Cisco Cisco Web Security Appliance S670 Betriebsanweisung

Also see: 

For transparently redirected HTTPS requests, the Web Proxy must contact the destination server to 
determine the server name and therefore the URL category in which it belongs. Due to this, when the 
Web Proxy evaluates Routing Policy Group membership, it cannot yet know the URL category of an 
HTTPS request because it has not yet contacted the destination server. If the Web Proxy does not know 
the URL category, it cannot match the transparent HTTPS request to a Routing Policy that uses a URL 
category as membership criteria.

As a result, transparently redirected HTTPS transactions only match Routing Policies that do not define 
Routing Policy Group membership criteria by URL category. If all user-defined Routing Policies define 
their membership by URL category, transparent HTTPS transactions match the Default Routing Policy 
Group.

If the HTTPS request comes from a client that does not have authentication information available from 
an earlier HTTP request, AsyncOS either fails the HTTPS request or decrypts the HTTPS request in 
order to authenticate the user, depending on how you configure the HTTPS Proxy. Use the HTTPS 
Transparent Request setting on the Security Services > HTTPS Proxy page to define this behavior. Refer 
to the Enabling HTTPS Proxy section in Decryption Policies chapter.

Some HTTPS servers do not work as expected when traffic to them is decrypted by a proxy server, such 
as the Web Proxy. For example, some websites and their associated web applications and applets, such 
as high security banking sites, maintain a hard-coded list of trusted certificates instead of relying on the 
operating system certificate store.

You can bypass decryption for HTTPS traffic to these servers to ensure all users can access these types 
of sites. 

Create a custom URL category that contains the affected HTTPS servers by configuring the Advanced 
properties.