Limitations of SIA Proxy
If a domain is considered risky or suspicious and, as a result, is directed to SIA Proxy, the limitations listed below apply to this traffic.
If any of these unsupported features are necessary for your network, you can configure requests to bypass the proxy by creating a custom list with the domains you want to allow. In a policy configuration, you then select the Allow action for the custom list.
- No Expect-CT handling. SIA Proxy does not check whether there is an Expect-CT HTTP header in traffic. This header alerts end users if invalid certificates are provided and typically ensures that certificates comply with an organization's certificate requirements.
- No certificate expiration notification. Secure Internet Access Enterprise currently does not notify administrators when the certificate that is generated or uploaded to SIA expires. As a result, SIA administrators should set a reminder before the expiration date to rotate or create a new certificate. To view the expiration date of the certificate that is currently acting as the MITM CA TLS certificate, see View certificate information.
- Client certificate authentication is not supported. SIA Proxy does not support origin websites that require certificate authentication.
- Extended validation (EV) certificates are not supported. Currently, SIA Proxy downgrades these certificates to domain-validated (DV) certificates. As a result, end users receive a DV certificate.
- No support for an organization's CA store. If your organization uses a custom CA for TLS connections between SIA Proxy and the origin, SIA Proxy cannot inspect this traffic.
- No QUIC support. SIA Proxy does not support the QUIC protocol, the technology that's behind HTTP/3.