I’ve just discovered that SSL decryption is not available for users connecting to a secondary proxy server port. Update: this was an unannounced 'fix' introduced in 7.8.4 to 'correct' the earlier behaviour, where SSL decryption was enabled on all proxy server ports in 7.8.1-7.8.3!
Using secondary proxy server ports is an invaluable option when using Rules-based authentication, but its value is severely compromised if it means SSL decryption is effectively disabled for those users in 7.8.4.
I couldn’t find any reference to this change of behaviour in the release notes or the known and resolved issues list for 7.8.4.

Feature Request: Restore support for SSL decryption on the secondary HTTP proxy server ports in 7.8.4 and later. Currently Content Gateway will only inspect SSL traffic on proxy port 8080. Right now you cannot add additional ports to the HTTPS Proxy Server Port field in CG Manager > Configure > Protocols > HTTPS. This should be extended to allow administrators to add in the secondary proxy server ports, either through the GUI or through records.config (content_line).
I would consider the pre-7.8.4 behaviour where SSL decryption was enabled on all HTTP proxy server ports to be the desired and expected behaviour for a web security gateway. The unannounced change in 7.8.4 introduces a security loophole that could expose Websense customers using secondary proxy ports to risks of malware infection and data theft/leakage without them being aware of the danger.
I can understand the use case for disabling SSL decryption for a secondary proxy port – BYOD and explicit proxy springs to mind, but this change to the product should have been announced and ideally made optional through a records.config setting where the default setting left SSL decryption enabled for all HTTP proxy server ports.
In an ideal world, SSL Decryption would be enabled for all HTTP proxy server ports so that the product can fulfil its mandate as a web security gateway. Customers should then have the option to selectively disable SSL decryption for specific secondary proxy ports.
Example config settings to allow customers to control whether SSL decryption is enabled on all HTTP proxy server ports:

proxy.config.ssl.all_server_ports_enabled INT 1

or

proxy.config.ssl.server_ports STRING 8080 18080 18081
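Since the change described above is not documented, the practical way to find out which proxy ports are actually decrypting is to tunnel through each one and look at who signed the certificate you get back: if the gateway is decrypting, the leaf certificate is re-signed by the gateway's internal CA; if it is passing the session through, you see the origin's real issuer. The script below is an added example and is not part of the original post or of the Content Gateway product. The gateway hostname, the port list, the path to the gateway CA PEM and the CA's common name are all assumed placeholders; the HTTPS origin is arbitrary. The proxy CA must be loaded into the verify store so that Python validates the chain and populates the certificate fields for inspection.

```python
import socket
import ssl

# Constructed placeholders for this example; replace with your own values.
GATEWAY_HOST = "proxy.example.internal"          # assumed Content Gateway address
PROXY_PORTS = (8080, 18080, 18081)               # primary port plus two secondary ports
TARGET = ("www.example.com", 443)                # any HTTPS origin the gateway would decrypt
GATEWAY_CA_PEM = "/etc/ssl/certs/gateway-ca.pem" # assumed path to the gateway's internal CA cert
GATEWAY_CA_CN = "Websense Content Gateway CA"    # assumed CN of that internal CA


def build_connect(host, port):
    """Raw HTTP CONNECT request an explicit-proxy client sends to open a tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_status(response):
    """Return the status code from the proxy's CONNECT reply, or None if malformed."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def issuer_cn(cert):
    """Pull the issuer commonName out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(issuer, gateway_ca_cn):
    """'decrypted' if the gateway re-signed the cert, 'passthrough' if the origin's issuer is visible."""
    if issuer is None:
        return "unknown"
    return "decrypted" if issuer == gateway_ca_cn else "passthrough"


def read_headers(sock):
    """Read the proxy's reply up to the end of the HTTP headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_port(gateway_host, proxy_port, target, gateway_ca_pem, gateway_ca_cn, timeout=5.0):
    """Open a CONNECT tunnel via one proxy port and report which CA signed the certificate seen."""
    raw = socket.create_connection((gateway_host, proxy_port), timeout=timeout)
    try:
        raw.sendall(build_connect(*target))
        status = parse_connect_status(read_headers(raw))
        if status != 200:
            return {"port": proxy_port, "status": status, "issuer": None, "result": "connect-failed"}
        ctx = ssl.create_default_context()
        ctx.load_verify_locations(gateway_ca_pem)  # trust the gateway CA so a re-signed chain validates
        ctx.check_hostname = False                 # issuer is what we care about, not the name match
        ctx.verify_mode = ssl.CERT_REQUIRED        # keep validation on so getpeercert() is populated
        try:
            tls = ctx.wrap_socket(raw, server_hostname=target[0])
        except ssl.SSLError as exc:
            return {"port": proxy_port, "status": status, "issuer": None, "result": f"tls-error: {exc}"}
        issuer = issuer_cn(tls.getpeercert())
        tls.close()
        return {"port": proxy_port, "status": status, "issuer": issuer,
                "result": classify(issuer, gateway_ca_cn)}
    finally:
        raw.close()


if __name__ == "__main__":
    for port in PROXY_PORTS:
        try:
            info = probe_port(GATEWAY_HOST, port, TARGET, GATEWAY_CA_PEM, GATEWAY_CA_CN)
        except OSError as exc:
            info = {"port": port, "status": None, "issuer": None, "result": f"socket-error: {exc}"}
        print(f"port {info['port']:>5}: {info['result']:<12} issuer={info['issuer']}")
```

A port that reports "passthrough" is one where users get no SSL inspection at all, which is the exposure described above; running this after every upgrade catches an unannounced change of this kind before users do.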