Solutions

Individual URL bypass for HTTPS website in blocked content-filter category, transparent deployment with SSL interception

Solutions ID:    KB4725
Version:    2.0
Status:    Published
Published date:    10/27/2011
Updated:    10/27/2011
 

Problem Description

You need to allow access to a specific HTTPS website, which belongs to a URL category that's blocked using content-filtering in your policy, and your ProxySG is deployed in inline transparent mode with SSL interception enabled.

Resolution

Step 1: Configure the HTTPS proxy-service as depicted below:


 

The main point to note here is that detect protocol is enabled, which is not the default for a TCP Tunnel service.

 

Step 2. Add a rule in Web-Access layer for the website to be bypassed:

 

 

The main points to note here are that the combined-source object for the website must include both its hostname and its IP address, as resolved from the client network which would be attempting to browse the website. In the depicted example, https://www.mozilla.org resolved to 63.245.209.11 on the test network.
The Action is a 'Disable SSL Detection' object, matching All Tunneled Traffic.

 

Step 3. Add an SSL Interception layer:



Here, SSL Interception has been enabled for all traffic.

 

Step 4. Blocking the URL category in an SSL Access Layer





 

Here, a server certificate category object has been added, for the content-filter category which the bypassed website belongs to (but which will otherwise be blocked).
Note also that the blocking action for the URL category must be Force Deny.

 

 

 

 

 

Notes:
The above only deals with the specific use-case scenario where HTTPS variants of a URL category are to be blocked in policy, and some individual HTTPS URLs need to be exempted. If HTTP variants of the same content-filter category also need to be blocked, and HTTP variants of the same indidual URLs also need to be exempted, relevant policy layers and rules would need to be added to take this into account. Please refer to KB1901 for more details.


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question