Block page for SSL Decrypt Bypass traffic

  • 26 April 2022
  • 2 replies
  • 97 views

Badge +2

I am interested to know how other customers are able to present a block page when a user is browsing from a network segment that has an SSL Decrypt Bypass policy applied.  Currently, users are shown a generic "this site can't be reached" message versus our branded block page.  Netskope Support stated the branded block page (custom User Notification) cannot be displayed since Netskope is not intercepting the traffic due to the SSL Decrypt bypass policy.  Is anybody else experiencing the same issue?


2 replies

Userlevel 1
Badge +9

Hi Dbrattrbi

 

From a technical perspective, when a client/browser makes a HTTP request over an SSL session (HTTPS), the proxy in the middle (e.g Netskope) has 2 options:

 

1. SSL intercept the connection and return its own HTTP content inside the SSL tunnel.

2. Terminate the TCP connection with a TCP RESET

 

Without SSL interception being enabled (because there is a bypass in place) the proxy (Netskope) cannot open the encrypted SSL tunnel and return its own block page back to the browser.

 

Therefore, the only option is for the connection to be terminated with a TCP RESET. When the connection is terminated, the browser doesn't know why and the proxy can't return a reason (e.g a HTTP 403 response code), resulting in the generic browser error you see.

 

I hope that helps explain the actual reason why having an SSL bypass results in a generic browser error, rather than the branded block page?

 

Userlevel 5
Badge +15

Hi, @Dbrattrbi. Thanks for joining the Netskope Community!  

 

If @rthomson provided you with an acceptable solution to your question, can you mark the reply as "Accept as Solution"? An Accepted Solution is a way for you to choose the response that best answers a question that you've posted. When you accept a solution, both the question and the solution get unique icons and links that take you directly from the question to the answer.  

 

Thanks for contributing to the Netskope Community. 

 

 

 

 

Reply