Can a WLC redirect HTTPS traffic in a CWA environment

Hi Guys.
Regarding ISE, CWA and WLC, I'm seeing that when you connect to the SSID and open your navigator, if the URL is an HTTPS URL the traffic is not redirected to the ISE Portal using CWA. I thought that the WebAuth Proxy Redirection Port option of the WLC only works when it has the portal (LWA) but not in CWA.
I only found information about the redirection of the traffic when it is an HTTP connection (port 80).
Is it possible to redirect HTTPS traffic in a CWA deployment? Most of my users use Google Chrome and, in some scenarios, any search using Google is in HTTPS mode and the captive portal is not shown.
Thanks.
Best regards.

No, the WLC is not able to redirect HTTPS pages.
You can, however, add other ports (other than 80) that can be redirected in case of proxy etc.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered

Similar Messages

  • How to redirect https traffic to captive portal?

    Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
    This is unusual scenario wherein clients have a default homepage to https://www.google.com (sample only)
    Typical http web redirection doesn't have any problem at all. When you open your browser and type http://www.google.com it will redirect to the captive portal without any problem.
    Is there any way to redirect https traffic to captive portal as well?

    Redirection only happens on http traffic; a feature request has been issued to have the redirection happen on https.
    Please check the following
    CSCar04580
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
    Please make sure to rate correct answers

  • Is it possible to redirect https traffic to http in CSM?

    Hello,
    I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
    In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
    BTW I have already tried it on the CSM and it is not working. Every time I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
    Thanks for any help offered.
    Murtaza

    I don't have a config in hands for this.
    I have done it before and know this is feasible.
    The redirect is here :
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
    Just change the vip to be only accessible by the SSLM.
    Create the appropriate redirect vserver.
    On the SSLM, send the decrypted traffic to the vip address and port.
    Just as if the Vip was a server.
    Gilles.

  • ISE Guest Portal only redirect HTTPS traffic.

    I have a wireless deployment consisting of the following:
    5760 WLC & ISE 1.2
    Am I missing something here
    I have 4 similar deployments, and never had these issues:
    On Android / Apple devices, the guest portal does not pop up automatically &
    On a Windows Laptop only https traffic directs to the guest portal.
    Thanx

    I think you need to recheck the configuration; also check the link for step-by-step config
    http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

  • SG300 Redirect HTTP Traffic to Proxy

    Dear Cisco Community,
    We have the following setup
    1 x SG300 Switch in Layer 3 Mode
    VLAN 100 (Management VLAN)
    VLAN 200 (Data VLAN for Internet Users)
    The SG300 has an IP4 Interface in each VLAN:
    100: 10.1.1.254 / 24
    200: 10.1.2.254 / 24
    The internet gateway (Zyxel USG-100) is located in VLAN 100.
    In order to restrict the web browsing activities, we're in the process of implementing a Proxy server (GFI Webmonitor).  Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server?  I was thinking of a static route, but then this would apply to all traffic.  Another option would be to block port 80/443 traffic using an ACL, I suppose.
    Any input will be highly appreciated, thank you!
    Kind regards,
    Romeo

    Hi Mohamad,
    I've seen this done in slightly different ways.  One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
    CSM-S Configuration Examples
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
    Another way is like this:
    serverfarm REDIRECT
      nat server
      no nat client
       redirect-vserver REDIRECT
        webhost relocation https://www.example.com/
        inservice
    serverfarm SSL_DC
      no nat server
      no nat client
      real 192.168.78.36 local
       inservice
    vserver VSERVER_80
      virtual 192.168.78.35 tcp 80
      serverfarm REDIRECT
      persistent rebalance
      inservice
    vserver VSERVER_443
      virtual 192.168.78.35 tcp 443
      serverfarm SSL_DC
      persistent rebalance
      inservice
    Hope this helps get you started.
    Sean

  • Redirecting http traffic to the proxy server

    Hi,
    We have a requirement to divert web traffic to blue coat proxy through firewall. Below is the setup
    Requirement:
    We need to divert web traffic from 10.20.200.0/23 [DMZ-STAFFNET] and point it to Bluecoat proxy to process the packets.
    Now that ASA doesn't support PBR to accomplish this, how can we accomplish this ? 

    Hi,
    To list one limitation that you might see in your scenario: you would only be able to redirect the subnets to the proxy from those subnets which are physically behind the interface where the WCCP server resides only, i.e. UNTRUST
    Now, talking about the NAT, why don't you try this NAT if you don't want to NAT the Source part of the Traffic:
    (DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080
    Also, ASA now supports Policy Based routing from ASA 9.4.1 :)
    Thanks and Regards,
    Vibhor Amrodia

  • Redirect HTTPS traffic to HTTP in Tomcat

    Hi,
    We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
    We have successfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS over the internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
    The problem is that the same connection does not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests on port 8080.
    I have seen that Tomcat allows automatic redirections from HTTP to HTTPS (using the redirectPort parameter in the HTTP connector definition).
    But is the opposite possible, to switch automatically from HTTPS to HTTP?
    Regards,
    Joan

    Hi,
    At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
    So no redirections are needed and the question is solved.
    Thanks,
    Joan

  • Redirect http traffic

    I have two web servers, web1 and web2. I would like to set up the two web servers in such a way that some requests are answered by web1. Anything else will be redirected to web2.
    Does anyone know how to set it up in iPlanet?

    Hi,
    This can't be done with iWS (like some requests are answered by web1 and some by web2).
    Probably if a loadbalancer has this feature, this is possible.
    So kindly check out if any 3rd party load balancer has got this feature.
    Thanks,
    Daks.

  • WCCP V2 Question (Redirect https)

    Hello all
    I have been successful in implementing wccp in my multiple vlan environment.
    Router is Cisco 2921
    G0/0 - Internet
    G0/1 - Squid Proxy
    G0/2 - Clients in multiple vlans
    Here is the config:
    ip wccp web-cache redirect-list 120
    interface GigabitEthernet0/2.1
    encapsulation dot1Q 3
    ip address 172.16.1.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    interface GigabitEthernet0/2.2
    encapsulation dot1Q 2
    ip address 172.16.2.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    interface GigabitEthernet0/2.3
    encapsulation dot1Q 3
    ip address 172.16.3.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    access-list 120 remark REDIRECTION_CRITERIA
    access-list 120 deny   ip host 192.168.1.2 any
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
    access-list 120 deny   ip any any
    I have some questions:
    1) In the command "ip wccp web-cache redirect-list 120", "redirect-list 120" is not required since all vlans are clients.
    using  ip wccp web-cache redirect in under all subinterfaces alone would work.
    Am I correct ?
    2) How can I redirect HTTPS traffic to my squid proxy.

    Hello,
    1. "ip wccp web-cache redirect in"
    It would work if you squid proxy have another default gateway to internet.
    Otherwise the traffic from the SQUID is also forwarded. You have to use different interfaces for users and squid. On the subinterface of the SQUID vlan you should not use a wccp configuration.
    2. Web-cache permits only http. You must configure Dynamic WCCP.
    some example:
    in global:
    ip wccp 120 redirect-list 120
    access-list 120 remark REDIRECTION_CRITERIA
    access-list 120 deny   ip host 192.168.1.2 any
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq 443
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq 443
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq 443
    access-list 120 deny   ip any any
    on interface:
    ip wccp 120 redirect in
    See link below for more information
    http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-wccp.html#GUID-5E9AE273-1AFD-4598-9325-85F8C822D168
    Best regards
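The effect of the two redirect lists above, as an added example that is not part of the original posts: a first-match evaluator for ACL 120 that lists which client flows leave the router without being handed to the proxy. The function names and the client addresses used to exercise it are assumptions chosen for illustration; the ACL lines are copied from the posts.

```python
import ipaddress

# ACL 120 from the answer (HTTP + 443), copied from the post, remark line dropped.
ACL_ANSWER = """\
access-list 120 deny   ip host 192.168.1.2 any
access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq 443
access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq 443
access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq 443
access-list 120 deny   ip any any
"""
# ACL 120 from the question is the same list without the 443 entries.
ACL_QUESTION = "".join(l for l in ACL_ANSWER.splitlines(True) if "eq 443" not in l)
PORT_NAMES = {"www": 80}  # the only port keyword the posts use


def parse_acl(text):
    """Parse the subset of extended-ACL syntax used above (destination is always 'any')."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[2] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        if rest[0] == "host":
            src = ipaddress.ip_network(rest[1] + "/32")
        elif rest[0] == "any":
            src = ipaddress.ip_network("0.0.0.0/0")
        else:  # address + wildcard mask; ipaddress accepts the host-mask form
            src = ipaddress.ip_network(rest[0] + "/" + rest[1])
        port = None
        if "eq" in rest:
            name = rest[rest.index("eq") + 1]
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        rules.append((action, proto, src, port))
    return rules


def redirected(rules, src_ip, proto, dport):
    """First matching entry wins; permit means the flow is handed to the proxy."""
    ip = ipaddress.ip_address(src_ip)
    for action, r_proto, src, port in rules:
        if r_proto in ("ip", proto) and ip in src and port in (None, dport):
            return action == "permit"
    return False


def bypassing_flows(acl_text, clients, ports=(80, 443)):
    """(client, port) pairs that leave the router without passing the proxy."""
    rules = parse_acl(acl_text)
    return [(c, p) for c in clients for p in ports if not redirected(rules, c, "tcp", p)]
```

The evaluator models only the redirect list; whether 443 is redirected at all also depends on the service group, since the answer notes that `web-cache` carries HTTP only and a dynamic service is needed.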

  • WLC - Redirect Traffic to Web Proxy

    Hi,
    We need to create Guest WLAN on WLC 5508 which will be used for internet access only.
    My questions are:
    1. Is it possible to use our external web proxy server to authenticate users?
    2. Can we also forward all traffic to the external web proxy to filter the websites that can be accessed (without configuring it on the browser)?
    3. Can this be achieved using the L3 webauth?
    Our topology:
    WLC -- Switch -- ASA Firewall -- Internet -- External Web Proxy
    We are using WLC as DHCP server for Guest WLAN with ASA Firewall as the gateway.
    Any inputs and ideas are appreciated.
    Many thanks.

    Otiynomed,
    I have come across this problem recently as well and ended up using an Internal DHCP server with Option 252 configured which will point Users towards our proxy for authentication. Unfortunately it isn't a perfect setup as the following issues occurred:
    If using Option 252, make sure the wpad file has an internal re-direction for the virtual interface of your anchor controller to allow web-auth redirection otherwise devices will try to get to that address externally
    Some devices don't support Option 252
    You have to set the devices to 'auto proxy discover' whether Windows or Apple
    If using devices running less than iOS 6 then embedding authentication in the proxy settings upon initial connection will still end up with users being prompted for HTTPS authentication constantly. HTTP traffic will work fine however.
    Android devices don't like Option 252 and most of the applications don't work with authentication via a proxy except browsing
    Alternatively, use web-auth but link it to an LDAP server or RADIUS server for authentication and use a transparent proxy. Problem solved

  • Redirect all traffic to http

    Hello,
    I'm running Server 3.1.2 on OSX10.9, I was wondering if there was a way to send all traffic to http versions of webpages and not allow https? 
    I'm working at a school and our current content filter only works with http and doesn't filter https. 
    Sorry if I'm not clear, I'm new at this whole sysadmin thing.

    Hi,
    You can do that with .htaccess  or php
    Here is a link: https://sites.google.com/site/onlyvalidation/page/301-redirect-https-to-http-on-apache-server
    A+

  • Redirect / Block non https traffic

    I have a quick question. Today I setup teaming 2.0 on SLES10.
    After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that teaming sends out is http://server; since I killed http traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443" to see if it would just redirect the port 80 traffic to 8443 on the server - but that did not work. Is there a place I can simply change the email to link to https://server?
    Any other thoughts?
    Cool product by the way!
    Tha
    Dennis

    Dennis,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

    -- Requirement --
    I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
    The web server instance has two listen sockets, 80 and 443.
    The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
    HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
    -- Current set-up --
    The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
    How can I constrain the reverse proxying to HTTPS traffic?
    Thanks for your help,
    Jez

    Thanks Chris that worked perfectly.
    Aside
    Before your solution I had (unsuccessfully) tried the following obj.conf directive
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
    </Client>
    However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

  • Redirecting Non-http traffic

    Gilles,
    we are running GSLB between two sites.
    Is it possible to redirect non-http traffic (e.g. SFTP service) when there is a failure of the services at one site?
    Thanks in advance

    Gilles,
    Thanks for your response.
    As far as option 2 goes, could you please tell me whether the mentioned configuration will work or do I need to make changes?
    Site A
    service remote_site_vip
    11.1.1.1
    keepalive type icmp
    active
    content 1
    vip address 10.1.1.1
    port 8443
    add service 1
    add service 2
    primarysorryserver remote_site_vip
    active
    ****GROUP***
    group redirect
    vip address 10.1.1.1
    add destination service remote_site_vip
    active
    Site B
    service remote_site_vip
    10.1.1.1
    keepalive type icmp
    active
    content 1
    vip address 11.1.1.1
    port 8443
    add service 1
    add service 2
    primarysorryserver remote_site_vip
    active
    ****GROUP***
    group redirect
    vip address 11.1.1.1
    add destination service remote_site_vip
    active
    Thanks in advance

  • Redirecting WCCP to include HTTPS traffic

    I am working at a client site today.  The client uses a Cisco Cache engine in combination with the 4500 Core Switch/Router to redirect HTTP requests to the Cache Engine to either pull cached content, or send it out for fulfillment to the website being requested by the client.  They also use Websense for policy enforcement.  The Cache Engine sends to the Websense Server to either allow or deny.
    I think WCCP redirects port 80 only by default.  The configuration on the Core switch is as follows:
    Ip wccp web-cache.  Then there are "ip wccp redirect in" statements on each VLAN.
    The client today told me that he did not think that https requests were being handled, as he sees users who have no Internet access privileges use HTTPS and get to web sites.
    How can I configure WCCP to include 443 requests as well?
    thx
    Kevin

    Kevin,
    Here's a documentation link for ACNS that describes how to configure HTTPS redirection:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/acns/v55_13/configuration/local/guide/params.html#wp1366561
    Just above this in the same documentation it describes limitations:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/acns/v55_13/configuration/local/guide/params.html#wp1326190
    -Chip
    Please mark this as Answered if it answers your question.
