As the CAC is nothing else but a client certificate stored on a card, this error sounds logical! Web Gateway is intercepting the SSL traffic with the SSL Scanner. Therefore there is no direct connection between client and web server. In case someone is logging in with their CAC, this information is only available on the client side of MWG, whereas it is not on the server side; thus it fails! The only solution is to identify these hosts/applications and whitelist them from SSL scanning.
We actually whitelisted the destination IP addresses... that took some tracking down, but it appears to work. I would, however, rather whitelist the application itself, but I'm not sure which property string to use. Any ideas?
Hmm... that would require some debugging... By application I suspect you mean the application on the client?
Yes, the workstation hosts the application that the card reader uses. We'd like to be able to allow the application to bypass or blow through the Web Gateway without any filtering or inspection of that application.
OK, we might have a chance to check if the application has a specific User-Agent!
Looking into SSL traffic, the User-Agent is usually in the clear:
CONNECT www.facebook.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Can you find out if the application has a User-Agent? It might be recorded in the log files, or you can do a tcpdump on MWG to see the SSL traffic and then read it with Wireshark.
A rule then could look like:
Header.Get(User-Agent) matches *My-Own-Application* STOP CYCLE.
Put that as high as you can in the rule tree.
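The point of the post above is that the proxy sees the User-Agent in the plaintext CONNECT request before any TLS handshake happens, so a rule can match on it even though the tunnelled traffic itself is opaque. The script below is an added example, not code from the thread or from McAfee Web Gateway: it parses CONNECT requests as captured from the client side, inventories the User-Agents seen per destination (the "does the application have a User-Agent?" step), and evaluates a wildcard rule equivalent to `Header.Get(User-Agent) matches *My-Own-Application*`. The application name `My-Own-Application`, the sample requests and the case-insensitive wildcard semantics are all constructed assumptions; it also shows the edge case of a client that sends no User-Agent at all, which such a rule cannot catch and which falls back to the destination-based whitelist.

```python
"""Added example: match CONNECT requests by User-Agent to decide an SSL-scanner bypass.

Not MWG code; the rule engine is modelled with fnmatch. The application name,
destinations and requests below are constructed for the example.
"""
import fnmatch
from collections import defaultdict

# Constructed sample CONNECT requests, as a proxy would see them before the TLS
# handshake. The first is the browser request quoted in the thread; the others
# represent the hypothetical card-reader application and a client with no UA.
SAMPLE_BROWSER_CONNECT = (
    b"CONNECT www.facebook.com:443 HTTP/1.1\r\n"
    b"Host: www.facebook.com:443\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) "
    b"Gecko/20100101 Firefox/7.0.1\r\n"
    b"\r\n"
)
SAMPLE_CAC_CONNECT = (
    b"CONNECT pki.example.mil:443 HTTP/1.1\r\n"
    b"Host: pki.example.mil:443\r\n"
    b"User-Agent: My-Own-Application/2.3 (Windows NT 6.1)\r\n"
    b"\r\n"
)
SAMPLE_NO_UA_CONNECT = (
    b"CONNECT pki.example.mil:443 HTTP/1.1\r\n"
    b"Host: pki.example.mil:443\r\n"
    b"\r\n"
)

# Hypothetical rule from the thread: Header.Get(User-Agent) matches *My-Own-Application*
BYPASS_PATTERN = "*My-Own-Application*"


def parse_connect(raw: bytes) -> dict:
    """Split a raw CONNECT request into method, target and a case-insensitive header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def user_agent_matches(user_agent: str, pattern: str) -> bool:
    """Evaluate a '*...*' wildcard rule. Case-insensitive matching is an assumption."""
    return fnmatch.fnmatchcase(user_agent.lower(), pattern.lower())


def ssl_scanner_action(raw: bytes, pattern: str = BYPASS_PATTERN) -> str:
    """Return 'STOP CYCLE' when the request should skip SSL scanning, else 'CONTINUE'.

    A request without a User-Agent never matches, so such a client still has to be
    handled by a destination (host/IP) whitelist, as done earlier in the thread.
    """
    req = parse_connect(raw)
    if req["method"] != "CONNECT":
        return "CONTINUE"
    user_agent = req["headers"].get("user-agent", "")
    if user_agent and user_agent_matches(user_agent, pattern):
        return "STOP CYCLE"
    return "CONTINUE"


def inventory_user_agents(requests) -> dict:
    """Map each CONNECT target to the set of User-Agents seen, to find the app's UA."""
    seen = defaultdict(set)
    for raw in requests:
        req = parse_connect(raw)
        if req["method"] == "CONNECT":
            seen[req["target"]].add(req["headers"].get("user-agent", "<none>"))
    return dict(seen)


if __name__ == "__main__":
    capture = [SAMPLE_BROWSER_CONNECT, SAMPLE_CAC_CONNECT, SAMPLE_NO_UA_CONNECT]
    for target, agents in inventory_user_agents(capture).items():
        print(target, "->", sorted(agents))
    for raw in capture:
        print(parse_connect(raw)["target"], ssl_scanner_action(raw))
```

The inventory step is what you would run over the CONNECT lines pulled from the MWG access log or from a Wireshark export; once the application's User-Agent string is known, the wildcard pattern is the only thing that needs to change.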