Hope you are doing well.
Time/IP based authentication, which is generally used with transparent deployment, does not work without HTTPS scanning if you start browsing to an HTTPS web site as the first request, as there is no CONNECT request in a transparent setup either.
There is no CONNECT request in transparent proxy modes. If there is a CONNECT request, MWG can answer a "302" and redirect the client to the authentication server for authentication. If SSL Scanner is enabled, MWG can modify the response and redirect the client to the authentication server. If neither is present (transparent proxy, no SSL Scanner), MWG does not have any chance to authenticate the very first request if it is an HTTPS request.
The problem is if you don't have any existing authentication session and start browsing to an HTTPS web site. Since you don't have SSL Scanner enabled, MWG cannot make a redirect to the authentication server.
If you go to an HTTP website and authenticate before you go to an HTTPS web site all is good, because then you have an existing authentication session.
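The decision described in this reply (CONNECT available, SSL Scanner available, or an existing session) can be replayed as a small model. The following is an added illustration, not MWG code or anything from the thread's participants: the proxy class, the `Outcome` values, the client address and the absolute session lifetime (no refresh on use) are all assumptions made for the example; the 600-second default is the value quoted later in the thread.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List

SESSION_TIMEOUT = 600  # seconds; the default session time quoted in the thread


class Outcome(Enum):
    ALLOW = "allowed: existing authentication session"
    REDIRECT_HTTP = "302 on the plain-HTTP request"
    REDIRECT_CONNECT = "302 answered on the CONNECT request (explicit proxy)"
    REDIRECT_INJECTED = "302 injected into the decrypted response (SSL Scanner)"
    NO_CHANCE = "cannot redirect: transparent, no CONNECT, no SSL Scanner"


@dataclass
class Request:
    client_ip: str
    scheme: str                   # "http" or "https"
    host: str
    ts: float                     # seconds on a monotonic clock
    explicit_proxy: bool = False  # True: browser sends CONNECT for https; WCCP/transparent: False


@dataclass
class AuthDecision:
    """Simplified model of Time/IP based authentication (an assumption for this example)."""
    ssl_scanner: bool
    sessions: Dict[str, float] = field(default_factory=dict)  # client IP -> session creation time

    def has_session(self, ip: str, now: float) -> bool:
        created = self.sessions.get(ip)
        # Assumption: absolute lifetime from creation; the thread does not say whether MWG refreshes it
        return created is not None and now - created < SESSION_TIMEOUT

    def authenticate(self, ip: str, now: float) -> None:
        """The client completed the authentication-server flow; record the session."""
        self.sessions[ip] = now

    def handle(self, req: Request) -> Outcome:
        if self.has_session(req.client_ip, req.ts):
            return Outcome.ALLOW
        if req.scheme == "http":
            return Outcome.REDIRECT_HTTP        # plain HTTP: a 302 is always possible
        if req.explicit_proxy:
            return Outcome.REDIRECT_CONNECT     # explicit proxy: answer the CONNECT with a 302
        if self.ssl_scanner:
            return Outcome.REDIRECT_INJECTED    # decrypted response can be replaced by a 302
        return Outcome.NO_CHANCE               # transparent, no CONNECT, no SSL Scanner


def wccp_scenario(ssl_scanner: bool) -> List[Outcome]:
    """Replay the thread's scenario (WCCP, first request is HTTPS) and return the outcomes."""
    proxy = AuthDecision(ssl_scanner=ssl_scanner)
    ip = "10.0.0.5"  # constructed client address
    outcomes = []
    # 1. Fresh client; the very first request is HTTPS (the Gmail icon case)
    outcomes.append(proxy.handle(Request(ip, "https", "mail.google.com", ts=0.0)))
    # 2. Same client opens a plain-HTTP site: the redirect works here
    outcomes.append(proxy.handle(Request(ip, "http", "example.com", ts=5.0)))
    proxy.authenticate(ip, now=6.0)  # user completes login at the authentication server
    # 3. HTTPS again, now with a session
    outcomes.append(proxy.handle(Request(ip, "https", "mail.google.com", ts=10.0)))
    # 4. Once the session has expired, the HTTPS-first problem is back
    outcomes.append(proxy.handle(Request(ip, "https", "mail.google.com", ts=6.0 + SESSION_TIMEOUT)))
    return outcomes


if __name__ == "__main__":
    for flag in (False, True):
        print(f"SSL Scanner {'on ' if flag else 'off'}:")
        for o in wccp_scenario(flag):
            print("   ", o.value)
```

Running it shows the two failure points from the thread in one place: without SSL Scanner the first HTTPS request and every HTTPS request after session expiry end in `NO_CHANCE`, while with SSL Scanner the same requests become a redirect, so the session timeout decides how often users hit the problem.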
Thanks for the feedback.
I do have the SSL Scanner ruleset enabled, and the ruleset is above the authentication ruleset. But somehow, when a user goes to https://mail.google.com it won't redirect them for authentication. My setup is a WCCP setup.
Perhaps the user experience can be improved in some way. What's your session time set to? The default is 600.
As for why mail.google.com is not redirecting for authentication, I'm guessing it might have something to do with a bypass somewhere in the rules (but I could be wrong). Usually the bypass is under "Handle CONNECT Call".
As Jon said, there is a chance that this URL is getting bypassed somewhere.
Chances are the SSL Scanner rule is not coming into the picture for this URL.
Hi Jon and Alok,
I set up a new virtual MWG with the default ruleset. I tested it: it does not redirect when the user's first connection is HTTPS://mail.google.com, and under SSL Scanner there is no bypass URL either.
It is weird for me now, because some of my users use an app which allows them to connect to Gmail by just clicking an icon. It will open a page to HTTPS://mail.google.com, and it fails.
I think I confused myself. Just to summarize the valuable findings from you guys above:
In order to get authentication from the above ruleset, SSL scanning needs to be turned ON for the WCCP setting. Am I right?
After a cup of coffee, my mind is getting fresh!
SSL Scanning does need to be enabled in order to send a redirect for HTTPS websites. See more here: Best Practices: Giving your SSL Client some Context
At a bare minimum, the Handle CONNECT Call ruleset must be enabled (most of the time, all are enabled):
Inside of the ruleset, the request must hit set client context as well as Enable Certificate Verification. The rules may look a little different, but the idea is the same.
Thanks Jon. This helps me a lot. Very much appreciated.
I tested on my end. I turned on SSL Scanner, and I noticed the behavior below.
What is the difference between these 2? Is any other rule needed? WCCP mode.