Solutions

ProxySG fails to allow connections to SSL ports other than port 443

Solutions ID:    KB3730
Version:    6.0
Status:    Published
Published date:    03/15/2010
Updated:    05/03/2011

Problem Description

Error:  CONNECT to a port other than 443 (the default HTTPS port) is not permitted
Error:  Your request attempted a CONNECT to a port <port_number> that is not permitted by default.
Error:  This is typically caused by an HTTPS URL that uses a port other than the default of 443.  Blue coat does not allow CONNECT methods to non-standard ports by default because it is considered a security risk to do so.
Exception:  CONNECT_METHOD_DENIED
How do I allow the ProxySG to connect to non-standard SSL ports?
I have an internal web server that uses a non-standard SSL port.  How can I get the ProxySG to allow connections to that web server?
My web browsers are configured in an explicit proxy environment.

Resolution

The ProxySG is a security device, and as such it does not, by default, allow SSL (CONNECT) connections to ports other than the standard SSL port 443.  However, there may be instances where a known good web server uses a non-standard port for SSL traffic.  The ProxySG can therefore be configured to allow SSL connections to such non-standard ports.  There are several ways to do this:

1.)  If you know which site hosts the web server that uses the non-standard SSL port, you can bypass the proxy for that site so the request is never sent to the ProxySG.  If you are using a PAC file, create an exclusion so the web browser goes direct instead of to the proxy; see KB1395 for details on modifying PAC files.  If you do not have a PAC file, you may be able to enter an exception directly into the browser.  Please refer to your browser documentation for further details.
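The following PAC file illustrates the exclusion described in solution #1.  It is an added example, not part of this article or a Blue Coat deliverable; the host name nonstandard-ssl-host.example.com, the port 4443 and the proxy address proxysg.example.com:8080 are placeholders.  Only the one internal server on its non-standard port goes DIRECT; every other request, including requests to that same host on port 443, still goes through the ProxySG.

```javascript
// Added example: a minimal PAC file that sends one internal HTTPS server on a
// non-standard port DIRECT and everything else through the ProxySG.
// Host, port and proxy values below are placeholders, not values from the KB article.

// Hypothetical internal server that listens for SSL on port 4443.
var DIRECT_HOST = "nonstandard-ssl-host.example.com";
var DIRECT_PORT = "4443";
// Hypothetical ProxySG explicit-proxy address.
var PROXY = "PROXY proxysg.example.com:8080";

// Browsers call FindProxyForURL(url, host) for every request. `host` is the
// hostname without the port, so the port has to be taken from `url`.
function FindProxyForURL(url, host) {
  if (host.toLowerCase() === DIRECT_HOST && portOf(url) === DIRECT_PORT) {
    return "DIRECT";
  }
  return PROXY;
}

// Extract the explicit port from a URL of the form scheme://host:port/path.
// Returns "" when no explicit port is present (the scheme default applies).
function portOf(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*?:(\d+)(?:[\/?#]|$)/i.exec(url);
  return m ? m[1] : "";
}
```

The match is deliberately on both host and port: excluding the host alone would also send its port-443 traffic around the proxy, which is wider than the problem requires.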

2.)  You can add the following CPL policy to the local policy file which allows a CONNECT request to be made to the host that uses a non-standard SSL port.  For information on how to add CPL code to the local policy file, please see KB3495.  Here is the sample policy:

;  BEGIN - Allows the ProxySG to use the CONNECT method to a port other than port 443
<proxy>
http.method=CONNECT url.host=nonstandard-ssl-host.example.com url.port=<non-standard-port-number> ALLOW
;  In the above example, replace nonstandard-ssl-host.example.com with the appropriate host.
;  In the above example, replace <non-standard-port-number> with an actual number, such as 4443 or whatever port you wish to override.
;  END - Allows the ProxySG to use the CONNECT method to a port other than port 443


This can also be done using the Visual Policy Manager: 

A.)  Create a new Web Access Layer.  A new layer ensures that the policy change will not overwrite any existing policy decisions.
B.)  Set the destination to be the port for which you want to allow non-443 CONNECT requests.  Make it a combined destination object if you want to add the site as in the CPL example above.
C.)  In the Service column, choose Protocol Methods, select HTTP/HTTPS from the drop-down, and check the "CONNECT" option.  Click OK.
D.)  Set the action to Allow.

3.)  Add CPL policy that allows CONNECT requests to any site on any port.  NOTE:  Blue Coat does not recommend allowing unrestricted CONNECT requests on any TCP port.  The preferred workaround is an explicit exception for the specific host and port, as in solution #2 above.  This solution is provided as is.

;  BEGIN - Allows the ProxySG to use the CONNECT method on ANY TCP port.  Not recommended.
<proxy>
http.method=CONNECT ALLOW
;  END - Allows the ProxySG to use the CONNECT method on ANY TCP port.  Not recommended.

NOTE:  Because an ALLOW action in a policy rule overrides the ProxySG's default precaution of refusing CONNECT requests to non-standard SSL ports, apply such rules with caution.  For example, a rule consisting only of an ALLOW action with no conditions would let the ProxySG permit CONNECT requests to any site on any destination port.
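To make the difference in scope between solution #2 and solution #3 concrete, here is an added example (not SGOS code and not from this article) that models how the two CPL rules above are matched.  It handles only the rule shape used in this article (a list of condition=value tokens followed by ALLOW), applies the proxy's default of refusing CONNECT to ports other than 443 when no rule matches, and includes a small audit helper that flags CONNECT ALLOW rules carrying no url.host or url.port condition.  The host names and ports are constructed sample values.

```javascript
// Added example: a simplified model of how the two CPL rules above scope a
// CONNECT exception. This is not SGOS. It parses only the
// "<condition>=<value> ... ALLOW" rule shape used in this article and applies
// the default of refusing CONNECT to ports other than 443 when nothing matches.
// Host names and ports are constructed sample values.

// Parse one CPL rule line such as
//   http.method=CONNECT url.host=h.example.com url.port=4443 ALLOW
// into { conditions: {name: value}, action: "ALLOW" }. Returns null for
// comments (";"), layer headers ("<proxy>") and blank lines.
function parseRule(line) {
  var s = line.trim();
  if (s === "" || s.charAt(0) === ";" || s.charAt(0) === "<") return null;
  var tokens = s.split(/\s+/);
  var action = tokens.pop();
  var conditions = {};
  tokens.forEach(function (t) {
    var eq = t.indexOf("=");
    if (eq < 0) throw new Error("unsupported token: " + t);
    conditions[t.slice(0, eq)] = t.slice(eq + 1);
  });
  return { conditions: conditions, action: action };
}

function parsePolicy(text) {
  return text.split("\n").map(parseRule).filter(function (r) { return r !== null; });
}

// Evaluate a request {method, host, port} against the parsed rules.
// The first matching rule wins; with no match, the proxy's default of
// refusing CONNECT to any port other than 443 applies.
function evaluate(rules, req) {
  for (var i = 0; i < rules.length; i++) {
    var c = rules[i].conditions;
    var ok = (!("http.method" in c) || c["http.method"] === req.method) &&
             (!("url.host" in c) || c["url.host"].toLowerCase() === req.host.toLowerCase()) &&
             (!("url.port" in c) || Number(c["url.port"]) === req.port);
    if (ok) return rules[i].action;
  }
  if (req.method === "CONNECT" && req.port !== 443) return "DENY (CONNECT_METHOD_DENIED)";
  return "DEFAULT";
}

// Audit helper: list CONNECT ALLOW rules that carry no url.host or url.port
// condition, i.e. rules that open every TCP port (the solution #3 shape).
function unrestrictedConnectRules(rules) {
  return rules.filter(function (r) {
    var c = r.conditions;
    return r.action === "ALLOW" && c["http.method"] === "CONNECT" &&
           !("url.host" in c) && !("url.port" in c);
  });
}

// Constructed policies mirroring solution #2 and solution #3.
var SCOPED_POLICY = [
  "; BEGIN - one host, one port",
  "<proxy>",
  "http.method=CONNECT url.host=nonstandard-ssl-host.example.com url.port=4443 ALLOW"
].join("\n");

var OPEN_POLICY = [
  "<proxy>",
  "http.method=CONNECT ALLOW"
].join("\n");
```

Running a candidate policy through unrestrictedConnectRules before installing it is a cheap check that a rule meant as a narrow exception has not been written in the unrestricted form.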

