Technical Alerts

Regenerating a software license for ProxySG 300-5 and 9000-5/10/20 units adds an SSL-Proxy license; in some cases, this can cause SSL traffic to be blocked

Technical Alerts ID:    TFA65
Version:    1.0
Status:    Published
Published date:    05/24/2011
 

Affected products and versions

SG300-5
SG9000-5
SG9000-10
SG9000-20

SG9000-30/40, SG300-10/35, SG600 and SG900 units all have the SSL Proxy functionality present by default. This change does not impact SG210, SG510, SG810 or SG8100 units.

Problem description

When regenerating a software license for the above-mentioned hardware (common when adding or removing a feature from a licensed product), an SSL Proxy license will be added. The addition of an SSL Proxy license can cause traffic directed to SSL sites to be blocked in the following use cases:

1. If all of the following are true:

  • A TCP-Tunnel or HTTP service is configured and set to "Intercept"
  • Protocol Detection has been enabled on that service (it is disabled by default)
  • SSL traffic is sent through that service

2. If at any time in the past an SSL-Intercept policy was created and never disabled (there was no reason to disable it, because without a valid SSL Proxy license it had no effect).

3. If a SOCKS proxy or "Default" service is configured to intercept, and protocol detection has been enabled (again, this is disabled by default).

In these cases, blockage occurs when SSL traffic goes to a server whose SSL certificate is not trusted by the ProxySG appliance. When this happens, the client is not given the option to accept the untrusted certificate and instead receives an exception page (denial).

To prevent these blockages, you can do one of two things:

A) Add a policy to disable SSL interception
   1. In the Visual Policy Manager, create a NEW "Web Access Layer" (do NOT reuse an existing one for this).
   2. Change the action on the rule to "Disable SSL Detection" instead of the "deny" present in that rule by default.
   3. Place this layer last to ensure the rule is applied. To change its location, click the Edit menu, then the "Reorder layers..." option.
   • If you are using a combination of policies using the Visual Policy Manager and another policy file such as Local or Central, please open a support ticket for assistance in getting this policy installed in those files.

B) Disable protocol detection on all service ports where SSL traffic may inadvertently go.
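The three use cases above and the two mitigations can be turned into a pre-regeneration audit. The following is an added example written for this alert, not Blue Coat code and not the ProxySG configuration format: the Service records are a constructed, simplified model carrying only the fields the use cases depend on (proxy type, Intercept action, per-service protocol detection, and whether SSL traffic is sent through the service), and the sample inventory is invented. It flags each service that matches a use case and names the option (A or B) from the alert that addresses it.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, simplified model of a ProxySG service listener (assumption:
# not the appliance's own configuration format). Only the fields that the
# alert's three use cases depend on are modelled.
@dataclass(frozen=True)
class Service:
    name: str
    proxy_type: str            # e.g. "HTTP", "TCP-Tunnel", "SOCKS", "Default"
    intercept: bool            # True when the service action is "Intercept"
    protocol_detection: bool   # per-service setting, disabled by default
    carries_ssl: bool          # True if SSL traffic is sent through the service

# Mitigation text, taken from options A and B of the alert.
DISABLE_DETECTION = "Option B: disable protocol detection on this service"
DISABLE_SSL_LAYER = ("Option A: add a new Web Access Layer, placed last, whose rule "
                     "action is 'Disable SSL Detection'")

Finding = Tuple[str, int, str]   # (subject, use case number from the alert, mitigation)

def find_ssl_blocking_risks(services: List[Service],
                            ssl_intercept_policy_present: bool) -> List[Finding]:
    """Flag configurations that the alert says may block SSL traffic once a
    license regeneration adds the SSL Proxy license."""
    findings: List[Finding] = []

    # Use case 2: an SSL-Intercept policy left in place from before a license existed.
    if ssl_intercept_policy_present:
        findings.append(("policy", 2, DISABLE_SSL_LAYER))

    for svc in services:
        # Use cases 1 and 3 both require Intercept plus protocol detection enabled.
        if not (svc.intercept and svc.protocol_detection):
            continue
        if svc.proxy_type in ("TCP-Tunnel", "HTTP") and svc.carries_ssl:
            findings.append((svc.name, 1, DISABLE_DETECTION))   # use case 1
        elif svc.proxy_type in ("SOCKS", "Default"):
            findings.append((svc.name, 3, DISABLE_DETECTION))   # use case 3
    return findings

# Constructed sample inventory (not taken from any real appliance).
SAMPLE_SERVICES = [
    Service("Explicit HTTP", "HTTP", intercept=True, protocol_detection=True, carries_ssl=True),
    Service("Transparent HTTP", "HTTP", intercept=True, protocol_detection=False, carries_ssl=True),
    Service("Tunnel 8443", "TCP-Tunnel", intercept=True, protocol_detection=True, carries_ssl=False),
    Service("SOCKS", "SOCKS", intercept=True, protocol_detection=True, carries_ssl=False),
    Service("Default", "Default", intercept=False, protocol_detection=True, carries_ssl=True),
]

def audit_sample() -> List[Finding]:
    """Run the audit over the constructed inventory with no stale SSL-Intercept policy."""
    return find_ssl_blocking_risks(SAMPLE_SERVICES, ssl_intercept_policy_present=False)

if __name__ == "__main__":
    for subject, case, fix in audit_sample():
        print(f"{subject}: matches use case {case}; {fix}")
```

On the sample inventory only "Explicit HTTP" (use case 1) and "SOCKS" (use case 3) are reported; "Transparent HTTP" has detection off, "Tunnel 8443" carries no SSL traffic, and "Default" is not set to Intercept, so none of them match. Running such a check before regenerating the license tells you which services need option B and whether option A is needed at all.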

NOTE: Regenerating the license (and therefore adding the SSL Proxy license) is a permanent change. You cannot revert the license to remove the SSL Proxy functionality.

Status

Previously, the SSL Proxy license was offered as an option that was purchased separately. Complimentary SSL Proxy licenses are now offered to provide more functionality on the latest generation hardware at no additional cost. Complimentary licenses are not available on older-generation hardware.

Workaround

Do not regenerate the license if you wish to retain the old functionality.

Resolution

This is an intentional change, and thus there is no "resolution" for this.

