07-05-2023 12:56 AM - last edited on 07-05-2023 02:20 AM by rupeshah
Hello,
I would like to ask about WSA.
At web tracking, I see some lines with "http://URL" and some with "tunnel://URL".
What is the difference??
Thanks and regards,
Konstantinos
07-05-2023 01:38 AM
Hello @kostasthedelegate,
The "tunnel://URL" is related to a feature called HTTPS tunneling or SSL tunneling. In certain situations, when clients connect to websites using HTTPS, the WSA acts as a proxy and establishes a secure tunnel between the client and the destination server. This tunnel allows the WSA to inspect and apply security policies to the encrypted traffic.
During this process, the WSA intercepts the HTTPS traffic from the client, establishes a secure tunnel to the destination server, and forwards the encrypted traffic through the tunnel. The "tunnel://URL" you are seeing in web tracking logs represents the destination server URL within this secure tunnel.
07-05-2023 06:09 AM
Adding to the above response, tunnel:// is for explicit HTTPS requests. If your proxy was transparently intercepting HTTP/HTTPS traffic, you wouldn't see the "tunnel". This appears before any decryption, if it's configured to inspect HTTPS traffic. Transparent HTTPS connections and decrypted HTTPS connections will appear as "https://...".
HTTP connections, both explicit and transparent, will always appear with "http://...".
Hope that helps.
Kind regards,
Konstantinos
07-06-2023 05:32 AM
Hello,
Thank you both for your answers.
So what is the difference between https:// and tunnel:// ?
Thanks and regards,
Konstantinos
07-06-2023 06:02 AM
Hello kostasthedelegate,
It's the same thing, but what might differ is how the traffic is sent through the WSA and whether it's been decrypted. In explicit deployments the clients send an HTTP CONNECT message to the web proxy.
tunnel:// means explicit HTTPS traffic before decryption or in pass-through. If you pass through the traffic you won't see another entry. If you decrypt it, then you see two entries, one with "tunnel" and another one with "https" that is evaluated against your access policies.
https:// means transparent HTTPS traffic or after decryption (transparent or explicit). (After decryption you may also see the entire URL, not only the domain.)
Hope that helps,
Konstantinos
07-12-2023 04:16 AM - edited 07-12-2023 04:18 AM
Hello @kostasthedelegate
To add to the above:
TCP_CONNECT - this shows traffic was received transparently (via WCCP or L4 redirect ...etc)
CONNECT - this shows traffic was received explicitly
DECRYPT_WBRS - this shows WSA has decided to Decrypt the traffic due to WBRS score
PASSTHRU_WBRS - this shows WSA has decided to Pass Through the traffic due to WBRS score
DROP_WBRS - this shows WSA has decided to Drop the traffic due to WBRS score
Please also note that:
tunnel:// (for explicit mode): un-decrypted HTTPS traffic (before decryption or pass-through)
https://: decrypted traffic
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
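Added example, not part of any post in this thread: a small Python script that applies the rules described in the replies above (CONNECT vs TCP_CONNECT, tunnel:// vs https://, and the *_WBRS decision tags) to group access-log entries per client and host. The log lines are constructed, and the 11-field squid-style layout and the policy-name suffix are assumptions for illustration; adjust the field indexes to your own access log format.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in an assumed, simplified layout:
# time elapsed client result/status bytes method url user hierarchy mime decision-tag
SAMPLE = """\
1688540000.101 120 10.0.0.5 TCP_MISS/200 0 CONNECT tunnel://mail.example.com:443/ - DIRECT/mail.example.com - DECRYPT_WBRS-ConstructedPolicy
1688540000.350 95 10.0.0.5 TCP_MISS/200 5120 GET https://mail.example.com/inbox?id=1 - DIRECT/mail.example.com text/html -
1688540003.010 300 10.0.0.5 TCP_MISS/200 8300 CONNECT tunnel://bank.example.net:443/ - DIRECT/bank.example.net - PASSTHRU_WBRS-ConstructedPolicy
1688540005.500 40 10.0.0.9 TCP_MISS/200 0 TCP_CONNECT https://shop.example.org:443/ - DIRECT/shop.example.org - DECRYPT_WBRS-ConstructedPolicy
1688540006.200 15 10.0.0.9 TCP_MISS/200 900 GET http://news.example.org/ - DIRECT/news.example.org text/html -
"""

# Method values named in the thread and the deployment mode they indicate.
MODE = {"CONNECT": "explicit", "TCP_CONNECT": "transparent"}


def summarise(log_text):
    """Group HTTPS entries by (client, host) and report how each was handled."""
    flows = defaultdict(lambda: {"mode": None, "decision": None, "urls": []})
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 11:
            continue  # not in the assumed layout
        client, method, url, tag = f[2], f[5], f[6], f[10]
        parts = urlsplit(url)
        if parts.scheme not in ("tunnel", "https"):
            continue  # http:// entries are plain HTTP, no tunnel or decryption
        flow = flows[(client, parts.hostname)]
        if method in MODE:
            # Connection-level entry: records the mode and the WBRS decision.
            flow["mode"] = MODE[method]
            head = tag.split("-")[0]
            if head.endswith("_WBRS"):
                flow["decision"] = head[: -len("_WBRS")]
        else:
            # Request-level https:// entry: only present after decryption,
            # and it carries the full URL rather than just the host.
            flow["urls"].append(url)
    return dict(flows)


if __name__ == "__main__":
    for (client, host), flow in summarise(SAMPLE).items():
        print(client, host, flow["mode"], flow["decision"], len(flow["urls"]))
```

A host whose decision is PASSTHRU should have an empty `urls` list; a DECRYPT host with no follow-up https:// entry is worth a closer look at the log.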