HTTP vs Tunnel

kostasthedelegate · ‎07-05-2023

Hello,

I would like to ask about WSA.

At web tracking, I see some lines with "http://URL" and some with "tunnel://URL".

What is the difference??

Thanks and regards,

Konstantinos

M02@rt37 · ‎07-05-2023

Hello @kostasthedelegate,

The "tunnel://URL" is related to a feature called HTTPS tunneling or SSL tunneling. In certain situations, when clients connect to websites using HTTPS, the WSA acts as a proxy and establishes a secure tunnel between the client and the destination server. This tunnel allows the WSA to inspect and apply security policies to the encrypted traffic.

During this process, the WSA intercepts the HTTPS traffic from the client, establishes a secure tunnel to the destination server, and forwards the encrypted traffic through the tunnel. The "tunnel://URL" you are seeing in web tracking logs represents the destination server URL within this secure tunnel.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Konstantinos9 · ‎07-05-2023

Hello kostasthedelegate,

Adding to the above response, tunnel:// is for Explicit HTTPS requests. If your proxy was transparently intercepting HTTP/HTTPS traffic you wouldn't see the "tunnel". This appears before any decryption, if it's configured to inspect HTTPS traffic. Transparent HTTPS Connections and Decrypted HTTPS connection, will appear as "https://..."

HTTP connections, both explicit and transparent, will always appear with "http://...".

Hope that helps.

Kind regards,

Konstantinos

kostasthedelegate · ‎07-06-2023

Hello,

Thank you both for your answers.

So what is the difference between https:// and tunnel:// ?

Thanks and regards,

Konstantinos

Konstantinos9 · ‎07-06-2023

Hello kostasthedelegate,

It's the same thing, but what might differ is the how the traffic is sent through the WSA and if it's been decrypted. In explicit deployments the clients send an HTTP CONNECT message to the web proxy.

tunnel:// means explicit HTTPS traffic before decryption or in pass through. If you pass-through the traffic you won't see another entry. If you decrypt it, then you see two entries, one with "tunnel" and another one with "https" that it's evaluated against your access policies.

https:// means transparent HTTPS traffic or after decryption (transparent or explicit). (After decryption you may also see the entire URL, not only the domain)

Hope that helps,

Konstantinos

amojarra · ‎07-12-2023

Hello @kostasthedelegate

To add above:

TCP_CONNECT - this shows traffic was received transparently (via WCCP or L4 redirect ...etc)
CONNECT - this shows traffic was received explicitly

DECRYPT_WBRS - this shows WSA has decided to Decrypt the traffic due to WBRS score
PASSTHRU_WBRS - this shows WSA has decided to Pass Through the traffic due to WBRS score
DROP_WBRS - this shows WSA has decided to Drop the traffic due to WBRS score

When HTTPS traffic is decrypted, WSA will log two entries.
TCP_CONNECT or CONNECT depending on the type of request being received and "GET https://" showing the decrypted URL.
Full URL will only be visible if WSA decrypts the traffic.

Please also note that:

In transparent mode, WSA will only see the destination IP address initially
In explicit mode, WSA will see the destination hostname

tunnel:// (For Explicit Mode ) un-decrypted HTTPS traffic ( before Decryption or pass-though )

https:// decrypted traffic

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++