Limitations of SIA Proxy

If a domain is considered risky or suspicious and as a result, directed to the ​SIA​ Proxy, these limitations apply to this traffic:

📘

If any of these unsupported features are necessary for your network, you can configure requests to bypass the proxy by creating a custom list with the domains you want to allow. In a policy configuration, you then select the Allow action for the custom list.

• No Expect-CT Handling. ​SIA​ Proxy does not check whether there is an Expect-CT HTTP header in traffic. This header alerts end users if invalid certificates are provided and typically ensures that certificates comply with an organization's certificate requirements.

• No certificate expiration notification. ​Secure Internet Access Enterprise​ currently does not notify administrators when the certificate that is generated or uploaded to ​SIA​ expires. As a result, ​SIA​ administrators should set a reminder before the expiration date to rotate or create a new certificate. To view the certificate expiration of the certificate that is currently acting as a MITM CA TLS certificate, see View certificate information.

• Client certificate authentication not supported. ​SIA​ Proxy does not support origin websites that require certificate authentication.

• Extended validation (EV) certificates are not supported. Currently, ​SIA​ Proxy downgrades the certificate to domain-validated (DV) certificates. As a result, end users receive a DV certificate.

• Support of an organization's CA store. If your organization uses a custom CA for TLS connections between the ​SIA​ proxy and the origin, ​SIA​ proxy cannot inspect this traffic.

• No QUIC Support. ​SIA​ Proxy does not support the QUIC protocol, the technology that’s behind HTTP/3.