@jonathanlee [image: 1676082797244-screenshot-2023-02-10-at-6.32.55-pm-resized.png] I adapted this for testing and set it to stare all because of this statement on their website, "The following configuration obtains SNI by parsing TLS Client Hello (due to a matching peek rule at step1) and then either splices bank connections OR stares at the TLS Server Hello (due to a matching stare rule) and bumps non-bank connections (due to the default bump-after-stare rule)." It has a default bump after stare rule, so bump step 3 is not needed I am thinking. This also seemed to speed up everything. Ref: https://wiki.squid-cache.org/Features/SslPeekAndSplice

@viragomann I tried looking into absolute path but then why did it work when it was published with TMG? Nothing changed in the backeend.

@cyrus104 I was able to make this work by adding following custom ACL: [image: 1675623608382-2m3tjblqot.png]

@michmoor Thank you for your reply The Squid logs doesn't show any activity concerning the Outlook application only web traffic through the browser. when i try to reach our webmail it fails with tcp:denied. i added 993 465 and 2096 (webmail port) to the list of safe ports. Now the webmail works but not Outlook. As i have stated the end users needs to be routed through the 172.26.2.1 router because of our provider but the network doesn't have internet connection. The sole purpose of installing pfSense was to implement the proxy so the end users can use the internet(with exceptions added to the proxy), it's not really acting as a router.

@dbmandrake [image: 1675445648251-799ecc95-da12-4329-8986-86e3b8bbb51d-image.png] [image: 1675445525877-61216ded-5a50-4492-b951-3825dfab0c9d-image.png] Thanks for the info, it's working great. 9:29 AM test ran automatically.

It could be likely that your work laptop creates a VPN to your business network and thus would be invisible to other devices on your home network.. That is true of mine. That could be why other devices cannot ping it..

@dbmandrake thanks for the information on the auto update.

@dbmandrake It did not work for me unless I included the ip address of the firewall and the loopbacks in an alias, the other way it would just fail for me.

@michmoor exactly... To be honest, that is DO - in what scenario would they ever need to be inbound to you? Block all of their ASNs NetRange: 165.22.0.0 - 165.22.255.255 CIDR: 165.22.0.0/16 NetName: DIGITALOCEAN-165-22-0-0 pfblocker makes it easy to look up ASNs and put them into a alias and then block that completely from your services you don't want them to be able to talk to.. DO while is a big cloud provider - why would you have need of inbound traffic from them? They are not known for being to particular on how they allow their services to be used.

Thank you for this! Got my application to work. Much appreciated.