CSG C5(14) alters HTTP traffic if http accounting is enabled

Similar Messages

• Is it possible to redirect https traffic to http in CSM?

  Hello,
  I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
  In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
  BTW I have already tried it on the CSM and it is not working. Everytime I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
  Thanks for any help offered.
  Murtaza

  I don't have a config in hands for this.
  I have done it before and know this is feasible.
  The redirect is here :
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
  Just change the vip to be only accessible by the SSLM.
  Create the appropriate redirect vserver.
  On the SSLM, send the decrypted traffic to the vip address and port.
  Just as if the Vip was a server.
  Gilles.

• WSA blocking HTTPS traffic -allowing HTTP

  We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers.  The local network design is as follows:
  WLC5508 (Foreign)     >>     WLC5508 (Anchor)     >>     ACE20 Context     >>     WSA 170     >>     FWSM     >>     Internet
  Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
  Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
  ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
  HTTP traffic works fine, HTTPS traffic fails.  The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiates to use TLSv1 then the error below is shown.
  Fails
  57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
  1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
  1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
  I have seen this error posted before but no resolution.  I'm sure this is a config problem, but cannot figure why or where!
  Any ideas, thoughts or help would be great...
  Cheers

  Hi axa,
  This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled which would be required since your not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
  Sincerely,
  Erik Kaiser
  WSA CSE
  WSA Cisco Forums Moderator
  Message was edited by: Erik Kaiser

• Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

  -- Requirement --
  I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
  The web server instance has two listen sockets, 80 and 443.
  The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
  HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
  -- Current set-up --
  The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
  How can I constrain the reverse proxying to HTTPS traffic?
  Thanks for your help,
  Jez

  Thanks Chris that worked perfectly.
  Aside
  Before your solution I had (unsuccessfully) tried the following obj.conf directive
  <Client security="false">
  NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
  </Client>However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

• Redirect HTTPS traffic to HTTP in Tomcat

  Hi,
  We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
  We have succesfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS in internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
  The problem is that same connection do not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests in port 8080.
  I have seen that Tomcat allows automatic redirections from HTTP to HTTPS ( using redirecPort parameter in HTTP connector definition ).
  But is it possible the opposite, to switch automatically HTTPS to HTTP ?
  Regards,
  Joan

  Hi,
  At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
  So no redirections are needed and the question is solved.
  Thanks,
  Joan

• Cisco ASA rely HTTP port to HTTPS without using CNAME DNS-record

  Hi all,
  could anyone tell me Is it possible to configure ASA so when customer rely http://domain.com Cisco ASA rely to https://domain.com (it's similar with CName function of domain record).
  P.S. resource of domain.com located behind ASA and DNS A-record rely on public ASA ip address
  Thank you.

  What version ASA are you running?
  If the server has both static public and private IPs you could use NAT to redirect HTTP traffic to HTTPS based on IP.
  object network PUBLIC_IP
    host 1.1.1.1
  object network REAL_IP
    host 2.2.2.2
    nat (inside,outside) static PUBLIC_IP http https
  Keep in mind that you will also need a NAT statement that maintains https to the server.
  Please remember to select a correct answer and rate helpful posts

• ISE Guest Portal only redirect HTTPS traffic.

  I have a wireless deployment consisting of the following:
  5760 WLC & ISE 1.2
  Am I missing something here
  I have 4 similar deployments, and never had these issues:
  On Android / Apple devices, the guest portal does not pop up automatically &
  On a Windows Laptop only https traffic directs to the guest portal.
  Thanx

  i think you need to recheck the configuration also check the link for step by step config
  http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

• Redirect all traffic to http

  Hello,
  I'm running Server 3.1.2 on OSX10.9, I was wondering if there was a way to send all traffic to http versions of webpages and not allow https? 
  I'm working at a school and our current content filter only works with http and doesn't filter https. 
  Sorry if I'm not clear, I'm new at this whole sysadmin thing.

  Hi,
  You can do that with .htaccess  or php
  Here a link https://sites.google.com/site/onlyvalidation/page/301-redirect-https-to-http-on- apache-server
  A+

• Can a WLC redirect HTTPS traffic in a CWA environment

  Hi Guys.
  Regarding with ISE, CWA and WLC, I 'm seeing that when you connect to the SSID and open your navigator, if the URL is an HTTPS URL the traffic is not redirected to the ISE Portal using CWA. I though that the WebAuth Proxy Redirection Port option of the WLC only works when It has the portal (LWA) but not in CWA.
  I only found information about the redirection of the traffic when is a HTTP connection (port 80).
  Is it possible to redirect HTTPS traffic in a CWA deployment??, most of my users use Google Chrome and, in some scenarios, any search using Gooogle is in HTTPS mode and the captive portal is not shown.
  Thanks.
  Best regards.

  No, the WLC is not able to redirect HTTPS pages.
  You can however add other ports(other than 80) that can be redirected incase of proxy etc.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• How to redirect https traffic to captive portal?

  Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
  This is unusual scenario wherein clients have a default homepage to https://www.google.com (sample only)
  Typical http web redirection don't have any problem at all. When you open your browser and type http://www.google.com it will redirect to captive portal without any problem.
  Is there any way to redirect https traffic to captive portal as well?

  redirection only happen on http traffic, a feature request has been issued to have the redirection happen on https.
  please check the following
  CSCar04580
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
  Please make sure to rate correct answers

• Http Traffic Slow/Broken, ping fine

  Hello,
  I am writing because as of this morning all http traffic on my network has went to a snails pace.  However, pings of all types work at normal speed, but fail approximately 5% of the time(Independent of pinging internal address or external).
  I have a very basic setup, i do not really have any custom configures on anything. The only wifi authentication at the moment is WPA2-PSK.  I have this network set up as a test bed for a new setup, its a good thing too because it is unusuable in its current state.
  Network Setup:
  3 3502i AP - Setup in Hreap mode - Connected to PoE Switch
  1 2106 WLAN Controller - Connected to 2960
  2960s Switch
  Dell Layer 2 PoE Switch
  Thanks!
  Seth

  Since you are using HREAP, I'd sniff the AP port.  Make sure the traffic is flowing in both direcitons there before going further.  You should also make sure to prune the VLAN that are not needed on the AP.
  Also, make sure your ports are full duplex and not at half.

