Unable to reach a secure site (page not displayed) through the ProxySG or ASG. Protocol Detection is enabled.
Detect Protocol (or Protocol Detection) is enabled by default on ProxySG and Advanced Secure Gateway (ASG). This feature monitors the characteristics of a connection to determine what mechanism it should use to handle it.
There are many reasons why SSL Interception can fail, which include, but are not limited to, the following:
Incompatibilities in the cipher suites supported by the clients, the proxy appliances and the OCS destinations.
Incompatibilities in the elliptic curves (ECs) supported by the clients, the proxy appliances and the OCS destinations.
Non-standard traffic (traffic that does not follow the applicable RFCs).
Incorrectly configured, weak or expired certificates.
Unreachable hosts / destinations.
A workaround is to disable Protocol Detection for a single site or single domain.
Add the following syntax to the proxy Local Policy or via a "CPL Layer" in the proxy Visual Policy Manager (VPM):
; This script disables protocol detection.
; Detect Protocol (or Protocol Detection) is a ProxySG feature that looks
; into characteristics of a connection to determine what mechanism it should
; use to handle it. On occasion this needs to be disabled on exception
; (per site basis).
; For example, if an SSL connection comes into the ProxySG on port 80
; (typically used for HTTP instead of SSL), and if Protocol Detection is enabled,
; the ProxySG will see that it is actually SSL traffic and handle it as such.
; If Protocol Detection is disabled (it is enabled by default), the connection
; will be tunneled, as it is not valid HTTP traffic. Protocol Detection can also
; be used to identify peer-to-peer traffic and many other types of traffic which
; may attempt to use non-standard ports.
; For more information refer to:
; - Tech243402 (https://support.symantec.com/en_US/article.TECH243402.html)
; - Tech243102 (What is Detect Protocol and what does it do?)
; Condition Note(s):
; - To disable by URL, use the syntax ---> url.domain=example.com
; - To disable by Destination IP, use the syntax ---> url.address=10.10.10.10
; - To disable by User Agent, use the syntax ---> request.header.User-Agent="application-specific-agent-name"
define condition PDExceptionList
    ; One trigger per line; a request matching any line is excluded from
    ; Protocol Detection. Replace the sample value with the affected site.
    url.domain=example.com
end condition PDExceptionList
; Apply the exception: matching requests are handled with Protocol Detection
; off, so the connection is tunneled on the port it arrived on.
<proxy>
    condition=PDExceptionList detect_protocol(no)
;############ END Disable Protocol Detection ############
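The following is an added example, not code from the original article or from Symantec, showing the same exception mechanism carried through for all three trigger types named in the condition notes (domain, destination address and User-Agent), with an explicit default for everything else and an optional policy trace for confirming which rule matched. The domain, the address and the agent string are placeholders, and the trace layer is an assumption about how an administrator would verify the result rather than part of the documented workaround.

```cpl
; Added example (not part of the original article): a complete local-policy
; fragment that exempts three kinds of traffic from Protocol Detection.
; All host names, addresses and agent strings below are placeholders.

define condition PDExceptionList
    ; by destination domain (matches the domain and its subdomains)
    url.domain=example.com
    ; by destination IP address
    url.address=10.10.10.10
    ; by client User-Agent header
    request.header.User-Agent="application-specific-agent-name"
end condition PDExceptionList

<proxy>
    ; exempted traffic is tunneled on the port it arrived on
    condition=PDExceptionList detect_protocol(no)
    ; every other connection keeps the default behaviour
    detect_protocol(yes)

; Optional while troubleshooting: trace requests to one exempted site so the
; policy trace shows which rule matched. Remove once the fix is confirmed.
<proxy>
    url.domain=example.com trace.request(yes) trace.rules(all)
```

Keep the exception list as narrow as possible: each entry turns off the protocol check for that traffic, so a broad `url.domain` entry also exempts every subdomain beneath it.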
Examples of the various 'detect_protocol' CPL code