HTTP vs Tunnel
07-05-2023 12:56 AM - last edited on 07-05-2023 02:20 AM by rupeshah
Hello,
I would like to ask about WSA.
At web tracking, I see some lines with "http://URL" and some with "tunnel://URL".
What is the difference??
Thanks and regards,
Konstantinos
Labels: Web Security
07-05-2023 01:38 AM
Hello @kostasthedelegate,
The "tunnel://URL" is related to a feature called HTTPS tunneling or SSL tunneling. In certain situations, when clients connect to websites using HTTPS, the WSA acts as a proxy and establishes a secure tunnel between the client and the destination server. This tunnel allows the WSA to inspect and apply security policies to the encrypted traffic.
During this process, the WSA intercepts the HTTPS traffic from the client, establishes a secure tunnel to the destination server, and forwards the encrypted traffic through the tunnel. The "tunnel://URL" you are seeing in web tracking logs represents the destination server URL within this secure tunnel.
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
07-05-2023 06:09 AM
Adding to the above response, tunnel:// is for explicit HTTPS requests. If your proxy was transparently intercepting HTTP/HTTPS traffic you wouldn't see the "tunnel". This appears before any decryption, if it's configured to inspect HTTPS traffic. Transparent HTTPS connections and decrypted HTTPS connections will appear as "https://..."
HTTP connections, both explicit and transparent, will always appear with "http://...".
Hope that helps.
Kind regards,
Konstantinos
07-06-2023 05:32 AM
Hello,
Thank you both for your answers.
So what is the difference between https:// and tunnel:// ?
Thanks and regards,
Konstantinos
07-06-2023 06:02 AM
Hello kostasthedelegate,
It's the same thing, but what might differ is how the traffic is sent through the WSA and if it's been decrypted. In explicit deployments the clients send an HTTP CONNECT message to the web proxy.
tunnel:// means explicit HTTPS traffic before decryption or in pass-through. If you pass through the traffic you won't see another entry. If you decrypt it, then you see two entries, one with "tunnel" and another one with "https" that is evaluated against your access policies.
https:// means transparent HTTPS traffic or after decryption (transparent or explicit). (After decryption you may also see the entire URL, not only the domain)
Hope that helps,
Konstantinos
07-12-2023 04:16 AM - edited 07-12-2023 04:18 AM
Hello @kostasthedelegate
To add to the above:
TCP_CONNECT - this shows traffic was received transparently (via WCCP or L4 redirect ...etc)
CONNECT - this shows traffic was received explicitly
DECRYPT_WBRS - this shows WSA has decided to Decrypt the traffic due to WBRS score
PASSTHRU_WBRS - this shows WSA has decided to Pass Through the traffic due to WBRS score
DROP_WBRS - this shows WSA has decided to Drop the traffic due to WBRS score
- When HTTPS traffic is decrypted, WSA will log two entries.
- TCP_CONNECT or CONNECT depending on the type of request being received and "GET https://" showing the decrypted URL.
- Full URL will only be visible if WSA decrypts the traffic.
Please also note that:
- In transparent mode, WSA will only see the destination IP address initially
- In explicit mode, WSA will see the destination hostname
tunnel:// (For Explicit Mode) un-decrypted HTTPS traffic (before decryption or pass-through)
https:// decrypted traffic
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
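As an added example (not written by any poster in this thread and not Cisco code), the following Python applies the distinctions described in the replies above to log lines and lists explicit DECRYPT decisions that have no matching "https://" entry. The log lines are constructed and simplified, and the field layout, host names and both function names are assumptions.

```python
import re

# Constructed, simplified log lines (not captured from a real WSA). Assumed
# layout: time, elapsed, client, result/status, bytes, method, target, ..., tag.
SAMPLE_LOG = """\
1688550000.1 120 10.1.1.10 TCP_MISS/200 0 CONNECT tunnel://portal.example:443/ - DECRYPT_WBRS
1688550000.3 80 10.1.1.10 TCP_MISS/200 5120 GET https://portal.example:443/login?next=/home - -
1688550004.0 300 10.1.1.11 TCP_MISS/200 9000 CONNECT tunnel://bank.example:443/ - PASSTHRU_WBRS
1688550009.0 10 10.1.1.12 TCP_MISS/200 0 TCP_CONNECT 203.0.113.7:443 - DROP_WBRS
1688550012.0 40 10.1.1.13 TCP_MISS/200 700 GET http://news.example/index.html - -
1688550015.0 15 10.1.1.14 TCP_MISS/200 0 CONNECT tunnel://app.example:443/ - DECRYPT_WBRS
""".splitlines()

ENTRY = re.compile(r"^\S+ \S+ (?P<client>\S+) \S+ \S+ (?P<method>\S+) (?P<target>\S+)")
DECISION = re.compile(r"(DECRYPT|PASSTHRU|DROP)_WBRS")

def classify(line):
    """Describe one log line in the terms used in the thread (hypothetical helper)."""
    m = ENTRY.match(line)
    if m is None:
        return None
    scheme, sep, rest = m["target"].partition("://")
    if not sep:                      # transparent entries carry only IP:port
        scheme, rest = "", m["target"]
    host = rest.split("/")[0].rsplit(":", 1)[0]
    mode = {"CONNECT": "explicit", "TCP_CONNECT": "transparent"}.get(m["method"])
    if mode:
        kind = "connection entry, not decrypted"
    elif scheme == "https":
        kind = "decrypted HTTPS request"   # full URL is visible
    elif scheme == "http":
        kind = "plain HTTP request"
    else:
        kind = "other"
    tag = DECISION.search(line)
    return {"client": m["client"], "mode": mode, "scheme": scheme, "host": host,
            "kind": kind, "decision": tag.group(1) if tag else None}

def decrypts_without_https_entry(lines):
    """Explicit DECRYPT entries with no later https:// entry (same client and host)."""
    entries = [e for e in map(classify, lines) if e]
    missing = []
    for i, e in enumerate(entries):
        if e["mode"] == "explicit" and e["decision"] == "DECRYPT":
            if not any(n["scheme"] == "https" and n["client"] == e["client"]
                       and n["host"] == e["host"] for n in entries[i + 1:]):
                missing.append((e["client"], e["host"]))
    return missing
```

Transparent entries are left out of the pairing check because, as noted above, the initial entry shows only the destination IP address, so it cannot be matched to a later hostname-based "https://" entry by host alone.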
