CONNECT requests fail when using authentication involving redirects, forms-based authentication, or origin-type authentication
Last Updated May 13, 2017
The ProxySG appliance may return an exception when a browser sends a CONNECT request. Browsers use the CONNECT method when they are explicitly configured to use a proxy and the user requests an HTTPS URL: the browser asks the proxy to open a tunnel to the destination host and port, then negotiates TLS with the origin server through that tunnel.
The ProxySG appliance responds to every browser in the same way: an HTTP 403 Forbidden carrying the "Appliance Error (configuration_error)" exception page. How that response is presented to the user depends entirely on the browser. Some browsers (usually older ones) render the exception page; others show a generic "Page cannot be displayed" or "Connection refused" error, because modern browsers deliberately do not render the body of a failed CONNECT response (it comes from the proxy, not from the HTTPS origin the user asked for).
Refer to the browser vendor's documentation for details of how a particular browser handles this response.
The following restriction applies to CONNECT requests whenever the configured authentication mode relies on redirection, for example origin-ip-redirect, origin-cookie-redirect, or forms-based authentication.
A CONNECT request carries only the destination host and port; the full URL (scheme, path and query string) is sent inside the TLS tunnel and is never visible to the appliance. Redirect-based modes work by sending the client back to the originally requested URL once authentication completes, and for a CONNECT request the appliance cannot know that URL, so the redirect can never be completed.
The following workarounds are suggested:
Bypass authentication for CONNECT requests using policy.
Use standard proxy authentication for CONNECT requests, so the appliance challenges the browser directly instead of redirecting it.
Set the browser's default (home) page to an HTTP, not HTTPS, web site, so the user authenticates on a plain HTTP request before the first CONNECT is sent. This does not help once the browser has been idle long enough for the authenticated session to time out.
Use SSL interception. Apply the authenticate.tolerate_error(cannot_redirect_connect) action together with SSL interception of unauthenticated sessions. The ProxySG then intercepts only HTTPS sessions that are not yet authenticated and authenticates on the decrypted HTTPS request, where the full URL is visible, rather than on the HTTP CONNECT. Clients must trust the appliance's emulated-certificate issuer CA, otherwise intercepted sessions produce certificate warnings.
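The policy fragments below are an added example, not taken from the original article or from Symantec documentation; they show the policy-based workarounds above expressed in CPL. The realm name MyRealm is assumed, the redirect mode origin-cookie-redirect is used only as a representative redirect mode, and the authenticated=no condition in the <SSL-Intercept> layer is an assumption to confirm against the CPL reference for the SGOS version in use. Install only one of the three alternatives.

```cpl
; Added example policy (not from the original article). "MyRealm" is an assumed realm name.
; Rules within a layer are evaluated first-match; later layers override earlier ones,
; so install only ONE of the alternatives below.

; --- Alternative 1: bypass authentication for CONNECT requests ---
; CONNECT matches the first rule and is never authenticated; every other
; request falls through to the redirect-mode realm.
<Proxy>
    http.method=CONNECT authenticate(no)
    authenticate(MyRealm) authenticate.mode(origin-cookie-redirect)

; --- Alternative 2: standard proxy authentication for CONNECT only ---
; CONNECT gets a 407 Proxy-Authenticate challenge (no redirect needed);
; plain HTTP requests keep the redirect mode.
<Proxy>
    http.method=CONNECT authenticate(MyRealm) authenticate.mode(proxy)
    authenticate(MyRealm) authenticate.mode(origin-cookie-redirect)

; --- Alternative 3: tolerate the error and intercept unauthenticated HTTPS ---
; The CONNECT is tolerated rather than rejected with configuration_error, and
; sessions that are not yet authenticated are intercepted so that authentication
; (and the redirect) happens on the decrypted HTTPS request, where the URL is visible.
<Proxy>
    authenticate(MyRealm) authenticate.mode(origin-cookie-redirect) \
        authenticate.tolerate_error(cannot_redirect_connect)

<SSL-Intercept>
    ; ASSUMPTION: authenticated= is accepted in this layer on your SGOS release.
    authenticated=no ssl.forward_proxy(https)
```

Alternative 3 additionally requires SSL interception to be licensed and the emulated-certificate issuer CA to be trusted by the clients; once a session is authenticated it matches none of the intercept rules and is tunneled untouched.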