Allow specific HTTPS URL yet block access to its domain in an Explicit environment.
Last Updated March 23, 2019
The purpose of this article is to provide a way to allow traffic to a specific URL while at the same time blocking access to the domain the URL is part of. This only applies to Explicit scenarios, as the CONNECT method is only present in this kind of deployment.
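This article assumes you are performing SSL Interception on the domain in question. Without interception, the proxy only sees the hostname in the CONNECT request and cannot match on the URL path inside the encrypted session.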
Two rules will be needed, and one way of doing it is as follows:
Create a rule in a Web Access layer to allow the specific site when using the CONNECT method.
Create a rule in a separate Web Access layer to allow traffic for a specific URL within that domain.
Create another rule below the one we've just created: set the domain you want to block and set the action to deny (this time without setting the CONNECT method).
The proxy will receive a CONNECT request from the client. That request will go through the policies and be allowed.
Then one of the following will happen:
If the encrypted request is for example.com/path.html, the request will be allowed.
If the encrypted request is anything other than the above on that domain, the request will be denied.
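The two-stage evaluation described above, as a simplified Python model added here for illustration; it is not ProxySG policy or vendor code. The single ordered rule list with first-match-wins, the Rule fields, the default-deny verdict and the function names are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    domain: str                   # matches the host itself and its subdomains
    method: Optional[str] = None  # None means any method
    url: Optional[str] = None     # exact host + path; None means whole domain

    def matches(self, method: str, host: str, path: Optional[str]) -> bool:
        if self.method and self.method != method:
            return False
        if not (host == self.domain or host.endswith("." + self.domain)):
            return False
        if self.url is not None:
            # A CONNECT carries no path, so a URL rule can never match it.
            return path is not None and host + path == self.url
        return True

# The three rules from the steps above, modelled (assumption) as one
# ordered list in which the first matching rule decides.
RULES = [
    Rule("allow", "example.com", method="CONNECT"),
    Rule("allow", "example.com", url="example.com/path.html"),
    Rule("deny", "example.com"),
]

def verdict(method, host, path=None, rules=RULES, default="deny"):
    """First matching rule wins; default-deny is an assumption."""
    for rule in rules:
        if rule.matches(method, host, path):
            return rule.action
    return default

def evaluate(url, rules=RULES):
    """Return (CONNECT verdict, verdict for the decrypted request)."""
    parts = urlsplit(url)
    host = parts.hostname
    connect = verdict("CONNECT", host, None, rules)  # only the host is visible
    if connect == "deny":
        return connect, None  # tunnel refused, nothing to intercept
    return connect, verdict("GET", host, parts.path or "/", rules)
```

Calling evaluate with RULES[1:] (the CONNECT rule removed) shows why that rule is needed in this model: the domain deny then matches the CONNECT itself, so the allowed URL is never reached.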