Limitations of SIA Proxy

If a domain is considered risky or suspicious and is therefore directed to SIA Proxy, the limitations listed below apply to this traffic.


If any of these unsupported features are necessary for your network, you can configure requests to bypass the proxy by creating a custom list with the domains you want to allow. In a policy configuration, you then select the Allow action for the custom list.

  • No Expect-CT handling. SIA Proxy does not check whether there is an Expect-CT HTTP header in traffic. This header alerts end users if invalid certificates are provided and typically ensures that certificates comply with an organization's certificate requirements.

  • No certificate expiration notification. Secure Internet Access Enterprise currently does not notify administrators when the certificate that is generated or uploaded to SIA expires. As a result, SIA administrators should set a reminder before the expiration date to rotate or create a new certificate. To view the expiration date of the certificate that is currently acting as the MITM CA TLS certificate, see View certificate information.

  • Client certificate authentication not supported. SIA Proxy does not support origin websites that require certificate authentication.

  • Extended validation (EV) certificates are not supported. Currently, SIA Proxy downgrades the certificate to a domain-validated (DV) certificate. As a result, end users receive a DV certificate.

  • No support for an organization's CA store. If your organization uses a custom CA for TLS connections between SIA Proxy and the origin, SIA Proxy cannot inspect this traffic.

  • No QUIC support. SIA Proxy does not support the QUIC protocol, the technology that’s behind HTTP/3.
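
Because expiration of the MITM CA certificate is not reported (see the certificate expiration limitation above), a scheduled check can stand in for the reminder. The following is an added example, not code from the product or its documentation; it assumes the certificate has been exported to a local PEM file and that the openssl CLI is installed, and the function names and 30-day default are hypothetical.

```sh
#!/bin/sh
# Added example: scheduled expiry check for the MITM CA certificate.
# Assumption: the certificate is exported to a local PEM file.
# Function names and the 30-day default are hypothetical.

# cert_status PEM [WARN_DAYS]
# Prints OK, EXPIRING, EXPIRED or UNREADABLE; returns 0, 1, 2 or 3.
cert_status() {
  pem=$1
  warn_days=${2:-30}
  # Reject files that openssl cannot parse as an X.509 certificate.
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo UNREADABLE; return 3
  fi
  # -checkend N exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo EXPIRED; return 2
  fi
  if ! openssl x509 -in "$pem" -noout \
        -checkend $((warn_days * 86400)) >/dev/null; then
    echo EXPIRING; return 1
  fi
  echo OK
}

# cert_enddate PEM: prints the notAfter date for the reminder message.
cert_enddate() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Constructed sample input: throwaway self-signed certificate valid
# for DAYS days, for trying the check without touching the real CA.
make_sample_cert() {  # make_sample_cert OUT_PEM DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1" -days "$2" -subj "/CN=constructed-sample-ca" 2>/dev/null \
    && rm -f "$1.key"
}

# Usage from cron: check_ca_expiry.sh /path/to/ca.pem 30  (placeholder path)
if [ "$#" -gt 0 ]; then
  status=$(cert_status "$@"); rc=$?
  if [ "$rc" -eq 3 ]; then echo "$status: $1"
  else echo "$status: $1 notAfter $(cert_enddate "$1")"; fi
  exit "$rc"
fi
```

The non-zero exit codes let a cron wrapper or monitoring agent raise the alert, so rotation can be planned before the certificate lapses.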