Tunneled traffic using a CONNECT request is allowed when the destination port is not 443. Such traffic should be blocked if the destination port is not 443.
If there is no matching policy in the Visual Policy Manager (VPM) or in the Local policy file, the ProxySG appliance enforces the default policy. For security reasons, whether the default policy is Deny or Allow, the appliance does not allow CONNECT on ports other than 443.
If a matching policy rule exists in the VPM or Local policy file, the matching policy overrides the default policy action and changes the default behavior. If the configured policy rule allows the transaction, non-SSL traffic on ports other than 443 is allowed.
To avoid this issue, add the following CPL code in your local policy file.
<Proxy>
; if the url port is not 443 AND the non-standard SSL port is not allowed, then deny
DENY http.method=CONNECT url.port=!443 detect_protocol(none)
To allow certain non-standard SSL TCP ports, add an exception condition.
<Proxy>
; if the url port is not 443 AND the non-standard SSL port is not in the allowed list, then deny
DENY condition=!Allowed_non-standard_SSLport http.method=CONNECT url.port=!443 detect_protocol(none)

define condition Allowed_non-standard_SSLport
  url.domain=host1.domain1.tld url.port=1234
  url.domain=host2.domain2.tld url.port=2345
end
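A small Python model of how the DENY rule and its exception condition above evaluate a CONNECT request, added here as an example; it is not ProxySG code and not part of the article. It assumes the usual CPL semantics that triggers on one rule line are ANDed while the lines of a define condition are ORed, and it reports NO_MATCH when the DENY rule does not fire so that the rest of the policy (or the default policy) decides.

```python
"""Model of the CPL DENY rule with the Allowed_non-standard_SSLport
exception (added example, not ProxySG code).

Assumptions: triggers on one line are ANDed, the lines of a
`define condition` block are ORed, and a CONNECT request line looks
like "CONNECT host:port HTTP/1.1".
"""
from dataclasses import dataclass

# One tuple per line of the define condition block; within a line the
# url.domain and url.port triggers are ANDed, so (host1, 2345) is NOT allowed.
ALLOWED_NON_STANDARD_SSL_PORTS = [
    ("host1.domain1.tld", 1234),
    ("host2.domain2.tld", 2345),
]


@dataclass
class Request:
    method: str
    domain: str
    port: int


def allowed_non_standard_ssl_port(req: Request) -> bool:
    """condition=Allowed_non-standard_SSLport: true if ANY line matches."""
    return any(req.domain == d and req.port == p
               for d, p in ALLOWED_NON_STANDARD_SSL_PORTS)


def evaluate(req: Request) -> str:
    """Verdict of the rule
    DENY condition=!Allowed_non-standard_SSLport http.method=CONNECT url.port=!443
    Every trigger must match for the DENY to fire; otherwise this rule makes
    no decision (NO_MATCH) and the remaining policy / default policy applies.
    """
    if (req.method == "CONNECT"
            and req.port != 443
            and not allowed_non_standard_ssl_port(req)):
        return "DENY"
    return "NO_MATCH"


def parse_connect_line(line: str) -> Request:
    """Build a Request from a raw request line (constructed sample input)."""
    method, target, _version = line.split()
    host, _, port = target.rpartition(":")
    return Request(method, host, int(port))
```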
Imported Document ID: 000014194