How to redirect https traffic to captive portal?

Any WLC controller model (8500/5508/2504/vWLC), version 7.3 and up.
This is an unusual scenario wherein clients have a default homepage of https://www.google.com (sample only).
Typical HTTP web redirection doesn't have any problem at all. When you open your browser and type http://www.google.com, it will redirect to the captive portal without any problem.
Is there any way to redirect HTTPS traffic to the captive portal as well?

Redirection only happens on HTTP traffic; a feature request has been issued to have the redirection happen on HTTPS.
Please check the following:
CSCar04580
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
Please make sure to rate correct answers

Similar Messages

  • Can a WLC redirect HTTPS traffic in a CWA environment

    Hi Guys.
    Regarding ISE, CWA and WLC, I'm seeing that when you connect to the SSID and open your browser, if the URL is an HTTPS URL the traffic is not redirected to the ISE portal using CWA. I thought that the WebAuth Proxy Redirection Port option of the WLC only works when it hosts the portal (LWA) but not in CWA.
    I only found information about the redirection of the traffic when it is an HTTP connection (port 80).
    Is it possible to redirect HTTPS traffic in a CWA deployment? Most of my users use Google Chrome and, in some scenarios, any search using Google is in HTTPS mode and the captive portal is not shown.
    Thanks.
    Best regards.

    No, the WLC is not able to redirect HTTPS pages.
    You can however add other ports (other than 80) that can be redirected in case of proxy etc.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Is it possible to redirect https traffic to http in CSM?

    Hello,
    I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
    In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
    BTW I have already tried it on the CSM and it is not working. Every time I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
    Thanks for any help offered.
    Murtaza

    I don't have a config in hands for this.
    I have done it before and know this is feasible.
    The redirect is here :
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
    Just change the vip to be only accessible by the SSLM.
    Create the appropriate redirect vserver.
    On the SSLM, send the decrypted traffic to the vip address and port.
    Just as if the Vip was a server.
    Gilles.

  • ISE Guest Portal only redirect HTTPS traffic.

    I have a wireless deployment consisting of the following:
    5760 WLC & ISE 1.2
    Am I missing something here
    I have 4 similar deployments, and never had these issues:
    On Android / Apple devices, the guest portal does not pop up automatically &
    On a Windows Laptop only https traffic directs to the guest portal.
    Thanx

    I think you need to recheck the configuration; also check the link for step-by-step config:
    http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

  • SG300 Redirect HTTP Traffic to Proxy

    Dear Cisco Community,
    We have the following setup
    1 x SG300 Switch in Layer 3 Mode
    VLAN 100 (Management VLAN)
    VLAN 200 (Data VLAN for Internet Users)
    The SG300 has an IP4 Interface in each VLAN:
    100: 10.1.1.254 / 24
    200: 10.1.2.254 / 24
    The internet gateway (Zyxel USG-100) is located in VLAN 100.
    In order to restrict the web browsing activities, we're in the process of implementing a Proxy server (GFI Webmonitor). Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server? I was thinking of a static route, but then this would apply to all traffic. Another option would be to block port 80/443 traffic using an ACL, I suppose.
    Any input will be highly appreciated, thank you!
    Kind regards,
    Romeo

    Hi Mohamad,
    I've seen this done in slightly different ways.  One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
    CSM-S Configuration Examples
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
    Another way is like this:
    serverfarm REDIRECT
      nat server
      no nat client
       redirect-vserver REDIRECT
        webhost relocation https://www.example.com/
        inservice
    serverfarm SSL_DC
      no nat server
      no nat client
      real 192.168.78.36 local
       inservice
    vserver VSERVER_80
      virtual 192.168.78.35 tcp 80
      serverfarm REDIRECT
      persistent rebalance
      inservice
    vserver VSERVER_443
      virtual 192.168.78.35 tcp 443
      serverfarm SSL_DC
      persistent rebalance
      inservice
    Hope this helps get you started.
    Sean

  • Redirecting http traffic to the proxy server

    Hi,
    We have a requirement to divert web traffic to blue coat proxy through firewall. Below is the setup
    Requirement:
    We need to divert web traffic from 10.20.200.0/23 [DMZ-STAFFNET] and point it to Bluecoat proxy to process the packets.
    Now that ASA doesn't support PBR to accomplish this, how can we accomplish this?

    Hi,
    To list one limitation that you might see in your scenario: you would only be able to redirect the subnets to the proxy from those subnets which are physically behind the interface where the WCCP server resides, i.e. UNTRUST.
    Now, talking about the NAT, why don't you try this NAT if you don't want to NAT the source part of the traffic:
    (DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080
    Also, ASA now supports Policy Based Routing from ASA 9.4.1 :)
    Thanks and Regards,
    Vibhor Amrodia

  • How to redirect Internet traffic from RV082 to RV042 through a VPN Tunnel??

    Fellows,
    We have offices in USA and Venezuela.
    In our USA office we have a RV042 router and in Venezuela we have a RV082 router.
    We have connected a VPN tunnel (gateway-to-gateway) between both offices.
    The point is:
    How could we redirect the internet traffic from our Venezuela office (RV082) to the USA Office (RV042) to navigate using USA public IP's?
    The reason for this is that we need to use online streaming services which are only available for IP's from USA and we can't use them from the Venezuelan IP's.
    We can not use the PPTP option since the equipment which will use the streaming services (like hulu, crackle, etc.) in Venezuela is a Google TV device which doesn't allow the configuration of proxy navigation or PPTP VPN connections itself. That's the reason why we need to do that through the routers.
    We will really appreciate your support on this matter.
    Daniel

    Hi Daniel, this is called ESP wildcard forwarding which the router does support.
    https://supportforums.cisco.com/docs/DOC-12534   <- This is older but applicable
    https://supportforums.cisco.com/message/3766661
    -Tom
    Please mark answered for helpful posts

  • Redirect HTTPS traffic to HTTP in Tomcat

    Hi,
    We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
    We have successfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS over the internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
    The problem is that the same connection does not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests on port 8080.
    I have seen that Tomcat allows automatic redirections from HTTP to HTTPS (using the redirectPort parameter in the HTTP connector definition).
    But is the opposite possible, to switch automatically from HTTPS to HTTP?
    Regards,
    Joan

    Hi,
    At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
    So no redirections are needed and the question is solved.
    Thanks,
    Joan

  • How to redirect http to www

    This isn't limited to dreamweaver, but I hope someone can help. I create a website for a domain, let's say xxxx.com and post it no problem. If you type http://www.xxxx.com, in a browser it comes up fine. If you type http://xxxx.com (without the www), it will also come up fine, and the address bar of the browser shows http://xxxx.com (i.e. without the www).
    My client would like the address bar to display the www in both cases, i.e. even if the user does not type in the www. I've looked around, and while most sites do not display the www in both cases, some do, so I know it's possible.
    Can anyone help me with this? Thanks a lot.

    Get the hosting company to set up a redirect. It's pretty simple for them to do.
    Andy

  • Redirect http traffic

    I have two web servers, web1 and web2. I would like to set up the two web servers in such a way that some requests are answered by web1. Anything else will be redirected to web2.
    Does anyone know how to set it up in iPlanet?

    Hi,
    This can't be done with iWS (like some requests are answered by web1 and some by web2).
    Probably if a loadbalancer has this feature, this is possible.
    So kindly check out if any 3rd party load balancer has got this feature.
    Thanks,
    Daks.

  • Anyconnect 3.1 Captive Portal False Alert Stops Users Connecting.

    Hi All,
    I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting.
    This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below.
    "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
    Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail.
    Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
    Any advice would be appreciated, just let me know what extra details to post if needed.
    Many thanks,
    Josh Campbell

    Hi Joshua,
    The below information could be located at
    www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html
    False Captive Portal Detection
    AnyConnect can falsely assume it is in a captive portal in the following situations.
    • If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a "captive portal" environment.
    To prevent this, make sure the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.
    • If there is another device on the network before the ASA, and that device responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a "captive portal" environment. This situation can occur when a user is on an internal network, and connects through a firewall to connect to the ASA.
    If you need to restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic to the ASA's address does not return an HTTP status. HTTP/HTTPS access to the ASA should either be allowed or completely blocked (also known as black-holed) to ensure that HTTP/HTTPS requests sent
    There is also a bug filed for this. Just for your reference,
    CSCud17825 - Anyconnect captive portal
    Regards,
    Srikanth K S.
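
The first false-alert condition in the answer above (certificate CN not matching the server name in the client profile) can be checked before rollout. This is an added example, not Cisco's code and not part of the original thread: the profile layout (`HostEntry` with `HostName`/`HostAddress`), the `vpn.example.com` names and the sample certificate are constructed assumptions, and the extra SAN check goes beyond the CN rule quoted on the page.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed sample profile; host names are placeholders, not from the thread.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Head Office VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>asa2.example.com</HostName>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed certificate, in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def profile_servers(xml_text):
    """Return the name the client connects to for each HostEntry.
    Assumption: HostAddress is used when present, otherwise HostName."""
    servers = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        name = fields.get("HostAddress") or fields.get("HostName")
        if name:
            servers.append(name.lower())
    return servers

def cert_names(cert):
    """Extract (CN, [DNS SANs]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower()
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans

def check_profile(xml_text, cert):
    """Map each profile server to 'cn-match', 'san-only' or 'mismatch'."""
    cn, sans = cert_names(cert)
    result = {}
    for server in profile_servers(xml_text):
        if server == cn:
            result[server] = "cn-match"
        elif server in sans:
            result[server] = "san-only"
        else:
            result[server] = "mismatch"  # candidate for the false alert
    return result

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate. The chain is still validated; only the name
    check is disabled so a mismatched certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for server, status in check_profile(SAMPLE_PROFILE, SAMPLE_CERT).items():
        print(server, status)
```

`fetch_cert` fails on a self-signed ASA certificate because the chain is validated; in that case export the certificate from the ASA and inspect its subject offline.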

  • WCCP V2 Question (Redirect https)

    Hello all
    I have been successful in implementing wccp in my multiple vlan environment.
    Router is Cisco 2921
    G0/0 - Internet
    G0/1 - Squid Proxy
    G0/2 - Clients in multiple vlans
    Here is the config:
    ip wccp web-cache redirect-list 120
    interface GigabitEthernet0/2.1
    encapsulation dot1Q 3
    ip address 172.16.1.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    interface GigabitEthernet0/2.2
    encapsulation dot1Q 2
    ip address 172.16.2.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    interface GigabitEthernet0/2.3
    encapsulation dot1Q 3
    ip address 172.16.3.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    access-list 120 remark REDIRECTION_CRITERIA
    access-list 120 deny   ip host 192.168.1.2 any
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
    access-list 120 deny   ip any any
    I have some questions:
    1) In the command "ip wccp web-cache redirect-list 120", "redirect-list 120" is not required since all vlans are clients.
    using  ip wccp web-cache redirect in under all subinterfaces alone would work.
    Am I correct ?
    2) How can I redirect HTTPS traffic to my squid proxy.

    Hello,
    1. "ip wccp web-cache redirect in"
    It would work if your squid proxy has another default gateway to the internet.
    Otherwise the traffic from the SQUID is also forwarded. You have to use different interfaces for users and squid. On the subinterface of the SQUID VLAN you should not use a WCCP configuration.
    2. Web-cache permits only HTTP. You must configure dynamic WCCP.
    Some example:
    in global:
    ip wccp 120 redirect-list 120
    access-list 120 remark REDIRECTION_CRITERIA
    access-list 120 deny   ip host 192.168.1.2 any
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq 443
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq 443
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq 443
    access-list 120 deny   ip any any
    on interface:
    ip wccp 120 redirect in
    See link below for more information
    http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-wccp.html#GUID-5E9AE273-1AFD-4598-9325-85F8C822D168
    Best regards

  • Redirect HTTP 404 Error

    Hi,
    Does anyone know how to redirect an HTTP 404 error on OAS 4? For example, if the requested file doesn't exist, I have to redirect the request to a default page. Thanks for any help.

    "So the user actually sees a 404 - page not found error?"
    Yes, using a static session id in the apache rewrite rule causes the user to get an HTTP 404 - Page cannot be found error.
    Since owa_util.redirect_url is called directly after owa_cookie.send, the owa_util.redirect_url is using just the apex relative url, f?p=blahblahblah, which causes all the Host and DAD information (in our case, infotrek.er.usgs.gov/pls/apex/) to be dropped from the Location: header and sends the user to HOST/f?p=blah instead of HOST/DAD/f?p=blah, which causes the http 404 error.
    I did the test you asked:
    Header when relative URL is used:
    HTTP/1.1 302 Found
    Date: Thu, 23 Aug 2007 13:09:21 GMT
    Server: Oracle-Application-Server-10g/10.1.3.0.0 Oracle-HTTP-Server
    Location: f?p=190:1:2088586269224413
    X-DB-Content-length: 0
    Set-Cookie: WWV_PUBLIC_SESSION_TEST=99999999
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Header when absolute URL is used:
    HTTP/1.1 302 Found
    Date: Thu, 23 Aug 2007 13:09:49 GMT
    Server: Oracle-Application-Server-10g/10.1.3.0.0 Oracle-HTTP-Server
    Location: http://infotrek.er.usgs.gov/pls/apex/f?p=190:1:2088586269224413
    X-DB-Content-length: 0
    Set-Cookie: WWV_PUBLIC_SESSION_TEST=99999999
    Connection: close
    Content-Type: text/html; charset=UTF-8
    The second condition is what we need to have happen, and we don't know if we can tinker with anything in apache, Apex, or the owa_util.redirect_url to make it happen. I can't use this fix within any application because the user doesn't get that far. He/she never makes it to the app--they get a Page Cannot be Found error and thinks our site is down.

  • MPF ASA for Web Filtering. Https traffic

    SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
    Hi all,
    I have the following configuration in my ASA based on guidelines from the above source to allow only certain sites in my home and block all requests to http and https sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
    access-list WEBFILTER extended permit tcp any any eq www
    access-list WEBFILTER extended permit tcp any any eq https
    regex allowex1 "website1\.com"
    regex allowex2 "website2\.com"
    class-map type inspect http match-all allow-url-class
    match not request header host regex allowex1
    match not request header host regex allowex2
    class-map allow-user-class
    match access-list WEBFILTER
    policy-map type inspect http allow-url-policy
    parameters
    class allow-url-class
      drop-connection
    policy-map allow-user-url-policy
    class allow-user-class
      inspect http allow-url-policy
    service-policy allow-user-url-policy interface inside
    HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
    Thanks in advance for your help
    Juan

    Is it even possible for MPF ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
    (config)# class-map type inspect ?
    configure mode commands/options:
      dns   Configure a class-map of type DNS
      ftp   Configure a class-map of type FTP
      h323  Configure a class-map of type H323
      http  Configure a class-map of type HTTP
      im    Configure a class-map of type IM
      sip   Configure a class-map of type SIP

  • WRT54G Bridges, VPN's, Captive Portals, etc. (Advanced FAQ)

    These questions are only in relation to the above Wireless Router (v6, FW-v1.02 [2010]) :
    1. What is an Ethernet Bridge (the basic authoritative definition), and besides gaming, what are they generally used for in a business setting?
    2. What are VPN settings in a Router used for, and can a VPN be configured on a remote PC without them?
    3. Utilizing bridging, etc., can I utilize my WRT54G as a makeshift Range Expander as long as the primary router doesn't have WEP key requirements? The current WIFI doesn't reach my PC, so I thought I could configure my router midway in hopes of extending the other router's signal, via some kind of bridging if necessary. Naturally, there would only be a wireless connection between routers.
    4. How can I set up a simple Captive Portal on this router?
    If more expedient, provide any definitive links to answer these questions, preferably at Cisco sites. Thanks.

    Re 1. Where did you find this? The WRT is a switch, not a bridge. Technically, the switch does the same as the bridge, only better. It connects two or more ethernet segments and joins them into a single ethernet network.
    Re 2. The VPN settings are used when you have VPN connections running through the router (i.e. not as endpoint). If it's possible to connect without them depends on the kind of VPN you are trying to establish. Some will work and some won't unless you have enabled the corresponding passthrough.
    3. ethernet bridging and wireless bridging are completely different things. The WRT won't connect wirelessly to other routers.
    4. You can't.
