Facebook is not displaying its page/images properly when SSL Decryption is enabled
any ideas why ?
*Note: I have a rule allowing ANY destination with ANY application with ANY service, also another rule i tried was with ANY destination with Explicitly allowing all facebook applications on service ANY, and yet it didn't work.
My SSL Forward certificate is 1024-bit sha-1
Are you using any URL categories in the decrypt rule.
How abt using IE/Chrome?
A lot of sites like this don't like you to have a SSL decrypt rule in place. I have had the same problem with Dropbox and in the end I had to put a no-decrypt rule in specifically for the people who use that service.
Basically, the site is saying that it doesn't like you doing something in the middle of the transmitting, like SSL decryption. Those sites will generally give you a reduced webpage much like what your screenshot showed.
Try going to your Decryption rules and adding one that says, Any source, any destination, URL category as only Facebook, no decrypt and ssl-forward Proxy. If that works you may want to restrict it down to specific sources or specific destination zone.
The reason the dropbox client doesnt work is that the dropbox client has a hardcoded ssl cert that if this doesnt match (as when ssl decryption is in progress) the client refuse to connect - same goes with windowsupdate (that is the client - not when used through webbrowser) for that matter.
However the dropbox through webbrowser will still work even if you do ssl decryption.
Regarding facebook you should check your browser that the facebook server cert isnt already preloaded. I think both firefox and google chrome started to do something like that last year or so.
What you then need to do, except adding the cert used to create these MITM ssl certs as a trusted CA, is to clear any preloaded server certs regarding facebook.
Also note that facebook uses various CDN which also must be reachable by the client.
Except for this - how is your ssl decrypt rule setup?
No. I have a rule that says Decrypt all sites. Unless I have another rule in saying no-decrypt on dropbox then the website does not work. Gives an SSL error.
I know about the Dropbox client and the hardcoded SSl cert as I had to change that to get it to work, but this is a website both ksabry and I are talking about, not any client software. And in these cases if you have a decrypt all sites rule in place, then you would need a no-decrypt rule for certain sites. Such as banking sites for instance. They don't like it when you decrypt their traffic before it gets to the end point and will not allow you to log on.
Unless the bank uses a client cert (which very few does) - how would the bank be able to detect that the ssl traffic is being intercepted at the client end according to you ?
Regarding the Facebook problem - verify if they only accept TLS 1.1 or newer? If so then PA might lack support to handle TLS 1.1 and newer ssl based communication.
Well perhaps I should have quantified that statement a little bit. OUR banking sites don't like it when the traffic is decrypted before getting to the end point. And yes, ours does use Cert. We have a card reader that we have to pull the certs from a card they send us to get it to all work properly. But that is getting a bit off topic.
All I was suggesting is to try a no-decrypt rule to see if that allows him through as that is what worked for me in other cases. Not facebook though as we block that across the board.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!