Limitations of SIA Proxy

If a domain is considered risky or suspicious and as a result, directed to the ‚ÄčSIA‚Äč Proxy, these limitations apply to this traffic:


If any of these unsupported features are necessary for your network, you can configure requests to bypass the proxy by creating a custom list with the domains you want to allow. In a policy configuration, you then select the Allow action for the custom list.

  • No Expect-CT Handling. ‚ÄčSIA‚Äč Proxy does not check whether there is an Expect-CT HTTP header in traffic. This header alerts end users if invalid certificates are provided and typically ensures that certificates comply with an organization's certificate requirements.

  • No certificate expiration notification. ‚ÄčSecure Internet Access Enterprise‚Äč currently does not notify administrators when the certificate that is generated or uploaded to ‚ÄčSIA‚Äč expires. As a result, ‚ÄčSIA‚Äč administrators should set a reminder before the expiration date to rotate or create a new certificate. To view the certificate expiration of the certificate that is currently acting as a MITM CA TLS certificate, see View certificate information.

  • Client certificate authentication not supported. ‚ÄčSIA‚Äč Proxy does not support origin websites that require certificate authentication.

  • Extended validation (EV) certificates are not supported. Currently, ‚ÄčSIA‚Äč Proxy downgrades the certificate to domain-validated (DV) certificates. As a result, end users receive a DV certificate.

  • Support of an organization's CA store. If your organization uses a custom CA for TLS connections between the ‚ÄčSIA‚Äč proxy and the origin, ‚ÄčSIA‚Äč proxy cannot inspect this traffic.

  • No QUIC Support. ‚ÄčSIA‚Äč Proxy does not support the QUIC protocol, the technology that‚Äôs behind HTTP/3.