ProxySG fails to allow connections to SSL ports other than port 443
Error: CONNECT to a port other than 443 (the default HTTPS port) is not permitted
The ProxySG is considered a security device. As a security device, by default the proxy does not allow SSL connections to non-SSL ports. However, there may be instances where a known good web server is using a non-standard SSL port for SSL traffic. Therefore the ProxySG can be configured to allow SSL connections to the non-standard SSL ports. There are several ways in which to do this. They are as follows:
1.) If a site hosts its web server on a non-standard SSL port, you can bypass the proxy for requests to that site. If you are using a PAC file, you can create an exclusion so the web browser goes direct instead of to the proxy. Please see KB1395 for additional details on modifying PAC files. If you do not have a PAC file, you may be able to manually enter an exception directly into the browser. Please refer to your browser documentation for further details.
2.) You can add the following CPL policy to the local policy file which allows a CONNECT request to be made to the host that uses a non-standard SSL port. For information on how to add CPL code to the local policy file, please see KB3495. Here is the sample policy:
; BEGIN - Allows the ProxySG to use the CONNECT method to a port other than port 443
<proxy>
http.method=CONNECT url.host=nonstandard-ssl-host.example.com url.port=<non-standard-port-number> ALLOW
; In the above example, replace nonstandard-ssl-host.example.com with the appropriate host.
; In the above example, replace <non-standard-port-number> with an actual number, such as 4443 or whatever port you wish to override.
; END - Allows the ProxySG to use the CONNECT method to a port other than port 443
This can also be done using the Visual Policy Manager:
A.) Create a new Web Access Layer. A new layer ensures that the policy change will not overwrite any existing policy decisions.
; BEGIN - Allows the ProxySG to use the CONNECT method on ANY TCP port. Not recommended.
<proxy>
http.method=CONNECT ALLOW
; END - Allows the ProxySG to use the CONNECT method on ANY TCP port. Not recommended.
NOTE: Because the "ALLOW" action in a policy rule lets the SG override its default security precaution of preventing access to sites via non-standard SSL ports, apply the rule with caution. For example, a policy rule with only the "ALLOW" action and no condition would set the SG to allow requests to connect to sites through any destination port.
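The following Python script is an added example, not part of the original article or of any ProxySG tooling. It audits CPL text for the over-broad rules the NOTE warns about: an ALLOW that applies to CONNECT without pinning both url.host and url.port. The function name, the sample policy and the simplified parsing (one rule per line, ";" comments, "<layer>" headers, as in the samples above) are assumptions made for this example.

```python
# Added example: flag CPL rules that ALLOW CONNECT without pinning host and port.
# Assumption: simplified parser covering only the single-line rule form shown
# on this page (';' starts a comment, '<name>' opens a layer).

# Constructed sample policy for this example (4443 is an illustrative port).
SAMPLE_POLICY = """\
; constructed sample policy
<proxy>
http.method=CONNECT url.host=nonstandard-ssl-host.example.com url.port=4443 ALLOW
<proxy>
http.method=CONNECT ALLOW
<proxy>
http.method=CONNECT url.host=nonstandard-ssl-host.example.com ALLOW
<proxy>
ALLOW
"""

REQUIRED = ("url.host", "url.port")  # conditions that scope a CONNECT exception


def audit_connect_rules(cpl_text):
    """Return (line_no, rule, missing_conditions) for each over-broad ALLOW."""
    findings = []
    for line_no, raw in enumerate(cpl_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("<"):     # blank line or layer header
            continue
        conditions, actions = {}, set()
        for tok in line.split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                conditions[key.lower()] = value
            else:
                actions.add(tok.upper())
        if "ALLOW" not in actions:
            continue
        # A rule with no http.method condition also matches CONNECT requests.
        method = conditions.get("http.method")
        if method is not None and method.upper() != "CONNECT":
            continue
        missing = [k for k in REQUIRED if k not in conditions]
        if missing:
            findings.append((line_no, line, missing))
    return findings


if __name__ == "__main__":
    for line_no, rule, missing in audit_connect_rules(SAMPLE_POLICY):
        print(f"line {line_no}: '{rule}' lacks {', '.join(missing)}")
```

Run against the sample, it reports the rules on lines 5, 7 and 9 and leaves the host-and-port-scoped rule on line 3 alone.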