Limitations of ETP Proxy

If a domain is considered risky or suspicious and, as a result, is directed to the ETP Proxy, these limitations apply to its traffic:


If any of these unsupported features are necessary for your network, you can configure requests to bypass the proxy by creating a custom list with the domains you want to allow. In a policy configuration, you then select the Allow action for the custom list.

  • No Expect-CT handling. ETP Proxy does not check whether there is an Expect-CT HTTP header in traffic. This header alerts end users if invalid certificates are provided and typically ensures that certificates comply with an organization's certificate requirements.

  • No certificate expiration notification. Enterprise Threat Protector currently does not notify administrators when the certificate that is generated or uploaded to ETP expires. As a result, ETP administrators should set a reminder before the expiration date to rotate or create a new certificate. To view the expiration date of the certificate that currently acts as the MITM CA TLS certificate, see View certificate information.

  • Client certificate authentication not supported. ETP Proxy does not support origin websites that require certificate authentication.

  • Extended validation (EV) certificates are not supported. Currently, ETP Proxy downgrades an EV certificate to a domain-validated (DV) certificate. As a result, end users receive a DV certificate.

  • No support for an organization's CA store. If your organization uses a custom CA for TLS connections between ETP Proxy and the origin, ETP Proxy cannot inspect this traffic.
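
Because ETP does not send an expiration notice for the MITM CA certificate, the reminder has to run outside the product. The following is an added example, not Akamai code: a scheduled check that takes the certificate's notAfter value, either copied from the certificate information page or printed by `openssl x509 -noout -enddate -in <file>`. The reminder windows, function names and inventory entries are assumptions.

```python
import ssl
import sys
from datetime import datetime, timezone

# Assumed reminder windows in days (not from the ETP documentation).
REMINDER_WINDOWS = ((14, "CRITICAL"), (45, "WARNING"))

def parse_not_after(text):
    """Parse 'notAfter=Jun  1 12:00:00 2025 GMT' or the bare date string."""
    key, sep, value = text.strip().partition("=")
    if not sep:
        value = key                      # bare date, no 'notAfter=' prefix
    elif key.strip() != "notAfter":
        raise ValueError(f"unexpected field {key!r}")
    # cert_time_to_seconds understands the certificate time format (always GMT).
    seconds = ssl.cert_time_to_seconds(value.strip())
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def expiry_status(not_after_text, now=None):
    """Return (status, whole_days_left) for one certificate."""
    now = now or datetime.now(timezone.utc)
    remaining = parse_not_after(not_after_text) - now
    if remaining.total_seconds() <= 0:
        return "EXPIRED", remaining.days
    for limit, label in REMINDER_WINDOWS:
        if remaining.days < limit:
            return label, remaining.days
    return "OK", remaining.days

def check_inventory(inventory, now=None):
    """Check every certificate; unreadable dates are reported, never skipped."""
    rows = []
    for name, text in inventory.items():
        try:
            rows.append((name, *expiry_status(text, now)))
        except ValueError:
            rows.append((name, "UNREADABLE", None))
    return rows

if __name__ == "__main__":
    # Constructed sample inventory; names and dates are placeholders.
    sample = {
        "etp-mitm-ca (current)": "notAfter=Jun  1 12:00:00 2025 GMT",
        "etp-mitm-ca (staged)": "Jan  1 00:00:00 2027 GMT",
    }
    rows = check_inventory(sample)
    for name, status, days in rows:
        print(f"{status:<10} {name} days_left={days}")
    # Non-zero exit lets cron or a CI job raise the reminder.
    sys.exit(0 if all(status == "OK" for _, status, _ in rows) else 1)
```

Run it from a daily scheduled job and alert on a non-zero exit code.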

