Disable deprecated SSL/TLS Versions
When using SSL-Inspection, it should be possible to deactivate outdated TLS versions like TLSv1.0 / 1.1.
It is recommended to disable SSLv3 / TLSv1.0 / 1.1 in the browser settings. This setting is useless, however, as the SWA always uses SSLv1.2 in the direction of the client.
So it can happen that a website with TLSv1.0 is requested, which is transferred to the client, on which TLSv1.0 is deactivated, with TLSv1.2.
That's a security problem.

1 comment
Peter commented
It should be easy enough to restrict the outbound HTTPS connection to the same cipher suites as the inbound HTTPS connection; this would then ensure the connection is secure along both legs: EUD->SWG->SITE.
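
The mirroring idea from the thread, sketched with Python's standard `ssl` module as an added example; it is not part of the original posts and is not SWA configuration. The function names, the TLS 1.2 floor and the cipher string are assumptions chosen for illustration.

```python
import ssl

# Assumed client-facing policy (constructed for this example).
INBOUND_MIN = ssl.TLSVersion.TLSv1_2
INBOUND_CIPHERS = "ECDHE+AESGCM"

# Strings as reported by SSLSocket.version() after a handshake.
_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def inbound_context():
    """Client-facing leg (EUD -> SWG). Certificate loading is omitted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = INBOUND_MIN
    ctx.set_ciphers(INBOUND_CIPHERS)
    return ctx

def tls12_suite_names(ctx):
    """Names of the non-TLS-1.3 suites enabled on a context."""
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}

def outbound_context(inbound):
    """Server-facing leg (SWG -> SITE) with the inbound restrictions copied over."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = inbound.minimum_version
    # TLS 1.3 suites are managed separately by OpenSSL, so only the
    # TLS 1.2-and-below list is mirrored here.
    ctx.set_ciphers(":".join(sorted(tls12_suite_names(inbound))))
    return ctx

def upstream_allowed(negotiated, minimum=INBOUND_MIN):
    """Policy check on the version the origin server actually negotiated."""
    version = _VERSIONS.get(negotiated)
    return version is not None and version >= minimum

if __name__ == "__main__":
    out = outbound_context(inbound_context())
    print("outbound minimum:", out.minimum_version.name)
    for seen in ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(seen, "->", "allow" if upstream_allowed(seen) else "block")
```

With the floor copied to the outbound leg, a handshake with a TLSv1.0-only site fails at the proxy instead of being re-served to the client over TLSv1.2.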