ProxySG & Advanced Secure Gateway

  • 1.  ProxySG-Policy evaluation

    Posted Jul 19, 2018 03:55 AM

    Hi Team,

    We have a transparent mode setup. The client has TCP tunnel services enabled in the protocol.

    We have configured a block rule to block the social media and porn categories.

    But users can access those blocked-category URLs. When we check in the policy trace, it shows the IP addresses instead of the URL:

    tunnel: get :/63.53.67.12

    Even those rules are not matching in the policy execution.

    Please advise on this.

    Thanks,

    Ram.



  • 2.  RE: ProxySG-Policy evaluation

    Posted Jul 19, 2018 04:41 AM

    Hi Ram,

    In a transparent setup, the requests from the client go towards the server directly and all we can see is the traffic over the IP address. If this is not an SSL intercepted connection, all the proxy can see is the IP address. With the visibility limited to the IP address (as there is no SSL Interception), matching of category is best effort. Any destination IP based rules should work just fine. Unless there is SSL Interception, there won't be an effective control.



  • 3.  RE: ProxySG-Policy evaluation

    Posted Jul 19, 2018 05:26 AM

    Hi Aravind,

    So, we cannot control the user access based on the category in transparent mode?

    In the same setup, if I enable the detect protocol option, how will it work? Do we still need to do SSL intercept?

    Thanks,

    Ram.



  • 4.  RE: ProxySG-Policy evaluation
    Best Answer

    Posted Jul 19, 2018 06:29 AM

    Hi Ram,

    For effective working of the Category or URL based policies, we need to have SSL Interception enabled in the case of a Transparent setup. This is due to the secure nature of transparent SSL, which doesn't give much information on the website the client is trying to reach. For Explicit, this is not a challenge as the browser requests the domain name in the format CONNECT www.google.com:443, with which the proxy can check the rules. This doesn't need SSL interception to see the clear text information given along with CONNECT. Enabling protocol detection with TCP-Tunnel selected will enable the proxy to pass the HTTPS traffic (after identification) to the SSL Proxy service. This also doesn't give us anything extra unless we do SSL Interception.



  • 5.  RE: ProxySG-Policy evaluation

    Posted Jul 23, 2018 02:05 PM

    Hmm, wouldn't ProxySG be able to use the Server Name Indication in the SSL Client Hello after enabling Protocol Detection, even without enabling SSL interception?

    Otherwise, you could use a rule like "server.certificate.hostname.category="Social Networking" FORCE_DENY" to block connections. As long as clients are not using TLS 1.3, ProxySG should see the server certificate coming from the OCS and block or allow connections based on the hostname in the certificate.



  • 6.  RE: ProxySG-Policy evaluation

    Posted Jul 24, 2018 12:18 AM

    Hi Fi-Da,

    Currently SNI based checks are not available on the proxy. The SSL Proxy service is able to see it but might not be set to act upon it yet. It might be there in a future release. The server.certificate.hostname.category will need the service to be intercepted by SSL Proxy (or TCP-Tunnel with DP enabled). Handing over to SSL proxy might end up in having certificate errors due to a trust issue when the proxy attempts to throw an exception. This is why I have mentioned that "Unless there is SSL Interception, there won't be an effective control". By this I also mean that the cert trust is established, which is a must in SSL Interception. But yes, server certificate based control is a bit better than having the blind TCP-Tunnel based one.