Cisco WSA: Is it possible to use web proxy in transparent mode without WCCP router?

Hello!
I would like to use Cisco WSA as a web proxy in a transparent way (without any configuration in clients' web browsers), but I don't have a WCCP router. So, is it possible?
If yes, how to do this?
Thank you,
Stephane Walker

Hi Stephane
The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by an access list to the WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to ensure that the proxy is listening on port 80 and that the HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well.
Sample configuration for Cisco router:

    access-list 110 permit tcp any any eq www
    route-map proxy-redirect permit 10
     match ip address 110
     set ip next-hop xxx.xxx.xxx.xxx
    interface ethernet0/1
     ip policy route-map proxy-redirect

xxx.xxx.xxx.xxx is the proxy IP in this case, and access-list 110 defines web traffic (HTTP, TCP/80) as interesting.
The biggest disadvantage of such a solution is the lack of failure detection. If the proxy goes down for some reason, the router will keep redirecting the traffic, causing an internet access outage.
Routers other than Cisco equipment should also have an option to configure policy based routing.
/Artur
P.S. It's not possible to place the WSA in-line between clients and the internet.
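
Added example, not part of Artur's post: one way to address the missing failure detection described above is to tie the PBR next hop to an IP SLA probe, so the router returns to normal routing when the WSA stops answering. The address 192.0.2.10 (standing in for xxx.xxx.xxx.xxx), the SLA and track object numbers, and the HTTPS entry are assumptions for illustration; exact syntax varies by IOS release.

```cisco
! Added example: constructed address and object numbers, not from the thread.
! 192.0.2.10 stands in for the WSA address (xxx.xxx.xxx.xxx above).
!
! Probe the WSA every 10 seconds. ICMP only proves the host is reachable,
! not that the proxy process itself is healthy.
ip sla 1
 icmp-echo 192.0.2.10
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 goes down when the probe fails.
track 1 ip sla 1 reachability
!
! Never redirect the WSA's own outbound requests (avoids a loop if its
! traffic enters through the policy-routed interface), then match client
! HTTP and, if the HTTPS proxy is enabled on the WSA, HTTPS.
access-list 110 deny   tcp host 192.0.2.10 any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
!
! The next hop is used only while track 1 is up; when it is down the
! packet is forwarded by the normal routing table instead.
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop verify-availability 192.0.2.10 1 track 1
!
interface ethernet0/1
 ip policy route-map proxy-redirect
```

With this configuration a WSA outage fails open: web traffic is routed directly and bypasses the proxy's filtering until the track object recovers, so the outage should be alerted on rather than left silent.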

Similar Messages

  • It is possible to use Verizon in travels to Asia, without paying exorbitant fees?

    Is it possible to continue service during travels to Asia, without paying exorbitant fees?  If so, what do I need to do in order to get set up?

        srkey,
    We're happy to assist with your travels to Asia.  What country will you be visiting?  You can view all of our global rates and information here; http://vz.to/17KseUf.  Let us know if you have any questions or need assistance setting any services up. Thanks!
    TrevorC_VZW
    Follow us on Twitter @VZWSupport

  • Using Clustered ASAs in Transparent mode to support VRF based Network ?

    Hi Guys,
    I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
    The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
    As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option, and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525x only supports 200 VLANs).
    I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
    So I need to clarify the following with you guys:
    1) Can I actually do this, or am I missing something?
    2) Are there any limitations that I might run into with this setup?
    3) Is there anyone out there who's doing the same thing, or can you think of a better way to tackle this scenario (with the same hardware and requirements)?
    4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
    Appreciate your input.
    Thanks
    Shamal 

    Is there any expert out there who can answer my query? Much appreciated.

  • Possible to use Web Cache to map sites to URL?

    We've just installed Collaboration Suite 10g. We'd like to setup public URL's to point to different components of OCS. I've already configured our public URL's to point to the OCS Application Server, but I want to take it one step further and configure them to map directly to the specific component.
    Examples (Current Behavior):
    http://meeting.company.com:7778 maps to http://ocs.company.local:7778
    The behavior I want is:
    http://meeting.company.com:7778 mapped to http://ocs.company.local:7778/imtapp/app/prelogin.uix
    Is this possible?

    This should be possible:
    http://download-uk.oracle.com/docs/cd/B14099_17/caching.1012/b14046/intro.htm#i1041096
    You can also do it at HTTP Server level (redirect or rewrite) or with an index.html file that redirects the user.

  • Is it possible to use "english hijrah" on-the-fly without ALTER SESSION?

    SQL> alter session set nls_calendar='english hijrah';
    Session altered.
    SQL> select '29-02-1435', TO_DATE('29-02-1435', 'DD-MM-RRRR') from dual;
    '29-02-1435' TO_DATE('29-02-1435','DD-MM-RRRR')
    29-02-1435 29 Safar 1435
    Hi, the above shows that an input date of '29-02-1435' can be validated as a correct Hijrah date.
    However, is it possible to do such a TO_DATE(), or TO_CHAR() conversion without the overhead of an 'ALTER SESSION' at the start ?
    From within a Gregorian session I tried a few things like below, but they didn't work and give ORA-01756: quoted string not properly terminated
    select TO_CHAR('29-02-1435', 'nls_calendar="English Hijrah"', 'nls_date_format="DD-MM-RRRR")
    from dual;
    All we're needing to do is validate the date as valid Hijrah - no further processing is done.
    Many thanks for any help. Mark

    Sorry - I had been confusing single and double quotes.
    The following shows that it's a valid Arabic date
    SQL> select '29-02-1435', TO_DATE('29-02-1435', 'DD-MM-RRRR', 'nls_calendar=''English Hijrah''')
    2 from dual;
    '29-02-1435' TO_DATE('29-02-
    29-02-1435 02-JAN-14
    and for example if you put a crazy month, it complains
    SQL> select '29-02-1435', TO_DATE('29-92-1435', 'DD-MM-RRRR', 'nls_calendar=''English Hijrah''')
    2 from dual;
    select '29-02-1435', TO_DATE('29-92-1435', 'DD-MM-RRRR', 'nls_calendar=''English Hijrah''')
    ERROR at line 1:
    ORA-01843: not a valid month

  • Is it Possible to use Aep. Files in Pr without After effect on your PC?

    Hi, I have a "minor" problem.
    Basically, I have made some text animation in After Effects and set the comp to Template in the advanced tab.
    Now it can't open on my client's computer because he does not have After Effects on his PC.
    Is there a way to use it in Premiere regardless of not having After Effects on your PC?

    It all depends, in my opinion if you're making an applet to be used by Grandma signing
    is the best way to go since Grandma doesn't know how to change policy and if she
    knew (or asked her grandson) would not take the trouble to change it.
    If you are making an applet for a company, for example to be used for their on-line
    courses signing is not the way to go. Since most companies have a system
    administrator that doesn't like just any applet asking the users the "do you trust" question.
    Because anyone can sign an applet. The default jre installation is for Grandma but in our
    company (and many others) a policy is set up that ignores signatures and will only allow
    extra privileges if this is specified in a policy.
    Now in the java.security you can add a policy, when you point that policy to a location on the Intranet
    users will use this policy without being able to change it (themselves or by malicious software).
    In the .policy file you can provide a keystore so you can (if so needed) provide "signed by" policies.
    http://forum.java.sun.com/thread.jsp?forum=63&thread=524815
    second post and last post for the java class file
    http://forum.java.sun.com/thread.jsp?forum=63&thread=409341
    4th and 6th post

  • Is it possible to switch a IPAD on supervised mode without a MAC PC?

    Hi There!
    We are about to use iPads and IPods for a Point of Sale solution for a customer. I need to activate the supervised mode to use some of our SOTI MobiControl MDM features. Since I have no Mac available is it possible to activate the supervised mode with a Windows machine or on the device?
    Thanks for your help!

    Hi Johan,
    Unfortunately you can't. You need to use Apple Configurator, which is only available for Mac OS X. You can't supervise a device with a Windows machine or on the device itself. Supervision ties management of the device to a specific computer, and Apple has allowed MDMs to take advantage of some of the features that Configurator has. So far, Apple has only made the initial supervision process possible through Apple Configurator by wiping the device and adding the supervision profile to the device.
    I know it's not the answer you want to hear, but I hope it answers your question.
    ~Joe

  • Is it possible to use ICS with a Cisco VPN client to allow pass through access for Domain login for a second machine.

    I have a current machine Windows 7 Pro with a Cisco VPN 3.5v client that currently connects with access to a customers network.
    They shipped a second machine Windows 8.1 Pro without adding local accounts, that is pre-joined to a sub-domain the first system has access to.
    Would it be possible to use the first machine as an ICS or router to allow the second machine to see or access the domain for login, without returning to the customer site and plugging in for a login point?
    Trying to save a 3 to 4 hr trip and lugging a system back for myself and the rest of the team.
    Thanks

    Hi,
    Please refer to this part
    http://windows.microsoft.com/en-hk/windows/using-internet-connection-sharing#1TC=windows-7
    ICS and VPN connections
    If you create a virtual private network (VPN) connection on your host computer to a corporate network and then enable ICS on that connection, all Internet traffic is routed to the corporate network and all of the computers on your home network can access the corporate network. If you don't enable ICS on the VPN connection, other computers won't have access to the Internet or corporate network while the VPN connection is active on the host computer.
    Yolanda Zhu
    TechNet Community Support

  • Is it possible to enable Web Cache gzip compression for 9iAS Disco Viewer?

    Hi,
    Sorry for repeating this question. But it's very urgent and we don't have any idea yet how to solve / work around it:
    To keep it short: Is it possible to use Web Cache gzip compression for pages rendered by 9iAS Discoverer Viewer???
    Our scenario: We have some Discoverer Worksheets which we want to access by ISDN dial in (64 kbit/sec). An average page needs 2 minutes only for sending the html/javascript output rendered by Disco Viewer to the client browser.
    To speed up the response time when users use this slow connection, we want to activate Web Cache gzip compression.
    The problem: But even when we enable Web Cache for Discoverer (configuration.xml and Web Cache rules), Web Cache doesn't compress pages generated by Discoverer Viewer. We found out that the generated responses contain the "content-disposition" HTTP-Header entry. Are we correct that this is the reason why there is no gzip compression? AND DOES ANYONE KNOW A WORKAROUND (p.e. configure Disco not to add the content-disposition http header)???
    Best regards,
    Matthias Scherer

    Matthias,
    Have you raised this as a TAR with Oracle Support? If you've got a specific question, and you need a definitive answer, raising a TAR is the best way to proceed.
    regards
    Mark Rittman

  • Is it possible to enable Web Cache gzip compression with 9iAS Disco Viewer?

    Hi,
    Sorry for repeating this question. But it's very urgent and we don't have any idea yet how to solve / work around it:
    To keep it short: Is it possible to use Web Cache gzip compression for pages rendered by 9iAS Discoverer Viewer???
    Our scenario: We have some Discoverer Worksheets which we want to access by ISDN dial in (64 kbit/sec). An average page needs 2 minutes only for sending the html/javascript output rendered by Disco Viewer to the client browser.
    To speed up the response time when users use this slow connection, we want to activate Web Cache gzip compression.
    The problem: But even when we enable Web Cache for Discoverer (configuration.xml and Web Cache rules), Web Cache doesn't compress pages generated by Discoverer Viewer. We found out that the generated responses contain the "content-disposition" HTTP-Header entry. Are we correct that this is the reason why there is no gzip compression? AND DOES ANYONE KNOW A WORKAROUND (p.e. configure Disco not to add the content-disposition http header)???
    Best regards,
    Matthias Scherer

    When you set the caching rules, you can also specify whether or not you want the pages to be compressed. Web Cache compresses html pages and relies on the accept-encoding: gzip from the client header to determine whether or not to send the content compressed.

  • Steps to enable Web Proxy for https

    I have an S160 WSA and want to enable the Web service for http and https. I am using transparent mode with WCCP.
    This is part of the router configuration:
    ACL:
    access-list 110 permit tcp 192.168.80.0 0.0.7.255 any eq 80
    access-list 120 permit tcp 192.168.80.0 0.0.7.255 any eq 443
    ip wccp 97 redirect-list 110
    ip wccp 98 redirect-list 120
    interface FastEthernet0/0.380
    ip wccp 97 redirect in
    ip wccp 98 redirect in
    It is the same configuration for http and for https, but only http traffic is working. When I look at the logs in the WSA, the https connections appear as accepted.
    In Security Services -> Web Proxy it is enabled. When I add port 443, I get an https error on the end user's laptop; when I don't, it keeps trying and I get a timeout.
    I tried enabling the https proxy, but some sites (such as gmail) won't work with self-generated certificates.
    Would you please list the steps to enable Proxy services for https?
    Thanks!!!
    Sergio L.

    Hi Sergio,
    When WSA is configured as a transparent proxy, it also accepts explicit connections. So in order to test the HTTPS proxy, you can configure the client browser to explicitly use WSA as proxy and see if it is working before testing in transparent mode.
    When WSA is used as HTTPS proxy, it uses its self-generated certificate to encrypt the connection between itself and the client browser. Since this certificate is not trusted by the browser, it'll throw an SSL certificate error when connecting via WSA. In order to get rid of this error, download the self-generated certificate from WSA and install it in your browser as a trusted certificate. That should resolve the SSL issue with gmail also.
    Hope this helps.
    Thanks,
    Chetan

  • Purchase order replication – extended classic scenario using XML proxy via PI

    Hi Experts
    Question:
    In case of extended classic deployment, is it possible to use XML proxy to transfer SRM purchase orders to ECC? As we know, as of SRM 7.01 it's via RFC. From SRM 7.02 onwards, does SAP support XML for ECS too?
    Has anyone read about this in any of the SAP forums?
    Background: In our project, the client has invested heavily in XI and XI monitoring and troubleshooting, integrated with SAP SOLMAN, and would like to opt for the XML mode of transfer and reuse the existing solution. This is the main reason we would like to be very clear in our understanding before we go back to the client.
    We appreciate your time and support.
    Regards
    Prashanth

    Dear Rahul,
    Thanks for your input.
    Let me give you an example of the behaviour:
    in PPOMA_BBP TOG assigned to user has : DQ with $1000 and upper percentage 5%.
    User orders a PO  with quantity=1000, price $100;
    No additional tolerances assigned in the PO itself
    User tries to enter confirmation with quantity 1001 (so qty variance converted to currency amount results in $100 over delivery) So the confirmation is under both the 5% and the $1000 limit.
    In that case I don't receive an error message from the SRM, but the error message "Backend Purchase Order quantity exceeded by 1 EA" from ECC still prevents me from posting the Confirmation. And this is the problem I haven't been able to solve so far.
    So I want the TOG tolerance to be used. And I am also happy with the absolute limit always having priority over percentage limit...
    But I am trying to find a way to get rid of the back end message (with assigning a tolerance to the PO itself as the will get rid of the absolute limit see my previous post.)
    Cheers
    Ulrike

  • How to use a proxy with java applications?

    I have a nokia 6300 type s40v3
    hello,
    I would like to know if it is possible to use a proxy of any kind with java applications, and how?
    thank you

    Well, it works well when, in my applet, I do something like this:

        URL url = new URL(host);
        URLConnection connexion = url.openConnection();

    My applet uses proxy settings from IE6, but only if I use Java 1.4.2_08.
    With IE6 and Java 1.5.04, it doesn't work (my applet doesn't use proxy settings)
    With Firefox and Java 1.5.04, it's ok
    Have you already seen a problem like this with Java 1.5.04 ?

  • Basic Authentication SSO, Web proxy, Rewriter issue

    I have iPS 3.0 SP4.
    I have configured the Gateway to do single signon for HTTP Basic Authentication. My external application also requires a web proxy to connect, so I added the proxy to the "DNS Domain and Subdomains" list. My "Rewrite all URLs Enabled" is not checked.
    I added a link to the external application in the Bookmark channel. When I click on the link, a new browser window is launched, SSO happened (verified from iwtGateway log), but the contents kept going back to the Portal Desktop instead of the external application.
    I found out that the external application is using the URL location information of the browser to extract the protocol, host and port info to construct the target page using JavaScript. By the Gateway rewriting the URL, the JavaScript is incorrectly using the Gateway host and port, instead of the application host and port.
    How do I set up the Gateway to do Basic Auth SSO, use a web proxy to fetch the content, but NOT do URL rewriting? Our users have access to the application directly, so we do not need to run the app behind the Gateway. But I need to use the Gateway to do the SSO. Also, since the "DNS Domain and Subdomains" list is used for both proxy definition and rewriting, how do I make them mutually exclusive, i.e. I want to use the web proxy but do not want rewriting?
    Can you also suggest other ways of doing Basic Authentication SSO without using the Gateway? I have seen some discussions on using the Authenticator class and a separate Servlet. Please post me an example.
    Thanks.

    Yes, I have already tried the option you suggested. I had previously created a JSP channel that has a link invoking my servlet. This servlet, reads the user profile from an external LDAP and sends the Authorization header on a URLConnection object, just like you described it.
    However, I cannot just simply render the returned content on the InputStream of the URLConnection. The browser/client is actually connected to the servlet - so presenting the images and links directly will be relative to the servlet machine, not the external app. So the images and links do not work.
    If I do a request.sendRedirect(...), the external application will ask for the auth header again. The browser has not captured the auth header that was sent earlier by the servlet.
    How do you tell the browser to keep the auth header for all subsequent request? Is the Gateway SSO approach telling the browser to keep sending the auth header, or is the Gateway programmatically adding the auth header for each request?

  • Problem on Setting up a Reverse Proxy on Web Proxy Server 4.0.1

    After you setup a reverse proxy using Web Proxy Server 4.0.1, if you get the following error --
    Proxy denies fulfilling the request
    Your client is not allowed to access the requested object.
    You probably forgot to add a regular mapping from: / to: http://http.site.com/. The information provided in the 4.0.1 Administration Guide is misleading. You will have to add it NOW manually. (Note: in 3.6 it will be added automatically.)
    You will have to do the following step manually; what is provided in the manual is misleading --
    Sun Java™ System Web Proxy Server 4.0.1 Administration Guide 2005Q4
    Chapter 14 Using a Reverse Proxy
    "Setting up a Reverse Proxy"
    5. To make the change, click OK.
    Once you click the OK button, the proxy server adds one or more additional
    mappings. To see the mappings, click the link called View/Edit Mappings.
    Additional mappings would be in the following format:
    from: /
    to: http://http.site.com/

    thanks, will verify and update the docs.
    rahul.
