OTV filtering SSL traffic?

Hi
We are running OTV across 2 sites. The sites have a NAS device and 2 nodes at each site. The NAS device can communicate with the 2 nodes fine on its local site, but when trying to access the nodes on the remote site using HTTPS over port 8443, the connection fails.
All devices can ping each other and we have even seen an established connection and the FIN sent between the two devices.
I don't see any issue with the network here but am just asking if anyone knows of any issues that can be caused by OTV when trying to connect using SSL?
Thanks
PS. There are no other devices such as firewalls, proxies, etc. in the way. The topology consists of the Nexus 7Ks, dark fibre, and the end devices.

Hi Bilal
I don't remember the solution, but it was an error relating to the NAS device, not the network.
Anthony

Similar Messages

  • URL filtering ACE after decryption of SSL traffic

    We currently have a Cisco CSS11501 which we have configured with SSL offloading.
    We offload the SSL traffic and after decryption of the SSL traffic we perform URL filtering.
    Can the ACE 4710 Appliance do the same?
    I have attached the current configuration of the CSS.
    Regards,
    Richard

    With the below config, traffic matching 10.10.10.10:443 will be SSL offloaded and then
    load balanced using rservers in serverfarm "APP1-SFARM" if the request includes "/matchthis".

    ssl-proxy service APP1-SSL-PROXY
      key default-key.pem
      cert default-cert.pem
    class-map match-all APP1-443-VIP
      2 match virtual-address 10.10.10.10 tcp eq https
    class-map type http loadbalance match-any APP1-URLMAP
      2 match http url /matchthis.*
    policy-map type loadbalance first-match APP1-Policy
      class APP1-URLMAP
        serverfarm APP1-SFARM
    policy-map multi-match VIPS-VLAN79
      class APP1-443-VIP
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy APP1-Policy
        ssl-proxy server APP1-SSL-PROXY

    HTH
    Syed iftekhar Ahmed

  • Is it recommended to scan SSL traffic

    Depends on your company policy and provision of services.
    If you are in a highly regulated industry where web use is pinned down to work use only, then yes, you should be.
    If you allow different devices on your network that aren't managed, it can be an issue deploying the intermediate certs needed.
    In more liberal working environments it can create staff "privacy" issues if you are intercepting their banking transactions, Facebook posts and Amazon purchases.

    We are using McAfee web filtering devices, where I have the option of scanning SSL traffic. I know and understand the SSL technology but still have a question in my mind, so it is better to get some suggestions.
    Any suggestions will be highly appreciated.

  • Packet filtering and traffic shaping during peak h...

    I play the online game World of Tanks and am currently experiencing severe lag and disconnects. The problem does not appear to be with the game/service provider but with BT. I need to know: does BT use "packet filtering" and "traffic shaping" during peak hours, and if so, why has it suddenly started?
    This game uses P2P to keep the latency down for players, so I have been advised to contact BT and ask them whether they are limiting these types of connections.
    Most games do not use these types of connections, but World of Tanks does, and again, I have been told BT just don't like them, due to the amount of connections they attempt to forge in order to have a stable latency.
    I need to know if this is going to continue, as I pay to play the game and therefore would have to consider changing my ISP to Virgin, who don't use "packet filtering" and "traffic shaping" during peak hours.
    Quick advice would be appreciated.

    It's absolutely horrible. I turned off wifi, all other devices and every other open program just to reduce my latency from 120ms to 80ms.
    Still suffer from huge packet loss.
    It would be absolutely horrible if they have started throttling worldoftanks.eu servers. Phone support is no help; all they told me to do is restart my router.
    I hope this is fixed soon. There are many posts on the WoT EU official forums and everyone that is affected appears to be a BT customer.
    Some have mentioned it could be the damaged undersea cable.
    I don't have any problems with torrents being throttled or anything like that. Only worldoftanks.eu is being throttled.

  • ACE Best Sticky Method for SSL Traffic

    Hi, With ACE 4710 running serverfarms primarily running SSL traffic, what is the best method for configuring stickiness. Here are some parameters:
    1) low volume sites, 2 real servers
    2) ACE _will not_ do SSL offloading
    3) Balancing HTTPS requests
    4) Many versions of HTTP clients
    5) Currently running ACE A1 code
    I am thinking of:
    1) TCP Header | HostID inspection
    2) SSL-session ID (not good if re-key often though)
    3) Any suggestions?
    many thx,
    WR

    Hi Will,
    You can see a complete configured example for your perusal in this regard:
    Configure ACE Module for End to End SSL Termination
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    And many more here:
    Data Center Application Services Configuration Examples:
    http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
    Hope these configuration examples will be useful to you.
    Sachin Garg

  • Cisco CSS as non-HTTPS SSL-traffic terminator

    Hi!
    Does anybody know whether it is possible to use the Cisco CSS as an SSL-traffic terminator? I need to terminate non-HTTPS SSL traffic on this device (i.e. SSL-encrypted sessions of any particular TCP-based application-layer protocol, not HTTPS). If not, is there any Cisco device capable of doing such a job?
    Regards, Amir

    Hi!
    Thank you very much for your reply.
    I know about the S model - as per my post - but unfortunately I have realized after making the purchase.
    Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow up the CISCO official documentation for that version (I issue all the commands as in the manual). More than that, if I setup the Primary Boot Configuration and then I want to check it up there is nothing in that field. The Secondary Boot Configuration keeps its settings and after the Primary failure it will try the Network Booting but with Failed status - returning me to the OffDM.
    I mention that I am using the OffDM because the unit I bought has no Flash Card.
    Also, I am not sure how I can have a "network mounted filesystem" and in the meantime use the FTP protocol; setting up an NFS server won't provide me with a Windows-style absolute path like k:/.... as per the CISCO official guide. Is that a plain FTP generically called a Network File System? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"
    Is this linked with the fact that I am using a Linux box for my FTP Server? Can you please help me to understand what the following line from CISCO official guide means "A network boot is not supported on UNIX workstations"
    Thank you!

  • SSL traffic management

    I am trying to set up a CSS w/SSL module for a company with 1 public IP and 3 internal web servers (Time Management, Exchange and an employee portal) that require SSL connections. I am NATing all 443 traffic to a CSS VIP which is referencing an SSL-PROXY-LIST (frontend and backend SSL). Does anyone have a network setup like this working?
    I am having an issue with URL filtering on the unencrypted clear text traffic/second content rule lookup from the SSL module to the CRM during the backend SSL setup. Any ideas? This should be possible, correct?
    Thanks in advance ...

    Got it working ...

  • Can I set up multiple instances on iPlanet on one server, one to handle clear-text traffic, and one to handle SSL traffic?

    Long story, but the iPlanet version is 4.1 SP9. We will be filtering users coming in remotely (via internet VPN or dialup) to the SSL implementation, the internal intranet users to the clear-text implementation... thanks!

    Hi,
    You can run more than one instance in iWS,
    like one for http://www.test.com:80 (for TEXT) and another for https://www.test.com:6000
    (Note: you will not be able to use the same port for different instances). I hope this answers your question.
    Thanks,
    Daks.

  • Filtering intervlan traffic

    Network topology
    We have a network setup with trust, untrust and DMZ networks using a PIX firewall.
    We also have a business partner network coming in on the fourth interface of the PIX firewall.
    There are multiple business partners and all are coming to our premises over private leased lines.
    What we have done is terminate all the business partners' Ethernet on an L3 switch and segregate the traffic using VLANs on the L3 switch.
    We have to filter the inter-VLAN traffic from one business partner's VLAN to the other business partners' VLANs.
    Kindly advise with the config of the access-list.
    IP Scheme:-
    Trust Network = 192.168.1.0/24
    Web Server in Inside = 192.168.1.1/24
    Untrust Network = 213.222.100.0/27
    DMZ Network = 192.168.2.0/24
    Mail server in DMZ = 192.168.2.1/24
    PIX network connecting L3 (Business Partner) = 192.168.128.0/28
    Business Partner 1 Subnet on L3 switch = 192.168.48.0/24
    Business Partner 2 Subnet on L3 switch = 192.168.28.0/25
    Business Partner 3 Subnet on L3 switch = 192.168.18.0/27
    Requirement:- We want to filter the traffic between business partners' VLANs, and allow business partners to access a few servers in the Inside and DMZ networks.
    Please find the attached config for reference.
    Regards

    What version of pix are you running?
    You can set up filtering on the 4000 but you can also do something with the PIX as well that might facilitate this issue. PIX ver 6.3 and better supports VLANs and 802.1Q trunking, so you might be able to create VLANs on the PIX and filter accordingly.
    Barring that, set up ACLs that specifically allow only traffic from BPs to the servers required and apply those ACLs to the L3 interfaces.
    Hope that helps
    Chris

  • Prevent HTTPS proxy from intercepting SSL traffic

    We have a Flex + BlazeDS+Spring application built which runs on WebSphere6.1.
    We use the AMF secure protocol (SSL) for communication. In spite of using SSL, tools like Charles proxy are able to decrypt
    the communication and debug the AMF messages. How can we prevent HTTPS proxies like Charles proxy from making such interceptions?

    Got it working ...

  • IDS, detection of encrypted packets within non-SSL traffic streams?

    All...
    Here's the scenario:
    There's a host on the internal network that has a reverse shell to the outside world, and the packets being sent back to the attacker are encrypted, over a standard web (TCP/80) port - which is allowed by Websense or URL filter of choice.
    Can a custom signature be created to alert on the detection of encrypted packets / data streams over non-encrypted transmissions? We've found other IDS/IPS systems in which we're able to build custom sigs to detect and alert on these streams, but are wondering if we can do that within Cisco IDS/IPS?
    Please be specific if possible...let's assume the organization is using the latest version of Cisco IDS software.
    Thanks in advance...

    Have you got Sig 11233 series enabled?  It does, BTW, appear to exclude "WEBPORTS."  Maybe a copy could be made to exclude only TCP 443.
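
A sketch of the check asked about in this thread, added here as an example (it is not Cisco IPS signature syntax and not from the original posts): label the first bytes of a TCP/80 stream by HTTP framing and Shannon entropy. The window size, the 7.2 bits/byte threshold and all sample payloads are constructed assumptions.

```python
import hashlib
import math
import re
from collections import Counter

# Assumed tuning values for this sketch, not taken from any IDS product.
WINDOW = 1024              # bytes inspected at the start of each stream
ENTROPY_THRESHOLD = 7.2    # bits per byte; ciphertext sits close to 8
HTTP_START = re.compile(rb"(?:[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n|HTTP/1\.[01] \d{3} )")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_stream(payload: bytes) -> str:
    """Label the first bytes one side sent on a TCP/80 flow."""
    if HTTP_START.match(payload):
        return "http"                 # framed as HTTP; a compressed body is normal
    if len(payload) < WINDOW:
        return "too-short"            # entropy estimate unreliable on small samples
    if shannon_entropy(payload[:WINDOW]) >= ENTROPY_THRESHOLD:
        return "high-entropy-non-http"
    return "low-entropy-non-http"

def fake_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for encrypted bytes: a SHA-256 hash chain."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed payloads, one per outcome.
SAMPLES = {
    "plain request": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "gzip response": b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n" + fake_ciphertext(2048),
    "opaque stream": fake_ciphertext(2048),
    "text protocol": b"USER anonymous\r\nPASS guest\r\n" * 40,
    "tiny fragment": b"\x16\x03\x01",
}

def run_samples() -> dict:
    """Classify every constructed sample and return name -> label."""
    return {name: classify_stream(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in run_samples().items():
        print(f"{name:14} -> {label}")
```

The framing check runs first because compressed HTTP bodies score as high as ciphertext; the heuristic only flags streams on the web port that do not speak HTTP at all.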

  • Network traffic decryption for SSL Inspection

    Hi,
    Can ASA5545-IPS support network traffic decryption for SSL Inspection?
    Regards,
    Jhun

    When we inspect SSL traffic (on the CX module), the ASA acts as a proxy and has an SSL key of its own that is trusted by the user (i.e. issued by a CA in the user's Trusted Certificate store). That allows it to intercept, decrypt, inspect and re-encrypt the traffic.
    Here is a link to the User Guide section explaining in more detail.

  • Filtered Traffic (port 80)

    I think that the term "attempt" might be misleading here.  Attempt to deliver music to a user who requested it is likely all that this is.

    Dear SpiceWorks Community,
    We currently use the Unified Communication (SMB) appliance for network services. It also filters incoming traffic. Recently, we've seen several attempts from a couple of locations. I'm not sure exactly how to best phrase my questions/concerns. Here is a snapshot of the log.

    079805: Jul 10 11:25:36.803: %SEC-6-IPACCESSLOGP: list 101 denied tcp 208.85.42.21(80) - xx.xx.xx.xx(57294), 1 packet
    079806: Jul 10 11:25:58.519: %SEC-6-IPACCESSLOGP: list 101 denied tcp 208.85.41.43(80) - xx.xx.xx.xx(57297), 1 packet
    079807: Jul 10 11:26:02.312: %SEC-6-IPACCESSLOGP: list 101 denied tcp 208.85.44.31(80) - xx.xx.xx.xx(57298), 1 packet
    079808: Jul 10 11:26:04.040: %SEC-6-IPACCESSLOGP: list 101 denied tcp 69.194.244.13(80) - xx.xx.xx.xx(49794), 1 packet
    079809: Jul 10 11:27:45.218: %SEC-6-IPACCESSLOGP: list 101 denied tcp...
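
An added example, not part of the original thread: a parser for the %SEC-6-IPACCESSLOGP lines quoted above that separates denies whose port pair looks like a web server replying to an inside client from denies aimed at a service port. The sample lines are constructed in the post's format with documentation addresses in place of the redacted destination, and the port sets and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post. Both the " - " separator
# shown on this page and the "->" form are accepted by the parser.
SAMPLE_LOG = """\
079805: Jul 10 11:25:36.803: %SEC-6-IPACCESSLOGP: list 101 denied tcp 208.85.42.21(80) - 192.0.2.10(57294), 1 packet
079806: Jul 10 11:25:58.519: %SEC-6-IPACCESSLOGP: list 101 denied tcp 208.85.41.43(80) -> 192.0.2.10(57297), 1 packet
900001: Jul 10 11:28:01.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51515) -> 192.0.2.10(22), 3 packets
900002: Jul 10 11:28:05.000: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(53) -> 192.0.2.10(1900), 1 packet
this line is not an ACL log entry
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\)\s*->?\s*"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
WEB_PORTS = {80, 443}   # source ports typical of web server replies
EPHEMERAL_MIN = 1024    # assumption: client-side ports are at or above this

def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Label a logged packet by the direction its port pair suggests."""
    if rec["action"] != "denied":
        return "permitted"
    if rec["proto"] == "tcp" and rec["sport"] in WEB_PORTS and rec["dport"] >= EPHEMERAL_MIN:
        return "likely-return-traffic"    # web server answering an inside client
    if rec["dport"] < EPHEMERAL_MIN:
        return "inbound-to-service-port"  # unsolicited attempt at a service
    return "other"

def summarize(text):
    """Count packets per label and collect the source addresses seen."""
    packets, sources = Counter(), {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            label = classify(rec)
            packets[label] += rec["count"]
            sources.setdefault(label, set()).add(rec["src"])
    return packets, sources

if __name__ == "__main__":
    packets, sources = summarize(SAMPLE_LOG)
    for label, n in packets.most_common():
        print(f"{label}: {n} packet(s) from {sorted(sources[label])}")
```

Entries in the first class match the reading given in the reply above: responses to requests made from inside that the inbound list has no entry to let back in.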

  • Cannot send email via Hotmail through port 587 with Secure Connection (SSL) set

    Something is blocking my attempts to send email (with Outlook Express) via my hotmail.com account. The error I receive is as follows:
    Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'Hotmail', Server: 'smtp.live.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F
    When Hotmail.com first changed over to a POP3 server (Sept 2009), I could send emails through them using port 587, which they require. But then something happened, with no changes on my part, to disable my ability to send.
    I have checked and rechecked my Outlook Express account settings. I can send email through another third-party mail account (at 1&1 Internet.com) using port 587, which does not require setting SSL to yes. I can also ping the Hotmail SMTP server via port 587 and receive a response from it.
    I connect to Verizon DSL via a Westell 327W modem/router. Clearly it is not blocking port 587 without SSL. Does it have the capability to block SSL traffic? Or is the Verizon server the culprit, not allowing emails to be sent via Hotmail.com?
    Two different computers on my LAN have the same problem sending emails via Hotmail.com. I have tried everything the Hotmail people have suggested; at this point they think it is an ISP problem, hence this post. This problem doesn't make sense to me and is driving me crazy. Can anyone help me with this?
    Thanks.

    You can still have your reply address set to your hotmail address. And you don't have to really remember to do anything. Configure your client for the HOTMAIL account with Verizon's outgoing server. It will automatically send via Verizon. You don't reveal your verizon.net address, you are just using their server to transmit.

  • Upgrade Failed in WAE's from 4.1.5f to ver 4.2.3c with SSL Error.

    Hi all,
    I am in the process of upgrading the OS from 4.1.5f to 4.2.3c. There was no issue upgrading the central manager.
    While upgrading the other WAEs from the CM and also from the CLI, there is an alarm as below.
         Alarm ID                 Module/Submodule               Instance
       1 mstore_key_retrieval     cms                            ssl_mstore_key
       2 mstore_key_failure       sslao                          mstore_key_failure
    Also, the central manager shows the devices as offline.
    Thanks for your help
    Dhana

    Hi Dhana,
    Please apply the following commands from the CLI on the WAEs that are showing this error:
    1. cms disable on WAE. Command: CM deregister OR CMS deregister force
    2. delete the device from CM
    4. Apply the following commands to the WAE:
    WAE-674-1(config)#no accelerator ssl  enable
    Disabled ssl accelerator.
    WAE-674-1(config)#end
    WAE-674-1#crypto pki managed-store initialize
    All certificate/private keys in SSL managed store will be deleted and optimized SSL traffic will be interrupted. Are you sure you want to continue(yes/no)? [no]:yes
    SSL managed store token file not present. Continuing with deletion of certificates in SSL managed store
    Restarting SSL accelerator. Done.
    WAE-674-1#conf t
    WAE-674-1(config)# accelerator ssl  enable
    Enabled ssl accelerator
    WAE-674-1(config)#cms enable
    Hope this helps.
    Regards.
    PS: Please mark this Answered, if it resolves the issue.
