Dropbox and HTTPS inspection

Greetings, community!
We are having trouble with the Dropbox application connecting to their servers through our TMG server array.
HTTPS-Inspection is enabled.
So, the error in the logs is:
Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 0x80090325
Rule: Allow Web Access for All Users
Source: Internal (10.0.128.15:53328)
Destination: External (108.160.165.11:443)
Request: client60.dropbox.com:443
Filter information: Req ID: 0ab2df8b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: anonymous
Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
I tried to:
1. Disable HTTPS-Inspection for *.dropbox.com destination
2. Enable direct access to *.dropbox.com
Same trouble.
Has anyone seen the same problem?

Hi,
are your clients configured as Web proxy clients (TMG proxy specified in the browser)?
Dropbox may not use the proxy settings from your browser.
Please try to set the proxy on the client with NETSH WINHTTP SET PROXY.
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570

Similar Messages

  • HTTPS Inspection and MAC OS X Clients

    Hi together,
    we want to enable HTTPS Inspection at our TMG Cluster... but the counterpart is that Mac OS X clients won't be able to connect to SSL sites after we activate it.
    So I am aware of this blog post
    http://blogs.technet.com/b/isablog/archive/2012/04/20/mac-os-clients-fail-to-access-ssl-websites-after-you-enable-https-inspection-in-forefront-tmg-2010.aspx
    We had a certificate generated by our own internal CA, generated as described in this blog post
    http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx
    After we faced the problems with OS X we didn't do more research and renewed the certificate with the options of the second blog post, but as a Windows Server 2008 CA cert.
    But still, Mac OS X (Safari) can't reach HTTPS sites; Firefox on Mac OS X works fine.
    I've downloaded the certificates to check if it is ASCII or Unicode... here are the results:
    Aussteller:
    CN=TMG HTTPS CNG Inspection
    [0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 40 (40/64 Zeichen)
    2.5.4.3 Allgemeiner Name (CN)="TMG HTTPS CNG Inspection"
    Antragsteller:
    CN=*.facebook.com
    O=Facebook, Inc.
    L=Menlo Park
    S=CA
    C=US
    [0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/2 Zeichen)
    2.5.4.6 Land/Region (C)="US"
    55 53 US
    55 00 53 00 U.S.
    [1,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/128 Zeichen)
    2.5.4.8 Bundesland oder Kanton (S)="CA"
    43 41 CA
    43 00 41 00 C.A.
    [2,0]: CERT_RDN_PRINTABLE_STRING, Länge = 10 (10/128 Zeichen)
    2.5.4.7 Ort (L)="Menlo Park"
    4d 65 6e 6c 6f 20 50 61 72 6b Menlo Park
    4d 00 65 00 6e 00 6c 00 6f 00 20 00 50 00 61 00 M.e.n.l.o. .P.a.
    72 00 6b 00 r.k.
    [3,0]: CERT_RDN_PRINTABLE_STRING, Länge = 14 (14/64 Zeichen)
    2.5.4.10 Organisation (O)="Facebook, Inc."
    46 61 63 65 62 6f 6f 6b 2c 20 49 6e 63 2e Facebook, Inc.
    46 00 61 00 63 00 65 00 62 00 6f 00 6f 00 6b 00 F.a.c.e.b.o.o.k.
    2c 00 20 00 49 00 6e 00 63 00 2e 00 ,. .I.n.c...
    [4,0]: CERT_RDN_UTF8_STRING, Länge = 14 (14/64 Zeichen)
    2.5.4.3 Allgemeiner Name (CN)="*.facebook.com"
    So I think the problem is the last one, while this is still issued as UTF8... but why? Shouldn't this also be a printable/ASCII one? How can I fix it?
    The template which generated the TMG Certificate has the following settings:
    General
    Validity: 10 Years
    Renewal period: 2 Years
    Issuance Requirements
    Suspended Templates
    Extensions
    Application Policies: Code Signing (Codesignatur), Private Key Archival (Archivierung des privaten Schlüssels), Server Authentication (Serverauthentifizierung)
    Basic Constraints: everything is checked
    Certificate Template Information: -
    Key Usage: Digital signature, Signature is proof of origin (nonrepudiation), Certificate signing, CRL signing, Make this Extension critical
    Do you have any ideas why I still get UTF8 subjects?
    Thanks for your help in advance

    Hi Vasu,
    isn't this needed to issue a CNG certificate (
    http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx ) ?
    I'll give it a try and give you a status update.
    Regards
    edit
    so while it isn't possible to use sha256, I am unable to issue CNG certificates after using a 2003 based CA template. So this can't be a solution....
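
The certutil dump in the first post of this thread reports every subject attribute as CERT_RDN_PRINTABLE_STRING except the wildcard CN. As an added example (not code from the thread, the linked blog posts or TMG), the following Python reads the ASN.1 string type of each attribute in a DER-encoded Name and shows that `*` lies outside the PrintableString alphabet. The sample subject is constructed, and the encoder's rule "PrintableString when the value fits, otherwise UTF8String" is an assumption used only to build that sample.

```python
# Added example with constructed data; nothing here comes from the thread's certificates.
# PrintableString alphabet as defined by X.680: note that '*', '@', '_' and '&' are absent.
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
        0x16: "IA5String", 0x1E: "BMPString"}
OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "S", "2.5.4.10": "O"}


def fits_printable(value):
    """True if every character is allowed in an ASN.1 PrintableString."""
    return all(ch in PRINTABLE for ch in value)


def tlv(tag, body):
    """DER tag-length-value with short or long form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def encode_name(attrs):
    """Build a DER Name; assumption: PrintableString when it fits, else UTF8String."""
    rdns = b""
    for oid, value in attrs:
        arcs = [int(a) for a in oid.split(".")]
        # All arcs used here are < 128, so each fits in one byte.
        oid_der = tlv(0x06, bytes([arcs[0] * 40 + arcs[1]] + arcs[2:]))
        tag = 0x13 if fits_printable(value) else 0x0C
        rdns += tlv(0x31, tlv(0x30, oid_der + tlv(tag, value.encode("utf-8"))))
    return tlv(0x30, rdns)


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def subject_string_types(name_der):
    """List (attribute, ASN.1 string type, value) for each attribute of a DER Name."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = read_tlv(rdn_set, inner)
            _, oid_body, after_oid = read_tlv(atv, 0)
            str_tag, str_body, _ = read_tlv(atv, after_oid)
            oid = ".".join(str(a) for a in
                           [oid_body[0] // 40, oid_body[0] % 40, *oid_body[1:]])
            out.append((OIDS.get(oid, oid), TAGS.get(str_tag, hex(str_tag)),
                        str_body.decode("utf-8", "replace")))
    return out


# Constructed subject shaped like the one in the dump (placeholder names).
SAMPLE = encode_name([("2.5.4.6", "US"), ("2.5.4.8", "CA"), ("2.5.4.7", "Example City"),
                      ("2.5.4.10", "Example Org, Inc."), ("2.5.4.3", "*.example.test")])

if __name__ == "__main__":
    for attr, kind, value in subject_string_types(SAMPLE):
        print(f"{attr:<3}{kind:<16}{value}")
```

To check a real certificate, pass the DER bytes of its subject Name to `subject_string_types`; locating that field inside a full certificate is outside what this example covers.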

  • Dropbox and KDE

    Hi,
    I worked with Dropbox in KDE 4.7 and everything works fine. But after upgrade to KDE 4.8, there are problems.
    At first, when Dropbox starts after log in, its status is still "Conecting..." - if I quit dropbox and start it again, it is ok.
    When I want to copy some file to Dropbox directory and create public URL, error message "kde4-config not found" occurs, but I have it in /usr/bin/kde4-config.
    I found that it could be problem with sqlite3-tools, but in Archlinux there is no sqlite3-tools but only sqlite3 and I have it.
    Dropbox 1.2.51
    KDE 4.8.00
    Any advice?
    Last edited by xsigik (2012-02-02 13:37:38)

    Do you have an @ before network in your daemons array in rc.conf? If so, try removing the @.
    Did you try renaming the ~/.dropbox folder (of course this would delete all your preferences) and ~/.dropbox-dist, and reinstalling it?
    If that's not gonna work, the only thing is writing a workaround, like those people:
    https://bbs.archlinux.org/viewtopic.php?id=129678
    Fixing Dropbox startup issues
    Seems that many other people on various distributions have the same problem.

  • After a reinstall of Mac OSX 10.6.8 on my iMac, several directories were "locked" and unavailable. Can someone tell me how to unlock my Downloads, Google Plus, Dropbox and movies? Thanks!

    After a reinstall of Mac OSX 10.6.8 on my iMac, several directories were "locked" and unavailable to me. Can someone tell me how to unlock my Downloads, Google Drive, Dropbox and movies?
    Thanks for your help!

    Try to change the permission, take a look at this link, http://support.apple.com/kb/ht2963
    Also this link, http://osxdaily.com/2011/02/21/change-file-permissions-mac/

  • Default HTTP inspection map

    Hi guys.
    When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
    It's used here as an example in the documentation:
    From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
    However I cannot actually see anywhere what these Default settings are.
    For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
    I cannot find any reference to these.
    If anyone can help that would be great.
    Thanks.
    Mike

    I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
    (Very very few people actually use the built-in http inspection and instead use either a 3rd party solution like WebSense URL filtering or a Proxy server like WSA or BlueCoat or else use the ASA CSC module or NGFX CX module with AVC and WSE.)
    See the following screenshot for what I was talking about in my first paragraph:

  • CSW: Filtered Google Images still appearing with HTTPS Inspect configured

    Hi,
    I'm currently testing https Inspect to close a hole in the Google Images search.
    I was under the impression that https inspect would not display any images that are in a blocked category.
    I have a CSW created certificate installed on the PC I'm testing on which I see as being accepted.  If I delete the cert from the PC, then I can't get to google (via https) as the cert is not accepted.
    However, with the cert running on the PC, images are not being filtered within a Google search.  It's not practical for us to change to a "safesearch on" policy and was under the impression that https inspect would indeed filter the images, but it's not.  I've tested on some images that they are blocked as if I click the "visit site" or "view image" links, then I get the blocked page.
    Any help is very appreciated.
    Thanks
    Craig

    Thanks for the answer, but that's crazy, it didn't used to be like that before Google forced https on everyone.
    I can't see how safe search can be enforced?  I know it can be done at DNS, but that doesn't help our field users who connect to their own/public wifi.  Even when they are VPN'd, we use split tunnelling so that won't work either.
    Seems a real limitation of CWS that you cannot simply manipulate URLs or make custom suffixes?  Or can you?
    Our contract is up later this year and with all the issues we've had lately combined with it not being a very powerful solution, I suspect we'll be looking elsewhere.

  • Configuring WCCP for http and https

    How do I configure wccp on a 6509 to redirect http and https traffic to a S650? I am using the following config and http is working fine:
    ip wccp version 2
    ip wccp web-cache redirect-list aclwccp
    interface Vlan23
    description Rede Firewall
    ip address 10.0.23.20 255.255.255.0
    ip access-group 172 out
    ip wccp web-cache redirect out
    mls rp vtp-domain coc_block1
    mls rp ip
    mls netflow sampling
    end
    Should I configure another service for the https protocol?

    Cecato,
    The WSA can be configured to send 80 and 443 traffic, in the WCCP settings area (5.2.0+). There are some things you will need to be aware of before doing this though:
    1. If you are on 5.2.0-x, you will not be able to inspect HTTPS traffic. Only version 5.5.0+ has the ability to decrypt HTTPS traffic. Because of this, it is not recommended to redirect port 443 on WSA version 5.2.
    2. You will most likely need to specify a service ID other than web-cache. On most Cisco devices, web-cache is reserved for port 80 traffic only and cannot be changed. Any other service ID will work as you want it to.

  • HTTP Inspection Cisco PIX 525

    I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
    My regex is:    regex HACKBLOCK "*/admin/.*\.jsp*"
    My class-maps are: 
    class-map type regex match-any HACKBLOCK_METHOD
    match regex GET
    class-map XXXXTWBLOCK
    match access-list HACKBLOCK_HOSTS
    class-map type regex match-any HACKBLOCK_URL
    match regex HACKBLOCK
    class-map type inspect http match-all HACKBLOCK_FILTER
    match request uri regex class HACKBLOCK_URL
    class-map inspection_default
    match default-inspection-traffic
    My policy-maps are:
    policy-map type inspect http HACKBLOCK_HTTP
    parameters
    class HACKBLOCK_FILTER
      log
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect dns
      inspect h323 ras
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    policy-map OUTSIDE
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    class class-default
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 1200
    As you can see, I added the inspection rule to a separate class named ENPROTWBLOCK.  This matches traffic based on destination of our class C.  I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
    #sh service-pol inspec http
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
        Class-map: XXXXTWBLOCK
          Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
            protocol violations
              packet 34206
            class HACKBLOCK_FILTER
              log, packet 0
    enp-amer-clt-pix525-a#
    I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
    Any idea what's going on here and why I am not matching the HTTP URIs?
    Thanks,
    Matthias  CCIE# 28445

    I get hits on the ACL.  The issue is that the HTTP inspection does not seem to function.  Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface, right?
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20

  • Ipad use of dropbox and fonts

    I just upgraded the new operating system for my iPad.  I have then prepared a Word document on my MacBook and transferred it to Dropbox so I can use it on my iPad later.  The font has defaulted to Times Roman instead of the Futura I did it in.  Does the new operating system have specific fonts that will transfer to Dropbox and be read the same on the iPad?

    Is Sonic Wall an authenticated proxy?
    If so, say goodbye to most apps; many apps either fail silently on connecting or even crash behind authenticated proxies, even when the authentication details are supplied in the wireless config.
    I have iPads behind a smoothwall proxy (non-auth) and we have a proxy.pac file on our management server.
    This proxy.pac (http://ipad/proxy.pac - set in Auto ) directs all iPad traffic to the smoothwall proxy, rather than our default auth proxy.
    Smoothwall can insert the authentication, and then direct it to your Sonic Wall.

  • I'm having a problem with the application Dropbox and I want to uninstall it. In Finder it does not allow me to move it to trash, telling me the Dropbox application is open. How do I close it when it shows up nowhere as an open application?

    I'm having a problem with the application Dropbox and I want to uninstall it. In Finder it does not allow me to move it to trash, telling me the Dropbox application is open. How do I close it when it shows up nowhere as an open application?

    Is there a DropBox icon up in the menubar you can click on & see quit DropBox?
    https://www.dropbox.com/help/41

  • Toying with https inspection. Do access lists now have to be in decryption policies?

    Hello,
    I am toying with https inspection.  I am wondering now with the WCCP redirect from the firewall for https on two of our test IP's (before rolling it in production), if I need to basically duplicate all of my Access Policies on the Decrypt Policies.  Is Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?
    Let's say you want facebook blocked.  In Access Policies it is blocked by default, unless you fall into an upper category like AD group Management for example.  Well facebook has both an http and an https (now increasingly more common) site.  So could they just circumvent this block by typing in https?  They can do that now (since we're not inspecting https), but we want to put a stop to that.
    I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine.  We don't even get redirected to our server hosting the "you are blocked" page.

    Ok so it's fine to have a global decryption policy that has everything set to monitor, and just continue to let the access policy do all the work?
    At least if you "hit" on an access policy, the WLC forwards us to our customized block page.  In decryption policy if you hit drop, quite understandably so you just get a page cannot be displayed (since it is dropped of course).
    When would the "decrypt" option be a good idea?

  • Disable http inspection in global_policy FWSM

    I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
    Looking into the config on the FWSM I see that under the global_policy we are inspecting http
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
    I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?
    Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?
    I don't really understand what the inspection engine does?

    Well,
    I removed the http inspection and it broke all inbound and outbound web services!
    Then I discovered this
    url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
    filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
    This web-sense server is down and no longer used.
    But am I correct to assume that the presence of this config caused a problem as all http was trying to go via the Websense but with the http inspection enabled it is able to go out direct?
    I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
    Thanks
    Roger

  • CSM 3.3.0, FWSM 4.0(6), HTTP Inspection

    Hi,
    I have a firewall module (FWSM), version 4.0(6), which is managed with CSM (3.3.0). There is a problem with regular expression configuration with CSM. HTTP Inspection with regular expressions is configured with ASDM successfully, but this configuration is not deployed with CSM on FWSM. It seems CSM does not support regular expressions for FWSM. The following picture shows that CSM supports HTTP advanced inspection configuration only for ASA 7.2 and PIX 7.2. I need to know: does CSM 4.0 have this limitation, or is there any solution for this CSM version?

    Here is the guide for Flex configs http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html
    There is no predefined flex config for the http inspection. But you can create a new Flex config that has the commands
    regex ...
    class-map type inspect http
    match header host regex ...
    The Flex config in CSM will be deploying the commands as if you were doing it with CLI.
    I hope it makes sense.
    PK

  • Dropbox and iPad mini

    I have Dropbox, and once it worked fine with the iPad mini.
    The Dropbox account still works BUT it won't open on the iPad. In fact, on searching for it, it cannot be located on the iPad, but when I go to the Apple store it says I have it but won't open it.
    I have closed all other apps.
    I have rebooted the iPad.
    I cannot delete Dropbox and reinstall as I can't find it on the iPad to delete, and yet the store says I have it.....
    Any ideas about this random mystery for me???

    Try this  - Reset the iPad by holding down on the Sleep and Home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider - let go of the buttons. (This is equivalent to rebooting your computer.) No data/files will be erased. http://support.apple.com/kb/ht1430
     Cheers, Tom

  • Dropbox and other services that need secure connec...

    Ever since having a HH5 I have not been able to connect to Dropbox, Adobe Creative Cloud Market, and Crashplan, which is another backup service. They all require a secure internet connection.
    I have searched the forums and found others with the same problem, and someone suggested trying switching Smart Setup off, which I have. That didn't work.
    I have tried turning the firewall off, which doesn't work.
    I phoned BT and they said to do a factory reset - I did this and set up the home hub again, and it worked - for a day. I rebooted and it worked - for an hour. Now however much I reset or reboot it doesn't work.
    This seems a fairly common problem. I also cannot access the dropbox page, though I can connect to other HTTPS pages.
    At the times I have managed to get it working, I have also managed to reach the Dropbox page, and I have taken my laptop to my neighbour's house, and it works no problem, both reaching the Dropbox home page and Dropbox and the other applications working.
    Any Suggestions?

    Hi Iwatts,
    Do you get any error messages when you are connecting to those sites?
    It might be worthwhile opting out of BT Web Address Help. Give it a try and let me know how you get on.
    Thanks
    PaddyB
    BTCare Community Mod
