HTTPS traffic is intercepted and decrypted to provide security and ruleset enforcement at the URL level and visibility into the full URL path. By default, HTTPS inspection attempts to decrypt all HTTPS traffic.
In simple terms, the connection is proxied, and Umbrella inspects all of the HTTP/S headers.
There are two TLS connections:
1) User to SIG TLS connection
2) SIG to actual site TLS connection
View the certificate to verify whether the connection is proxied:
The Issued By field of the certificate shows Cisco for any site that is proxied, because Umbrella re-signs the server certificate with its own CA (the browser trusts that certificate only if the Cisco Umbrella root certificate is installed on the client).
Selective Decryption List
Domains, applications and categories on this list bypass HTTPS inspection: the traffic is not decrypted or proxied, only NATed.
View the certificate to verify that the connection is un-decrypted:
The Issued By field shows the public Certificate Authority that issued the site's own certificate, not Cisco, for any domain that isn't proxied.
Some sites tie a session to the client's source IP, for example for session persistence over keep-alive connections or for requests sent through the browser Beacon API (small analytics/advertising requests).
If such a session is terminated or interrupted and the client tries to resume it with its previous session ticket (TLS session resumption), the server rejects the resumption when the new connection arrives from a different source IP.
Umbrella switches between different source IPs for load balancing, and that is exactly what happens here.
Connections therefore fail or terminate for sites that bind session tickets or keep-alive session persistence to the source IP.
Umbrella has added the 188.8.131.52/18 egress IP range, which is used to keep a persistent (static) source IP for a connection, so the source IP remains the same for the lifetime of that connection.
This feature currently works only for un-decrypted traffic, that is, the domains, applications and categories on the Selective Decryption list.
To troubleshoot a site that fails in this way:
1) Confirm that the domain/category is on the Selective Decryption list.
2) Check that the PC is connecting to the 184.108.40.206/18 egress IP range for its HTTPS traffic.
Note: If the traffic flows through 220.127.116.11/16 even though the domain is on the Selective Decryption list, double-check that 18.104.22.168/18 is allowed through your network (firewall and upstream ACLs).
An HTTPS connection for a domain on the Selective Decryption list is established to 22.214.171.124/16 only when the client cannot reach the 126.96.36.199/18 IP range.
3) Disable DPI-SSL (SSL inspection) on the on-premises firewall so the traffic is not decrypted twice (proxy chaining).
4) If it still fails, add the domain to the External Domain list.
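The two checks above (is the certificate issued by Cisco, and is the PC talking to the persistent egress range) can be scripted from the client so the result is not a matter of reading a browser dialog. The script below is an added example, not part of this article or of any Umbrella tooling. It applies the article's own rules: an issuer organization of Cisco means the connection is proxied; any other CA means the domain is on the Selective Decryption list and is only NATed. The egress range is passed on the command line, copy it from this article; the hostname and range used in the usage line are placeholders. It uses only the Python standard library.

```python
"""Client-side check: is this HTTPS connection decrypted by Umbrella, and does
it land on the persistent egress range?

Added example, not Umbrella code. Classification rules follow the article:
issuer organization "Cisco" => proxied (HTTPS inspection active);
any other issuer           => un-decrypted (Selective Decryption list, NAT only).
The egress CIDR is supplied by the caller (copy it from the article).
"""
import ipaddress
import socket
import ssl
import sys


def issuer_org(cert):
    """Return the issuer's organizationName from an ssl.getpeercert() dict.

    getpeercert() encodes 'issuer' as a tuple of RDNs, each RDN being a tuple
    of (attribute, value) pairs, e.g.
    ((('countryName', 'US'),), (('organizationName', 'Cisco'),), ...)
    Returns None when the field is absent (e.g. an empty, unverified cert).
    """
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def is_proxied(cert):
    """True when the Issued By organization is Cisco, i.e. Umbrella re-signed
    the server certificate and the connection is being decrypted."""
    org = issuer_org(cert)
    return org is not None and "cisco" in org.lower()


def in_egress_range(remote_ip, cidr):
    """True when the peer IP the PC is talking to falls inside `cidr`.

    strict=False accepts a range written with host bits set (as it is
    printed in the article) instead of raising ValueError.
    """
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr, strict=False)


def inspect(host, cidr, port=443, timeout=5):
    """Live check: open a TLS connection, record the peer IP and the issuer,
    and classify the connection. Returns a dict; 'error' is set if the
    handshake fails (typically because the Cisco Umbrella root certificate
    is not in the CA store Python uses, so the proxied cert cannot be
    verified; install it or point SSL_CERT_FILE at a bundle that has it).
    """
    result = {"host": host, "peer_ip": None, "issuer": None,
              "proxied": None, "persistent_egress": None, "error": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # getpeercert() only fills the dict for a *verified* cert,
                # so verification is left on deliberately.
                cert = tls.getpeercert()
                peer_ip = tls.getpeername()[0]
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
        return result
    result.update({
        "peer_ip": peer_ip,
        "issuer": issuer_org(cert),
        "proxied": is_proxied(cert),
        "persistent_egress": in_egress_range(peer_ip, cidr),
    })
    return result


if __name__ == "__main__":
    # Usage (placeholder values): python umbrella_check.py www.example.com 188.8.131.52/18
    if len(sys.argv) != 3:
        sys.exit("usage: umbrella_check.py <host> <egress-cidr>")
    for key, value in inspect(sys.argv[1], sys.argv[2]).items():
        print(f"{key:18} {value}")
```

Read the output against the article's steps: a domain that is meant to be on the Selective Decryption list should show proxied False and persistent_egress True; proxied True means step 1 has not taken effect, and persistent_egress False with proxied False means the range is being blocked somewhere on the path (step 2's note).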
If you are still facing issues, please contact Umbrella support at email@example.com.