In troubleshooting authentication issues, you may find the following error in a policy trace:
EXCEPTION(configuration_error): Authentication failed because of a configuration problem Last Error: Failure to authenticate a tunneled SSL request. This is typically caused when authentication policy is applied to tunneled SSL connections.
Please contact your network administrator to either exempt tunneled SSL traffic from authentication or to create suitable SSL interception policy for first intercepting SSL connections as HTTPS and then authenticating them.
This exception page is issued when the proxy cannot issue an authentication challenge within an encrypted session because it is not decrypting that session.
Because authentication challenges cannot be injected into an encrypted exchange, authentication must be bypassed for the URL. There are several methods to achieve this:
Use a regular expression in policy to match a do-not-authenticate rule. NOTE: Regex rules may use more resources to process.
Add the following to the CPL local policy file:
<Proxy>
    url.regex="ssl://" authenticate(no)
Use the VPM to define a rule based on the ssl:// prefix on the Web Authentication layer:
Under Destination right-click > Set > New > Request URL > Select Regular Expression Match > add ssl:// > OK > click Install Policy
Create a rule that authenticates only requests where the scheme is HTTP or HTTPS. This prevents tunneled traffic from matching:
A. Find the rule that is currently configured to trigger authentication
B. Right-click Destination > Set > New > Combined Destination Object
C. Click New > Request URL Object
D. Give the object a name
E. Click Advanced Match, change Scheme to HTTP, and click Add (then do the same for HTTPS)
F. Once both objects are created, select each object and click Add to add the objects to the top right box
Your rule should appear as follows:
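The same scheme-based rule can also be written directly in the CPL local policy file. This is an added example, not part of the original article; `corp_realm` is a placeholder for your own realm name, and the commented-out "before" rule is an assumed starting point.

```cpl
; Added example (not from the original article).
; "corp_realm" is a placeholder realm name.

; Before (assumed starting point): every request that reaches this layer
; is challenged, including tunneled ssl:// requests that the proxy is
; not decrypting.
;
; <Proxy>
;     authenticate(corp_realm)

; After: only requests whose scheme is HTTP or HTTPS are challenged.
; Rules in a layer are evaluated top-down and the first match wins.
; A tunneled request matches neither rule, so this layer does not
; request authentication for it. url.scheme= tests the parsed scheme
; of the request URL and does not need a regular expression.
<Proxy>
    url.scheme=http authenticate(corp_realm)
    url.scheme=https authenticate(corp_realm)
```

After installing the policy, take a new policy trace of a tunneled SSL request and confirm that the configuration_error exception no longer appears.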
Imported Document ID: 000009488