Regenerating a software license for ProxySG 300-5 and 9000-5/10/20 units adds an SSL-Proxy license; in some cases, this can cause SSL traffic to be blocked
Last Updated May 13, 2017
SG300-5 SG9000-5 SG9000-10 SG9000-20
SG9000-30/40, SG300-10/35, SG600 and SG900 units all have the SSL Proxy functionality present by default. This change does not impact SG210, SG510, SG810 or SG8100 units.
When regenerating a software license for the above-mentioned hardware (common when adding or removing a feature from a licensed product), an SSL Proxy license will be added. The addition of an SSL Proxy license can cause traffic directed to SSL sites to be blocked in the following use cases:
1. If all of the following are true:
• A TCP-Tunnel or HTTP service is configured and set to "Intercept"
• Protocol Detection has been enabled on that service (it is disabled by default)
• SSL traffic is sent through that service
2. If at any time in the past an SSL-Intercept policy was created, but not disabled because there was no valid SSL Proxy license.
3. If a SOCKS proxy or "Default" service is configured to intercept, and protocol detection has been enabled (again, this is disabled by default).
In these cases, blockage occurs when SSL traffic goes to a server that uses an SSL certificate that is not trusted by the ProxySG appliance. When this happens, the client will not be given an option to accept the untrusted certificate and the client will be delivered an exception page (denial).
To prevent these blockages, you can do one of two things:
A) Add a policy to disable SSL interception
• In the Visual Policy Manager, create a NEW "Web Access Layer" (do NOT reuse an existing one for this).
• Change the action on the rule to "Disable SSL Detection" instead of the "deny" present in that rule by default.
• This layer should be placed last to ensure the rule is applied. To change its location, click the Edit menu, then "Reorder layers..." option.
  o If you are using a combination of policies using the Visual Policy Manager and another policy file such as Local or Central, please open a support ticket for assistance in getting this policy installed in those files.
B) Disable protocol detection on all service ports where SSL traffic may inadvertently go.
NOTE: Regenerating the license (and therefore adding the SSL Proxy license) is a permanent change. You cannot revert the license to remove the SSL Proxy functionality.
Previously, the SSL Proxy license was offered as an option that was purchased separately. Complimentary SSL Proxy licenses are now offered to provide more functionality on the latest generation hardware at no additional cost. Complimentary licenses are not available on older-generation hardware.
Do not regenerate the license if you wish to retain the old functionality.
This is an intentional change, and thus there is no "resolution" for this.
Imported Document ID: 000007621