusted certificate and instead receives an exception page (denial).
To prevent these blockages, you can do one of two things:
A) Add a policy to disable SSL interception
• In the Visual Policy Manager, create a NEW "Web Access Layer" (do NOT reuse an existing one for this).
• Change the action on the rule to "Disable SSL Detection" instead of the "deny" present in that rule by default.
• Place this layer last to ensure the rule is applied. To change its location, click the Edit menu, then the "Reorder layers..." option.
  - If you are using a combination of policies from the Visual Policy Manager and another policy file such as Local or Central, please open a support ticket for assistance in getting this policy installed in those files.
B) Disable protocol detection on all service ports where SSL traffic may inadvertently go.
NOTE: Regenerating the license (and therefore adding the SSL Proxy license) is a permanent change. You cannot revert the license to remove the SSL Proxy functionality.