Forum Discussion

Peter_chan's avatar
Peter_chan
Icon for Nimbostratus rankNimbostratus
Mar 02, 2018

How to bypass the similar domain in SSL Orchestrator

How to configure the SSL Orchestrator to bypass the same domain like "login.skype.com", "api.asm.skype.com". I have try to configured the ".*skype.com" and "*.skype.com" but no use.  
iRules
security
ssl forward proxy
xRes's avatar
xRes
Icon for Cirrus rankCirrus
Mar 19, 2018

Hi Peter

 

The easiest way would be to create a DataGroup (type: string), lets call it "sslo-bypass". Declare your domain name as a string with no value - then create TCP Service Chain Classifier with your "sslo-bypass" DataGroup set as a destination and Service Chain value set to "Bypass". While adding string records for "skype.com" to datagroup remember to add "skype.com" as well as ".skype.com!" for subdomains of skype.com (* will not work here).

 

You can use the same method to block certain domains just by setting SC value to Reject. The only problem with this case scenario is that what you get is just a tcp reset - so the user sees "Secure Connection Failed" instead of nicely looking "blocking page" telling him "Your request has been rejected by our security dept.".

 

Regards