Can a WLC redirect HTTPS traffic in a CWA environment
Hi Guys.
Regarding ISE, CWA and WLC, I'm seeing that when you connect to the SSID and open your navigator, if the URL is an HTTPS URL the traffic is not redirected to the ISE Portal using CWA. I thought that the WebAuth Proxy Redirection Port option of the WLC only works when it has the portal (LWA) but not in CWA.
I only found information about the redirection of the traffic when it is an HTTP connection (port 80).
Is it possible to redirect HTTPS traffic in a CWA deployment? Most of my users use Google Chrome and, in some scenarios, any search using Google is in HTTPS mode and the captive portal is not shown.
Thanks.
Best regards.
No, the WLC is not able to redirect HTTPS pages.
You can, however, add other ports (other than 80) that can be redirected in case of proxy etc.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered
Similar Messages
-
How to redirect https traffic to captive portal?
Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
This is unusual scenario wherein clients have a default homepage to https://www.google.com (sample only)
Typical http web redirection don't have any problem at all. When you open your browser and type http://www.google.com it will redirect to captive portal without any problem.
Is there any way to redirect https traffic to captive portal as well?
Redirection only happens on http traffic; a feature request has been issued to have the redirection happen on https.
please check the following
CSCar04580
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
Please make sure to rate correct answers -
Is it possible to redirect https traffic to http in CSM?
Hello,
I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
BTW I have already tried it on the CSM and it is not working. Every time I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
Thanks for any help offered.
Murtaza
I don't have a config in hand for this.
I have done it before and know this is feasible.
The redirect is here :
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
Just change the vip to be only accessible by the SSLM.
Create the appropriate redirect vserver.
On the SSLM, send the decrypted traffic to the vip address and port.
Just as if the Vip was a server.
Gilles. -
ISE Guest Portal only redirect HTTPS traffic.
I have a wireless deployment consisting of the following:
5760 WLC & ISE 1.2
Am I missing something here
I have 4 similar deployments, and never had these issues:
On Android / Apple devices, the guest portal does not pop up automatically &
On a Windows Laptop only https traffic directs to the guest portal.
Thanx
I think you need to recheck the configuration; also check the link for step-by-step config
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html -
SG300 Redirect HTTP Traffic to Proxy
Dear Cisco Community,
We have the following setup
1 x SG300 Switch in Layer 3 Mode
VLAN 100 (Management VLAN)
VLAN 200 (Data VLAN for Internet Users)
The SG300 has an IP4 Interface in each VLAN:
100: 10.1.1.254 / 24
200: 10.1.2.254 / 24
The internet gateway (Zyxel USG-100) is located in VLAN 100.
In order to restrict the web browsing activities, we're in the process of implementing a Proxy server (GFI Webmonitor). Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server? I was thinking of a static route, but then this would apply to all traffic. Another option would be to block port 80/443 traffic using an ACL I suppose?
Any input will be highly appreciated, thank you!
Kind regards,
Romeo
Hi Mohamad,
I've seen this done in slightly different ways. One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
CSM-S Configuration Examples
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
Another way is like this:
serverfarm REDIRECT
nat server
no nat client
redirect-vserver REDIRECT
webhost relocation https://www.example.com/
inservice
serverfarm SSL_DC
no nat server
no nat client
real 192.168.78.36 local
inservice
vserver VSERVER_80
virtual 192.168.78.35 tcp 80
serverfarm REDIRECT
persistent rebalance
inservice
vserver VSERVER_443
virtual 192.168.78.35 tcp 443
serverfarm SSL_DC
persistent rebalance
inservice
Hope this helps get you started.
Sean -
Redirecting http traffic to the proxy server
Hi,
We have a requirement to divert web traffic to blue coat proxy through firewall. Below is the setup
Requirement:
We need to divert web traffic from 10.20.200.0/23 [DMZ-STAFFNET] and point it to Bluecoat proxy to process the packets.
Now that ASA doesn't support PBR to accomplish this, how can we accomplish this?
Hi,
To list one limitation that you might see in your scenario, you would only be able to redirect the subnets to the proxy from those subnets which are physically behind the interface where the WCCP server resides only, i.e. UNTRUST
Now, talking about the NAT, why don't you try this NAT if you don't want to NAT the Source part of the Traffic:
(DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080
Also, ASA now supports Policy Based routing from ASA 9.4.1 :)
Thanks and Regards,
Vibhor Amrodia -
Redirect HTTPS traffic to HTTP in Tomcat
Hi,
We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
We have successfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS over the internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
The problem is that the same connection does not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests on port 8080.
I have seen that Tomcat allows automatic redirections from HTTP to HTTPS (using the redirectPort parameter in the HTTP connector definition).
But is the opposite possible, to switch automatically from HTTPS to HTTP?
Regards,
Joan
Hi,
At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
So no redirections are needed and the question is solved.
Thanks,
Joan -
I have two web servers, web1 and web2. I would like to set up the two web servers in such a way that some requests are answered by web1. Anything else will be redirected to web2.
Does anyone know how to set it up in iPlanet?
Hi,
This can't be done with iWS (like some requests are answered by web1 and some by web2).
Probably if a loadbalancer has this feature, this is possible.
So kindly check out if any 3rd party load balancer has got this feature.
Thanks,
Daks. -
WCCP V2 Question (Redirect https)
Hello all
I have been successful in implementing wccp in my multiple vlan environment.
Router is Cisco 2921
G0/0 - Internet
G0/1 - Squid Proxy
G0/2 - Clients in multiple vlans
Here is the config:
ip wccp web-cache redirect-list 120
interface GigabitEthernet0/2.1
encapsulation dot1Q 3
ip address 172.16.1.1 255.255.255.0
ip wccp web-cache redirect in
ip nat inside
interface GigabitEthernet0/2.2
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip wccp web-cache redirect in
ip nat inside
interface GigabitEthernet0/2.3
encapsulation dot1Q 3
ip address 172.16.3.1 255.255.255.0
ip wccp web-cache redirect in
ip nat inside
access-list 120 remark REDIRECTION_CRITERIA
access-list 120 deny ip host 192.168.1.2 any
access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
access-list 120 deny ip any any
I have some questions:
1) In the command "ip wccp web-cache redirect-list 120", "redirect-list 120" is not required since all vlans are clients.
using ip wccp web-cache redirect in under all subinterfaces alone would work.
Am I correct ?
2) How can I redirect HTTPS traffic to my squid proxy?
Hello,
1. "ip wccp web-cache redirect in"
It would work if your squid proxy has another default gateway to the internet.
Otherwise the traffic from the SQUID is also forwarded. You have to use different interfaces for users and squid. On the SQUID VLAN subinterface you should not use a WCCP configuration.
2. Web-cache permits only http. You must configure Dynamic WCCP.
some example:
in global:
ip wccp 120 redirect-list 120
access-list 120 remark REDIRECTION_CRITERIA
access-list 120 deny ip host 192.168.1.2 any
access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq 443
access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq 443
access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq 443
access-list 120 deny ip any any
on interface:
ip wccp 120 redirect in
See link below for more information
http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-wccp.html#GUID-5E9AE273-1AFD-4598-9325-85F8C822D168
Best regards -
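To check which client flows a WCCP redirect-list like the ones in this thread actually selects, the following Python sketch (an added example, not code from either poster or from Cisco) evaluates both versions of access-list 120 with first-match semantics. It parses only the ACL syntax that appears above; the probe addresses and the function names are assumptions made for the illustration.

```python
import ipaddress

# Redirect-list copied from the question above (HTTP only); the reply's list is derived from it.
ACL_HTTP_ONLY = """\
access-list 120 deny ip host 192.168.1.2 any
access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
access-list 120 deny ip any any
"""
ACL_WITH_443 = "".join(ln + (ln.replace("eq www", "eq 443") if "eq www" in ln else "")
                       for ln in ACL_HTTP_ONLY.splitlines(keepends=True))

def _addr(tok):  # pops one of: any | host A | A WILDCARD, returns (base, wildcard)
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text):
    """Parse only the extended-ACL subset that appears on this page."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _addr(rest), _addr(rest)
        port = ({"www": 80}.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _hit(spec, ip):  # wildcard-mask comparison: bits set in the mask are ignored
    return (int(ipaddress.IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def redirected(rules, proto, src, dst, dport):
    """First match wins: permit = redirect to the proxy, deny or no match = forward."""
    for action, rp, rs, rd, rport in rules:
        if rp in ("ip", proto) and _hit(rs, src) and _hit(rd, dst) and rport in (None, dport):
            return action == "permit"
    return False

FLOWS = [("tcp", "172.16.1.10", "203.0.113.5", 80),    # constructed probe flows
         ("tcp", "172.16.1.10", "203.0.113.5", 443),
         ("tcp", "192.168.1.2", "203.0.113.5", 443),   # host the ACL excludes
         ("tcp", "172.16.4.10", "203.0.113.5", 443)]   # subnet the ACL does not list

def coverage(acl_text):
    return [redirected(parse_acl(acl_text), *flow) for flow in FLOWS]

if __name__ == "__main__":
    print(coverage(ACL_HTTP_ONLY), coverage(ACL_WITH_443))
```

A flow that the list permits is still only redirected when the WCCP service group carries that port, which is why the reply replaces web-cache with a dynamic service.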
WLC - Redirect Traffic to Web Proxy
Hi,
We need to create Guest WLAN on WLC 5508 which will be used for internet access only.
My questions are:
1. Is it possible to use our external web proxy server to authenticate users?
2. Can we also forward all traffic to the external web proxy to filter the websites that can be accessed (without configuring it on the browser)?
3. Can this be achieved using the L3 webauth?
Our topology:
WLC -- Switch -- ASA Firewall -- Internet -- External Web Proxy
We are using WLC as DHCP server for Guest WLAN with ASA Firewall as the gateway.
Any inputs and ideas are appreciated.
Many thanks.
Otiynomed,
I have come across this problem recently as well and ended up using an Internal DHCP server with Option 252 configured which will point Users towards our proxy for authentication. Unfortunately it isn't a perfect setup as the following issues occurred:
If using Option 252, make sure the wpad file has an internal re-direction for the virtual interface of your anchor controller to allow web-auth redirection otherwise devices will try to get to that address externally
Some devices don't support Option 252
You have to set the devices to 'auto proxy discover' whether Windows or Apple
If using devices running less than iOS 6 then embedding authentication in the proxy settings upon initial connection will still end up with users being prompted for HTTPS authentication constantly. HTTP traffic will work fine however.
Android devices don't like Option 252 and most of the applications don't work with authentication via a proxy except browsing
Alternatively, use web-auth but link it to an LDAP server or RADIUS server for authentication and use a transparent proxy. Problem solved -
Hello,
I'm running Server 3.1.2 on OSX10.9, I was wondering if there was a way to send all traffic to http versions of webpages and not allow https?
I'm working at a school and our current content filter only works with http and doesn't filter https.
Sorry if I'm not clear, I'm new at this whole sysadmin thing.
Hi,
You can do that with .htaccess or php
Here is a link: https://sites.google.com/site/onlyvalidation/page/301-redirect-https-to-http-on-apache-server
A+ -
Redirect / Block non https traffic
I have a quick question. Today I setup teaming 2.0 on SLES10.
After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that teaming sends out is http://server; since I killed http traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443" to see if it would just redirect the port 80 traffic to 8443 on the server - but that did not work. Is there a place I can simply change the email to link to https://server?
Any other thoughts?
Cool product by the way!
Tha
Dennis
Dennis,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI
-- Requirement --
I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
The web server instance has two listen sockets, 80 and 443.
The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
-- Current set-up --
The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
How can I constrain the reverse proxying to HTTPS traffic?
Thanks for your help,
Jez
Thanks Chris, that worked perfectly.
Aside
Before your solution I had (unsuccessfully) tried the following obj.conf directive
<Client security="false">
NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
</Client>
However, it didn't work - is it not possible to use the <Client security="false"> in this manner? -
Gilles,
we are running GSLB between two sites.
Is it possible to redirect non-http traffic (e.g. SFTP service) when there is a failure of the services at one site?
Thanks in advance
Gilles,
Thanks for your response.
As far as option 2 - could you please tell whether the mentioned configuration will work or do I need to make changes?
Site A
service remote_site_vip
11.1.1.1
keepalive type icmp
active
content 1
vip address 10.1.1.1
port 8443
add service 1
add service 2
primarysorryserver remote_site_vip
active
****GROUP***
group redirect
vip address 10.1.1.1
add destination service remote_site_vip
active
Site B
service remote_site_vip
10.1.1.1
keepalive type icmp
active
content 1
vip address 11.1.1.1
port 8443
add service 1
add service 2
primarysorryserver remote_site_vip
active
****GROUP***
group redirect
vip address 11.1.1.1
add destination service remote_site_vip
active
Thanks in advance -
Redirecting WCCP to include HTTPS traffic
I am working at a client site today. The client uses a Cisco Cache engine in combination with the 4500 Core Switch/Router to redirect HTTP requests to the Cache Engine to either pull cached content, or send it out for fulfillment to the website being requested by the client. They also use Websense for policy enforcement. The Cache Engine sends to the Websense Server to either allow or deny.
I think WCCP redirects port 80 only by default. The configuration on the Core switch is as follows:
Ip wccp web-cache. Then there are "ip wccp redirect in" statements on each VLAN.
The client today told me that he did not think that https requests were being handled, as he sees users who have no Internet access privileges use HTTPS and get to web sites.
How can I configure WCCP to include 443 requests as well?
thx
Kevin
Kevin,
Here's a documentation link for ACNS that describes how to configure HTTPS redirection:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/acns/v55_13/configuration/local/guide/params.html#wp1366561
Just above this in the same documentation it describes limitations:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/waas/acns/v55_13/configuration/local/guide/params.html#wp1326190
-Chip
Please mark this as Answered if it answers your question.