Limitations of ETP Proxy

If a domain is considered risky or suspicious and is therefore directed to ETP Proxy, the following limitations apply to its traffic.
Note: If your network requires any of these unsupported features, you can configure requests to bypass the proxy by creating a custom list that contains the domains you want to allow. In the policy configuration, you then select the Allow action for that custom list.
  • No Expect-CT handling. ETP Proxy does not check for an Expect-CT HTTP header in traffic. This header alerts end users if invalid certificates are provided and typically ensures that certificates comply with an organization’s certificate requirements.
  • TLS 1.3 is not supported. ETP Proxy supports TLS 1.2, 1.1, and 1.0. If a client offers TLS 1.3, the connection is negotiated down to TLS 1.2.
  • No certificate expiration notification. Enterprise Threat Protector currently does not notify administrators when the certificate that is generated by or uploaded to ETP expires. As a result, ETP super administrators should set a reminder ahead of the expiration date to rotate the certificate or create a new one. To view the expiration date of the certificate that currently acts as the MITM CA TLS certificate, see View certificate information.
  • Client certificate authentication is not supported. ETP Proxy does not support origin websites that require client certificate authentication.
  • Extended validation (EV) certificates are not supported. Currently, ETP Proxy downgrades EV certificates to domain-validated (DV) certificates, so end users receive a DV certificate.
  • TLS renegotiation is not supported. ETP Proxy and the client (browser or device) cannot negotiate new parameters, keys, and so on within an existing TLS connection. If TLS renegotiation is required, ETP Proxy must establish a new connection.
  • Custom CA stores are not supported. If your organization uses a custom CA for TLS connections between ETP Proxy and the origin, ETP Proxy cannot inspect this traffic.