Cookie persistence for HTTP traffic

hello,
I have the following situation: on an 11506, clients connect to a VIP on port 80, and this VIP maps to port 7777 on 2 services. The objective is to configure cookie persistence for HTTP. The cookie persistence should be for URI /thestring/
I have used
advanced-balance cookies
string prefix "/thestring/"
in the content rule and it did not work.
Does this have anything to do with the port changing from 80 to 7777, or am I missing something for cookie persistence?
Regards
Bassam

Thanks for your reply; still, it sometimes works and sometimes doesn't.
my service config:
service ebizsso1
keepalive frequency 3
keepalive port 7777
ip address 10.10.230.82
port 7777
protocol tcp
string /oiddas/
active
my content rule
content ebizsso-servers
add service ebizsso1
vip address 10.10.231.9
protocol tcp
port 80
advanced-balance cookieurl
string prefix "/oiddas/"
active
Is this what is required?
thank you
bassam

Similar Messages

  • ACE - Load Balance insert cookie method for https

    I am trying to load balance between 2 web servers using the cookie insert method by ACE for achieving the session persistence. The servers are not inserting any cookie. It works fine for the http connections but when trying with https connection it is not working.
    Can anyone help me with this please.
    Is it that the ACE cookie insert method of session persistence will not work with https connections?

    Hi,
    1. for https you can use src ip as sticky (mega proxy problem).
    2. you can terminate ssl connection on ace (ssl between client and ace only, between ace and server it's clear) and you can use any L7 sticky (for example cookie)
    3. if you need ssl terminate up to real server, you can first terminate ssl between client and ace on ace, then use L7 sticky and after then terminate second ssl to real server.
    in other words, if you don't decrypt ssl on ace, you can use only L2/3 data for sticky (or ssl id for ssl v2.0)
    martin

  • QoS value for http traffic from IP Phone

    Since the phone marks all voice with COS 5 and data traffic with COS 0, does this also include traffic sourced from the IP Phone's HTTP requests when doing Directory Lookups and IP Phone Services?
    Thanks!

    With 4.1 and up (not sure if 4.0 had this), this traffic is marked with TOS 3 or DSCP CS3 (24). You can modify this enterprise parameter to whatever you want.
    DSCP for SCCP Phone-based Services :
    This parameter specifies the Differentiated Service Code Point (DSCP) IP classification for IP phone services on SCCP-based phones, including any HTTP traffic. Note: You must restart SCCP-based phones for this parameter change to take effect.
    This is a required field.
    Default: default DSCP (000000).
    Restart SCCP-based phones for the parameter change to take effect.
    HTH
    Sankar
    PS: please remember to rate posts!

  • Kerberos encryption for HTTP traffic

    Hello
    I am writing a client for the WinRM service (Windows Vista). This service uses the SOAP protocol for communication.
    And I cannot make subscription for Windows events using Push method.
    The issue is when I try to make an events subscription - Vista tries to test the connection with my server, but I don't know what I should send back for the test connection request to Vista WinRM... :(
    I didn't find it in MSDN.
    Subscription request is:
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ew="http://www.example.com/warnings'" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://www.w3.org/2001/XMLSchema">
    <env:Header>
    <a:To s:mustUnderstand="true">HTTP://winrmcient:80/wsman/</a:To>
    <w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>
    <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>
    <a:MessageID s:mustUnderstand="true">uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:MessageID>
    <a:ReplyTo>
    <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
    </a:ReplyTo>
    <w:MaxEnvelopeSize>262144</w:MaxEnvelopeSize>
    <w:Locale xml:lang="en-US"/>
    <w:OperationTimeout>PT5M0.000S</w:OperationTimeout>
    <w:OptionSet>
    <w:Option Name="ReadExistingEvents" mustComply="false"/>
    <w:Option Name="ContentFormat">RenderedText</w:Option>
    </w:OptionSet>
    </env:Header>
    <env:Body>
    <e:Subscribe>
    <e:Delivery e:Mode="http://schemas.xmlsoap.org/ws/2004/08/eventing/DeliveryModes/Push">
    <e:NotifyTo>
    <a:Address>http://Antares:443</a:Address>
    </e:NotifyTo>
    </e:Delivery>
    <e:Expires>PT12H0M0.000S</e:Expires>
    <w:Filter>
    <QueryList>
    <Query Path="Security">
    <Select>*</Select>
    </Query>
    <Query Path="System">
    <Select>*</Select>
    </Query>
    <Query Path="Application">
    <Select>*</Select>
    </Query>
    </QueryList>
    </w:Filter>
    <w:SendBookmarks/>
    </e:Subscribe>
    </env:Body>
    </env:Envelope>
    The WinRM connection test request is a request with an empty content length and with these headers:
    Host=[Antares:443], Content-type=[application/soap+xml;charset=UTF-16], Content-length=[0], Connection=[Keep-Alive], Authorization=[Kerberos <token omitted>], User-agent=[Microsoft WinRM Client]
    I tried to send an empty response (with the same test request header) for the test request, but it doesn't have any effect.
    WinRM subscription response is:
    <?xml version="1.0" encoding="UTF-8"?>
    <s:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xml:lang="en-US">
    <s:Header>
    <a:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/fault</a:Action>
    <a:MessageID>uuid:B83898C7-9F93-4E7A-8C8C-B72C7D189908</a:MessageID>
    <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
    <a:RelatesTo>uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:RelatesTo>
    </s:Header>
    <s:Body>
    <s:Fault>
    <env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <s:Value>s:Sender</s:Value>
    <s:Subcode>
    <s:Value>e:EventSourceUnableToProcess</s:Value>
    </s:Subcode>
    </env:Code>
    <env:Reason xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <s:Text xml:lang="en-US">The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </s:Text>
    </env:Reason>
    <s:Detail>
    <w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/UnusableAddress</w:FaultDetail>
    <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="">
    <f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message>
    </f:WSManFault>
    </s:Detail>
    </s:Fault>
    </s:Body>
    </s:Envelope>
    In the WinRM documentation I see:
    Note: HTTP traffic by default only allows messages encrypted with the Negotiate or Kerberos SSP.
    But I use a simple Java HttpConnection and there are no references to Kerberos in the JavaDoc for this class... :(
    One more - I use BASIC authentication.
    Does anybody know what I should send back for the connection test request?

    Sorry, I forgot to set "java.security.krb5.conf" and "java.security.auth.login.config" properties.
    But after I set these properties I've got another exception:
    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
         at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
         at com.symantec.cas.ucf.sensors.ws_management.WSServer.start(WSServer.java:132)
    Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
         at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
         at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
         at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
         at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
         ... 28 more
    But it seems to me that I've set the login module correctly:
    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=false useTicketCache=false;
    };
    Maybe I missed something...
    What do you think about it?

  • WSA access logging for HTTPS traffic

    Hi,
    We have a WSA S370 with AsyncOS version 7.5.1-079 and it is configured as a transparent proxy.
    HTTPS proxy is enabled and all the URL categories are set to pass through (no decrypting or monitoring).
    Seems like the WSA does not generate logs for HTTPS transactions.
    I would like to know whether this is the expected behaviour.
    Is there any way that I can monitor HTTPS transactions without decrypting ?
    Thanks,
    Wipula.

    In addition to what Ken mentioned, the only way you can monitor HTTPS traffic without decrypting it is by IP address.
    In the access logs, you will see the following transaction when accessing an HTTPS site (google for example):
    TCP_CONNECT 74.125.101.50
    It will only report URLs once decrypted.  At that point, it is just HTTP.
    -Vance

  • Multiple HTTP Servers, 1 for HTTP and other for HTTPS

    I am trying to install 9ias 1.0.2.2.2 on 2 machines both running Solaris. The 1st machine hosts the database (8.1.7.4) and the other hosts the App server (9ias). What I am trying to achieve is to have 2 listeners: one for HTTP traffic and the other for HTTPS traffic. Has anyone configured this and could shed some light and enlighten me?
    With all the notes I have read, I have understood that I basically need to install 2 instances of Apache in 2 different Oracle Homes, but my question is how I can have just one portal repository, or rather I should say if somebody could guide me through installing the 2 instances of Apache.
    Thanks
    Mir

    You left out Twixl.
    Bob

  • WEB_CAT User Notifications different for http and https

    Hi,
    We're using AsyncOS 7.5 on an Ironport S360.
    When a user accesses a URL which according to URL Category Filtering is forbidden
    (e.g. www.mydrive.ch) then the Error Message when using http is:
    This Page Cannot Be Displayed
    Based on your organization's policies, access to this web site (http://www.mydrive.ch/ )
    has been blocked because the web category .... is not allowed.
    Date:
    Username:
    Source:
    URL:
    Category:
    Reason:
    Notification:
    If on the other hand the user uses https then the error message looks like this:
    The proxy server is refusing connections
    Firefox is configured to use a proxy that is refusing connections.
    - Check the proxy settings ...
    - Contact your network administrator ...
    Does anyone know why is that and how can I make it use the former notification for both cases?

    Hi Jannis,
    In an HTTP policy or access policy, the returned log for traffic blocked due to category is BLOCK_WEBCAT, and you will also see a TCP_DENIED/403 in the line.
    In a decryption policy for HTTPS traffic, the returned log for traffic blocked due to category is DROP_WEBCAT, and you will also see a TCP_DENIED/403 in the response.
    With policy trace:
    For HTTPS traffic it should reply with information that indicates that the HTTPS request dropped based on URL category.
    And for HTTP traffic, it should reply with "Request blocked based on URL category"
    Also, you can determine which policy that triggers the blocking, whether it is the access policy (for HTTP) or decryption policy (for HTTPS).
    thanks,
    Donny

  • How to shape a 5Mbit link (4Mb reserved for HTTP, 1Mbit for all else)

    I have a dual-NIC linux router.  Internal LAN is on eth0. External (Internet) is on eth1.  Our Internet is 5Mbit dedicated link.  I'd like to setup traffic shaping to guarantee 4Mbit for HTTP traffic, and whatever is leftover (1Mbit) for SMTP and any other traffic.
    Is there a simple way to accomplish this?

    Try to google QoS Linux. As far as I can say, what you want is QoS (quality of service).

  • MPF ASA for Web Filtering. Https traffic

    SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
    Hi all,
    I have the following configuration in my ASA based on guidelines from the above source to allow only certain sites in my home and block all requests to http and https sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
    access-list WEBFILTER extended permit tcp any any eq www
    access-list WEBFILTER extended permit tcp any any eq https
    regex allowex1 "website1\.com"
    regex allowex2 "website2\.com"
    class-map type inspect http match-all allow-url-class
    match not request header host regex allowex1
    match not request header host regex allowex2
    class-map allow-user-class
    match access-list WEBFILTER
    policy-map type inspect http allow-url-policy
    parameters
    class allow-url-class
      drop-connection
    policy-map allow-user-url-policy
    class allow-user-class
      inspect http allow-url-policy
    service-policy allow-user-url-policy interface inside
    HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
    Thanks in advance for your help
    Juan

    Is it even possible for MPF on the ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
    (config)# class-map type inspect ?
    configure mode commands/options:
      dns   Configure a class-map of type DNS
      ftp   Configure a class-map of type FTP
      h323  Configure a class-map of type H323
      http  Configure a class-map of type HTTP
      im    Configure a class-map of type IM
      sip   Configure a class-map of type SIP

  • Can CSS route based on cookie info in HTTP request

    Hi
    I am new to CSS and am interested as it might be able to provide a solution to a problem I have seen.
    We currently have 3 Windows Servers running an ASP-based web application with a clustered SQL Server backend. The front end uses windows load balancing to distribute the load. All 3 servers are configured the same and there is only one application.
    The problem lies with the way the application maintains session state. I am told it uses a non-persistent cookie on the client which corresponds to a session object on the server, as opposed to maintaining state in a central location such as the database. Obviously this means the client needs to be stuck to a particular server for that session. This is currently achieved by setting the Windows NLB to single affinity, which places traffic from a particular IP address on the same server. This does work, but the client's source IP is changed by a downstream firewall to a NAT overload address, meaning all clients appear with the same IP address (different port) and hence always end up on just one server.
    The obvious next step in my mind would be to change the way NAT is done but this is not possible. The next obvious idea would be to change the application so that it maintains state in the database so the affinity of the Windows NLB could be disabled meaning requests would be dealt with using the source IP and port and hence distributed evenly. I am told this cannot be done either :) Joy!
    So I have begun to look at other possible solutions. Apologies for my very limited knowledge of the CSS, as I am trying to get my head around how it can be configured. I am thinking that it may be able to help me if I used it instead of Windows NLB. I am interested in the way you can use Layer 5 stickiness. Would it be able to examine the cookie in the HTTP request and route the traffic to the correct server?
    I am aware that this will not alleviate the failover issue. If one of the servers were to fall over then the client would have to login again, however I am under the impression that this is acceptable behaviour. The main driver here is to provide load balancing to improve application performance by using all resources opposed to just one.
    Many many thanks to anyone who can give me advice on this.

    Hi Gilles
    Thanks for the info. Sounds like we are on the right path. Unfortunately I am unable to get much information from the developers. Long story. I did logon to the system whilst doing a network trace. The following is what I found in the HTTP header:
    Hypertext Transfer Protocol
    GET /XXXXX/Includes/style.asp HTTP/1.1\r\n
    Accept: */*\r\n
    Referer:
    http://xxx.xxxxx.xxx/xxxxx/login.asp\r\n
    Accept-Language: en-gb\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\n
    Host: xxxx.xxxxx.xxxxx\r\n
    Connection: Keep-Alive\r\n
    Cookie: ASPSESSIONIDQCBCDSCR=AEHBCJEDDGMMCCBHBICLELGD\r\n
    \r\n
    Why do you configure 2 services? How would I go about this given the cookie in the HTTP request?
    Many thanks
    Gary

  • WSA blocking HTTPS traffic -allowing HTTP

    We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers.  The local network design is as follows:
    WLC5508 (Foreign)     >>     WLC5508 (Anchor)     >>     ACE20 Context     >>     WSA 170     >>     FWSM     >>     Internet
    Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
    Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
    ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
    HTTP traffic works fine, HTTPS traffic fails. The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiate to use TLSv1, then the error below is shown.
    Fails
    57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
    1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
    1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
    I have seen this error posted before but no resolution.  I'm sure this is a config problem, but cannot figure why or where!
    Any ideas, thoughts or help would be great...
    Cheers

    Hi axa,
    This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled, which would be required since you're not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator
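
    An added Python example (not WSA code, and not from any post here) that reads WSA access-log lines in the layout of the lines quoted above: it separates an undecrypted CONNECT tunnel, where only the destination IP is logged as the access-logging thread notes, from decrypted HTTPS and cleartext HTTP, and maps the decision tag to the policy named in the WEB_CAT and blocking threads (BLOCK_WEBCAT, DROP_WEBCAT, BLOCK_ADMIN). The third sample line and the field names in the parser are my own constructions.

```python
"""Triage Cisco WSA access-log lines (field layout taken from the lines quoted above)."""
import re

SCORECARD = '<-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-">'

SAMPLE_LINES = [
    # Two lines quoted from the thread above, trailing key=value fields shortened.
    "1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - "
    f"OTHER-NONE-NONE-NONE-NONE-NONE-NONE {SCORECARD} - s-ip= 255.255.255.255 s-port= 443 "
    "webcat-code= - cs-version= 0 c-port= 54931 cs-bytes= 0 cs-user-agent= - cs-cookie= -",
    "1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa "
    f"- NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE {SCORECARD} - "
    "s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 c-port= 54931 cs-bytes= 598 "
    'cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" cs-referer= - cs-cookie= -',
    # Constructed line: a URL-category block on cleartext HTTP as the WEB_CAT thread describes it.
    "1357666100.000 5 192.168.244.7 TCP_DENIED/403 0 GET http://www.mydrive.ch/ - NONE/- - "
    f"BLOCK_WEBCAT-GuestPolicy-NONE-NONE-NONE-NONE-NONE {SCORECARD} - s-ip= - s-port= 80 "
    "webcat-code= - cs-version= 1 c-port= 51000 cs-bytes= 300 cs-user-agent= - cs-cookie= -",
]

# timestamp elapsed client result/status bytes method url ident hierarchy mime tag <scorecard> ua key=value...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d+) "
    r"(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) (?P<ident>\S+) (?P<hier>\S+) (?P<mime>\S+) "
    r"(?P<tag>\S+) <(?P<scorecard>[^>]*)> (?P<suspect>\S+)(?P<extra>.*)$"
)
KV_RE = re.compile(r'([\w-]+)= ("[^"]*"|\S+)')  # trailing 'name= value' pairs, values may be quoted

POLICY_BY_TAG = {  # decision-tag prefix -> policy named in the threads above
    "DROP_WEBCAT": "decryption policy, URL category",
    "BLOCK_WEBCAT": "access policy, URL category",
    "BLOCK_ADMIN": "access policy",
}


def parse_line(line):
    """Split one access-log line into named fields; the trailing pairs become a dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised access-log line: " + line[:60])
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["extra"] = {k: v.strip('"') for k, v in KV_RE.findall(rec["extra"])}
    return rec


def triage(line):
    """What the proxy could see for this transaction, and which policy decided it."""
    rec = parse_line(line)
    if rec["method"] == "TCP_CONNECT" and rec["result"] == "NONE_SSL":
        visibility = "tunnel not decrypted: destination IP:port only"
    elif rec["url"].startswith("https://"):
        visibility = "decrypted HTTPS: full URL visible"
    else:
        visibility = "cleartext HTTP: full URL visible"
    verdict = rec["tag"].split("-", 1)[0]
    policy = next((p for prefix, p in POLICY_BY_TAG.items() if verdict.startswith(prefix)), "-")
    return {
        "client": rec["client"],
        "dest": rec["url"],
        "visibility": visibility,
        "blocked": rec["result"].startswith("TCP_DENIED") or rec["status"] == 403,
        "policy": policy,
        "client_port": rec["extra"].get("c-port", "-"),
    }


def triage_all(lines):
    """Triage every line; one dict per transaction."""
    return [triage(line) for line in lines]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_LINES):
        print(row)
```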

  • ACE: new sticky cookie inserted for different URL?

    I have sticky cookies set (cookie insert) and http persistence rebalance on. The virtual server is made of a group of three real http servers.
    The DNS name of the virtual server is for example "vhost.domain.com".
    If I browse (from the internal network) to "http://vhost/" my session is stuck to a real server using cookie stickiness. My question is, when I click a link which is fully qualified, e.g. "http://vhost.domain.com/newpage.html", is stickiness maintained, or, as the HTTP header has changed, is it seen as a new session and potentially sending me to a different real server?

    ACE doesn't care about the url.
    It will simply look for the presence of the cookie.
    If the cookie is there, you will stick to the same rserver.
    If not, this is considered a new connection and the request is loadbalanced.
    So, it all depends on whether your browser considers vhost and vhost.domain.com the same, because the cookie is associated with a domain.
    Normally it should consider them the same.
    Gilles.
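
    An added example (Python written for this page, not CSS or ACE code and not from any of the posters): a model of cookie stickiness as a balancer applies it, serving the opening thread's cookie-persistence question, Gary's captured ASPSESSIONID cookie and Gilles' answer above. Server names, the cookie name ACE_STICKY and the request text are constructed; browser_sends_cookie applies RFC 6265 cookie scoping to Gilles' point that the browser decides whether the cookie accompanies a request to a different hostname.

```python
"""Cookie stickiness as a load balancer sees it (constructed model, not CSS/ACE code)."""
import itertools
import secrets

# Constructed request modelled on the capture in Gary's post. The balancer only
# needs the Cookie header; the real server's port (7777 or otherwise) belongs to
# the server entry and never enters the match.
RAW_REQUEST = (
    "GET /XXXXX/Includes/style.asp HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Host: xxxx.xxxxx.xxxxx\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: ASPSESSIONIDQCBCDSCR=AEHBCJEDDGMMCCBHBICLELGD\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.x request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def cookies_of(headers):
    """Parse the Cookie header into a name -> value dict."""
    jar = {}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


class StickyBalancer:
    """Maps a sticky cookie value to the real server that owns the session.

    insert=True  : the balancer issues its own opaque cookie (cookie-insert style).
    insert=False : the balancer learns the application's own session cookie from
                   the server's Set-Cookie (learned-cookie style, Gary's ASP case).
    """

    def __init__(self, cookie_name, servers, insert):
        self.cookie_name = cookie_name
        self.insert = insert
        self._next_server = itertools.cycle(servers)  # round robin for new sessions
        self.table = {}  # cookie value -> real server

    def route(self, raw_request):
        """Return (server, set_cookie_header_or_None) for one request."""
        _method, _target, headers = parse_request(raw_request)  # the path is not consulted
        value = cookies_of(headers).get(self.cookie_name)
        if value is not None and value in self.table:
            return self.table[value], None  # known cookie: stick to the same server
        server = next(self._next_server)  # no usable cookie: load balance
        if not self.insert:
            return server, None  # learn mode waits for the server's own Set-Cookie
        # Insert mode: a random token, so the cookie does not reveal the server address.
        token = secrets.token_hex(8)
        self.table[token] = server
        return server, f"{self.cookie_name}={token}; Path=/"

    def observe_response(self, server, set_cookie_header):
        """Learn mode: record the session cookie a real server just issued."""
        name, sep, rest = set_cookie_header.partition("=")
        if sep and name.strip() == self.cookie_name:
            self.table[rest.split(";", 1)[0].strip()] = server


def browser_sends_cookie(setting_host, domain_attr, request_host):
    """RFC 6265 scoping: a cookie set without a Domain attribute is host-only and is
    returned only to the exact host that set it; with Domain=d it is also sent to
    subdomains of d. This is what decides the vhost vs vhost.domain.com question."""
    request_host = request_host.lower()
    if domain_attr is None:
        return request_host == setting_host.lower()
    domain = domain_attr.lower().lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)
```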

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers one is DC & other one is as a DR I have  requirement of guest access service implementation using CWA and get public certificate for HTTPS to avoid certificate error on client devices :
    how do i deploy ISE persona for HA in this two data centers
    After reading the Cisco doc, I understood that we can have two PANs (Primary in DC & Secondary in DR), likewise for MnT (Monitoring will be the same as PAN); however, I can have 5 PSNs running in the secondary, i.e. in the DR ISE. However, I have confusion about HA for PSN: since we have all PSNs in the secondary, it would not work for HA if it fails.
    Can anybody suggest me the best deployment solution for this scenario ?
    Another doubt about public certificate :
    Public Certificate: The ISE domain must be a registered domain name or part of a registered domain name on the Internet. For that I need the domain name being used by the customer.
    Please do correct me if I am wrong about certificate understanding :
    since Guest will be the outside users , we can not use certificate from internal CA , we need to get the certificate from service provider and install the same in both the ISE servers
    Can anybody explain the procedure to opt the public certificate for HTTPS from service provider ? And how do i install it in both the ISE servers ?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not the least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA, but any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue, and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE Guest Portal only redirect HTTPS traffic.

    I have a wireless deployment consisting of the following:
    5760 WLC & ISE 1.2
    Am I missing something here?
    I have 4 similar deployments, and never had these issues:
    On Android / Apple devices, the guest portal does not pop up automatically &
    On a Windows Laptop only https traffic directs to the guest portal.
    Thanx

    I think you need to recheck the configuration; also check the link for a step by step config:
    http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

  • Please shed some light on Chunked Transfer Coding for HTTP 1.1?

    I am writing an HTTP proxy in Java, but I have a problem. I am writing an HTTP 1.0 proxy. As you probably know, HTTP 1.0 determines the length of the message body using Content-Length, and HTTP 1.1 servers are supposed to send a Content-Length header to HTTP 1.0 clients. However, several sites like Myspace are very buggy and do not do this. Could someone explain what the Chunked Transfer Coding is for HTTP 1.1? I read the documentation here http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.6 but it's all greek to me :(. Can anybody give me code/hints on how to deal with this?
    Thanks in advance.
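
    An added Python example (my own, not the asker's proxy): a decoder for the chunked transfer coding the question asks about, plus the rewrite an HTTP/1.0 proxy needs, which is to de-chunk the body and send a Content-Length instead. The sample stream is constructed.

```python
"""De-chunk an HTTP/1.1 message body (RFC 2616 section 3.6.1) so that an HTTP/1.0
client, which only understands Content-Length, can be given the whole body."""


class ChunkedError(ValueError):
    """Malformed or truncated chunked stream; a proxy should drop the connection."""


def decode_chunked(data: bytes):
    """Return (body, trailers, bytes_consumed) from a chunked-encoded byte string.

    Wire format: hex-size[;extension] CRLF, size bytes of data, CRLF, repeated;
    a chunk of size 0 ends the body; optional trailer headers; a final empty line.
    """
    pos = 0
    body = bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("incomplete chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # chunk-extension is ignored
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedError(f"bad chunk size {size_field!r}") from None
        pos = eol + 2
        if size == 0:
            break  # last-chunk
        end = pos + size
        if data[end:end + 2] != b"\r\n":  # also catches a truncated stream
            raise ChunkedError("chunk data not followed by CRLF")
        body += data[pos:end]
        pos = end + 2
    trailers = {}
    while True:  # trailer section, terminated by an empty line
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("incomplete trailer section")
        line, pos = data[pos:eol], eol + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ChunkedError("malformed trailer line")
        trailers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return bytes(body), trailers, pos


def dechunk_response(head: bytes, chunked_body: bytes) -> bytes:
    """Rewrite a chunked response for an HTTP/1.0 client.

    Transfer-Encoding and any Content-Length the server sent are dropped and a
    fresh Content-Length is computed from the decoded body: forwarding a message
    that carries both headers is how request/response smuggling starts.
    """
    status_line, *header_lines = head.rstrip(b"\r\n").split(b"\r\n")
    kept = [
        h for h in header_lines
        if not h.lower().startswith((b"transfer-encoding:", b"content-length:"))
    ]
    body, trailers, _ = decode_chunked(chunked_body)
    kept.append(b"Content-Length: " + str(len(body)).encode("ascii"))
    for name, value in trailers.items():  # trailers become ordinary headers
        kept.append(name.encode("latin-1") + b": " + value.encode("latin-1"))
    return b"\r\n".join([status_line, *kept]) + b"\r\n\r\n" + body


# Constructed sample: three chunks (one with an extension) and a trailer header.
SAMPLE_STREAM = (
    b"4\r\nWiki\r\n5\r\npedia\r\nE;ext=1\r\n in\r\n\r\nchunks.\r\n"
    b"0\r\nX-Checksum: abc\r\n\r\n"
)
```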

    Hi, Toshi:
    Most of these chat boards have become quite boring. Troubleshooting OSPF LSA problems is old news. But I do pop my head in every now and then. Also, there are so many other companies out there doing exciting things in the data center. You have Dell, Brocade, Arista, Juniper, etc. So one runs the risk of developing a myopic view of the world of IT by lingering around this board for too long.
    If you want to use the new B22 FEX for the HP c7000 blade chassis, you certainly can. That means the Nexus will receive the FCoE traffic and leverage its FCF functionality; either separate the Ethernet and FC traffic there, or create a VE-port instantiation with another FCF for multihop deployments. Good luck fighting the SAN team with that one! Another aspect of using the HP B22 is the fact that the FEX is largely plug and play, so you don't have to manage the Flex Fabric switches.
    HTH