• QoS value for http traffic from IP Phone

  Since the phone marks all voice with COS 5 and data traffic with COS 0. Does this also include traffic sourced from the IP Phone http? request when doing Directory Lookups, IP Phone Services.
  Thanks!

  With 4.1 and up (not sure if 4.0 had this), this traffic is marked with TOS 3 or DSCP CS3 (24). You can modify this enterprise parameter to what ever you want.
  DSCP for SCCP Phone-based Services :
  This parameter specifies the Differentiated Service Code Point (DSCP) IP classification for IP phone services on SCCP-based phones, including any HTTP traffic. Note: You must restart SCCP-based phones for this parameter change to take effect.
  This is a required field.
  Default: default DSCP (000000).
  Restart SCCP-based phones for the parameter change to take effect.
  HTH
  Sankar
  PS: please remember to rate posts!

• Intercepting all http traffic and forwarding to VIP on CSM?

  We would like to intercept all http traffic from clients from all vlans and redirect them to a VIP on the CSM for loadbalancing to 2 proxy servers. Is this possible? I can't seem to find a solution similar to our issue? Please help thanks!

  Thx Giles! Do you mean a policy that uses route-maps with next-hop? So would I point the next-hop address to the CSM client vlan IP? Do you have a support link that covers this in detail? Thx!

• Encapsulate ODBC traffice over HTTP???

  Does anyone know if it's possible to have an external client (in the internet) make an ODBC connection to a database that is behind a firewall which only allows HTTP traffic to pass through? I guess the question is, Is is possible to encapsulate ODBC traffic over the HTTP protocol so that it can pass through the firewall?
  Thanks in advance,
  John Sebastian

  Probably not easily, no.
  If the firewall allows arbitrary traffic on port 80, you could configure the Oracle database to accept connections on that port and configure the tnsnames.ora on the client machine to use port 80. This wouldn't go through HTTP, so if the firewall is actually analyzing the traffic, you'd be out of luck, but it would work if the port is wide open. Of course, it is a terrible idea from a security perspective-- opening up databases to connections over the internet is a recipe for pain and suffering.
  It is certainly possible to write an ODBC to HTTP proxy that converts an ODBC call into some sort of web service call and then write an HTTP to ODBC proxy that lives inside the firewall that translates the HTTP calls back into ODBC calls, but that is likely to be very slow. And a lot of code-- I'm not aware of any commercial utilities that do that sort of thing.
  Generally, the proper way to do something like this is to use Oracle Connection Manager (or something similar that is baked in to certain firewall products) to proxy the Oracle connection through the firewall. But that requires changing the firewall setup and/or installing additional software.
  Justin

• Force http traffic to specific interface

  Just setup a 2801 router. We have a Serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rultes that always enable http. Do I need to disable the http server to get this access list to work or is there an easier way to force web traffic to a specific interface?
  Thanks in advance.

  I setup the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
  Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
  FE 0/0 goes to our fw, then to lan
  FE 0/1 goes to DSL
  S 0/2/0 goes to T1
  Here is my config:
  router#show run
  Building configuration...
  Current configuration : 4506 bytes
  ! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
  ! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
  version 12.4
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  boot-start-marker
  boot system flash c2801-ipbasek9-mz.124-8.bin
  boot-end-marker
  security authentication failure rate 3 log
  security passwords min-length 6
  logging buffered 51200 debugging
  logging console critical
  enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
  no aaa new-model
  resource policy
  clock timezone MDT -7
  clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
  no ip source-route
  ip cef
  ip tcp synwait-time 10
  no ip bootp server
  ip name-server 198.60.22.2
  ip name-server 198.60.22.22
  username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
  interface FastEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
  ip address 199.104.124.210 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip route-cache flow
  duplex auto
  speed auto
  no mop enabled
  interface FastEthernet0/1
  description $FW_OUTSIDE$$ETH-LAN$
  ip address 192.168.2.2 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip route-cache flow
  ip policy route-map toDSL
  duplex auto
  speed auto
  no mop enabled
  interface FastEthernet0/1/0
  interface FastEthernet0/1/1
  interface FastEthernet0/1/2
  interface FastEthernet0/1/3
  interface Serial0/2/0
  ip address 204.228.133.46 255.255.255.252
  interface Vlan1
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip flow egress
  ip route-cache flow
  ip route 0.0.0.0 0.0.0.0 204.228.133.45
  ip route 192.168.2.0 255.255.255.0 192.168.2.1
  no ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  logging trap debugging
  access-list 111 permit tcp any any eq www
  no cdp run
  route-map toDSL permit 1
  match ip address 111
  set ip next-hop 192.168.2.1
  control-plane
  banner login ^CAuthorized access only!
  Disconnect IMMEDIATELY if you are not an authorized user!^C
  line con 0
  login local
  transport output telnet
  line aux 0
  login local
  transport output telnet
  line vty 0 4
  exec-timeout 30 0
  privilege level 15
  login local
  transport input ssh
  transport output ssh
  line vty 5 15
  access-class 102 in
  privilege level 15
  login local
  transport input ssh
  scheduler allocate 20000 1000
  ntp clock-period 17178101
  ntp update-calendar
  ntp server 198.60.22.240 source Serial0/2/0
  end