Redirect / Block non https traffic

I have a quick question. Today I set up teaming 2.0 on SLES10.
After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that teaming sends out is http://server; since I killed http traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443" to see if it would just redirect the port 80 traffic to 8443 on the server - but that did not work. Is there a place I can simply change the email to link to https://server?
Any other thoughts?
Cool product by the way!
Tha
Dennis

Dennis,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/

Similar Messages

  • ISA570 Block Non-HTTP Access by FQDN instead of IP Address

    Does anyone know a way to block any access to a site by FQDN instead of its IP address on the ISA500 series devices? I know you can block website access with Web URL filtering using FQDNs, but what if you want to block non-HTTP traffic to a site that has either multiple IPs or dynamic IPs? I typically use Address Management to set up sites that I want to limit or block, but you have to define specific IPs or ranges and that doesn't always work, especially if host IPs are dynamic. Also, host static IPs can change over time, so even if you define them in Address Management you have to periodically audit them to make sure they are still correct.
    This is not only an issue with blocking sites, but also in trying to define QoS policies as those use addresses defined in Address Management which again use specific IPs or ranges.  I am just trying to find a more reliable, long term, method of doing these types of management activities on the ISA500 devices.
    Thanks for any advice.

    I am pretty sure you cannot do this on ISA.  I think you could use opendns.com to accomplish blocking non-http sites by FQDN.  You could do blocking and QOS by FQDN  with what Cisco generally considers the replacement for this product, the Meraki MX60.

  • Redirecting Non-http traffic

    Gilles,
    we are running GSLB between two sites.
    Is it possible to redirect non-http traffic (e.g. SFTP service) when there is a failure of the services at one site?
    Thanks in advance

    Gilles,
    Thanks for your response.
    As far as option 2 goes, could you please tell me whether the mentioned configuration will work or do I need to make changes?
    Site A
    service remote_site_vip
    11.1.1.1
    keepalive type icmp
    active
    content 1
    vip address 10.1.1.1
    port 8443
    add service 1
    add service 2
    primarysorryserver remote_site_vip
    active
    ****GROUP***
    group redirect
    vip address 10.1.1.1
    add destination service remote_site_vip
    active
    Site B
    service remote_site_vip
    10.1.1.1
    keepalive type icmp
    active
    content 1
    vip address 11.1.1.1
    port 8443
    add service 1
    add service 2
    primarysorryserver remote_site_vip
    active
    ****GROUP***
    group redirect
    vip address 11.1.1.1
    add destination service remote_site_vip
    active
    Thanks in advance

  • Redirect AIR app http traffic to SOCKS server

    Hi there,
    I have an AIR app creating an SSH tunnel/SOCKS5 using a Java class via NativeProcess. That works perfectly so far, but I need to redirect all the http requests from the AIR app to the SOCKS server. Can this be done via Socket/ServerSocket? Any examples?
    Thanks
    MArcos

    First things first - WS6.1sp4 is very old. You should upgrade to the latest SP. There are security problems that have been fixed in the years since SP4 was released.
    <Client match="none" security="true">
    NameTrans fn="redirect" from="/" url-prefix="https://www.example.com"
    </Client>
    This would probably work. <Client security="false"> might work. I'm not positive if Security is holding a Boolean value and this is the right way to test for it, but some quick experimentation should be able to validate the solution.
    Basically what you're trying to do is test for whether the request is secure or not and, if it is not, redirect the browser to the same URI but on a new protocol (https).
    You could also have two obj.conf files. One could be attached to the Port 80 listen socket and do nothing but redirect anything that comes in to the Port 443 listen socket.
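The "same URI, new protocol" redirect described in the reply above, as an added Python example that is not code from the thread or from any of the products discussed: a plain-HTTP listener that only issues redirects, and that checks the Host header against an allowlist so the listener cannot be used as an open redirector. The allowlist contents, the function and class names, and the listening address are assumptions made for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist (assumption): hostnames this site actually serves over HTTPS.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def https_redirect_location(host_header, request_target, https_port=443,
                            allowed_hosts=ALLOWED_HOSTS):
    """Return the https:// URL for a plain-HTTP request, or None to refuse it."""
    # Only origin-form targets ("/path?query"); absolute-form is refused.
    if not host_header or not request_target.startswith("/"):
        return None
    # Refuse whitespace and control characters so nothing can be injected
    # into the Location header (for example CR/LF).
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in host_header + request_target):
        return None
    # Drop any client-supplied port and compare case-insensitively.
    host = host_header.split(":", 1)[0].lower()
    if host not in allowed_hosts:
        return None
    suffix = "" if https_port == 443 else ":%d" % https_port
    return "https://%s%s%s" % (host, suffix, request_target)


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every request on the plain-HTTP socket with a redirect."""

    def _redirect(self):
        location = https_redirect_location(self.headers.get("Host"), self.path)
        if location is None:
            self.send_error(400, "Bad Host header or request target")
            return
        # 301 for GET/HEAD; 308 keeps the method and body for everything else.
        self.send_response(301 if self.command in ("GET", "HEAD") else 308)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _redirect


if __name__ == "__main__":
    # Assumed unprivileged test address; a real deployment binds the port 80 socket.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```
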

  • Non http GSLB with failover pairs in each DC

    Hi guys,
    I'm fairly confident that it's possible to use GSLB between two datacenters for non http traffic. My question is, can you do this while having redundant CSS in each datacenter?
    Thanks

    Just to make sure I understand...
    You can either configure box-to-box redundancy or VIP redundancy within the datacenter (locally) -- not both. Between the datacenters you use GSLB.
    You mentioned that the easiest solution on the local level would be box-to-box, but could you use VIP redundancy locally if you still wanted local services to be redundant within each datacenter? Basically, can you mix it so that you have some services redundant across datacenters, but other services redundant within datacenters?
    Thanks again,

  • SG300 Redirect HTTP Traffic to Proxy

    Dear Cisco Community,
    We have the following setup
    1 x SG300 Switch in Layer 3 Mode
    VLAN 100 (Management VLAN)
    VLAN 200 (Data VLAN for Internet Users)
    The SG300 has an IP4 Interface in each VLAN:
    100: 10.1.1.254 / 24
    200: 10.1.2.254 / 24
    The internet gateway (Zyxel USG-100) is located in VLAN 100.
    In order to restrict the web browsing activities, we're in the process of implementing a proxy server (GFI Webmonitor). Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server? I was thinking of a static route, but then this would apply to all traffic. Another option would be to block port 80/443 traffic using an ACL, I suppose.
    Any input will be highly appreciated, thank you!
    Kind regards,
    Romeo

    Hi Mohamad,
    I've seen this done in slightly different ways.  One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
    CSM-S Configuration Examples
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
    Another way is like this:
    serverfarm REDIRECT
      nat server
      no nat client
       redirect-vserver REDIRECT
        webhost relocation https://www.example.com/
        inservice
    serverfarm SSL_DC
      no nat server
      no nat client
      real 192.168.78.36 local
       inservice
    vserver VSERVER_80
      virtual 192.168.78.35 tcp 80
      serverfarm REDIRECT
      persistent rebalance
      inservice
    vserver VSERVER_443
      virtual 192.168.78.35 tcp 443
      serverfarm SSL_DC
      persistent rebalance
      inservice
    Hope this helps get you started.
    Sean

  • WSA blocking HTTPS traffic -allowing HTTP

    We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers.  The local network design is as follows:
    WLC5508 (Foreign)     >>     WLC5508 (Anchor)     >>     ACE20 Context     >>     WSA 170     >>     FWSM     >>     Internet
    Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
    Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
    ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
    HTTP traffic works fine, HTTPS traffic fails.  The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiates to use TLSv1 then the error below is shown.
    Fails
    57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
    1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
    1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
    I have seen this error posted before but no resolution.  I'm sure this is a config problem, but cannot figure why or where!
    Any ideas, thoughts or help would be great...
    Cheers

    Hi axa,
    This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled, which would be required since you're not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator
    Message was edited by: Erik Kaiser

  • Is it possible to redirect https traffic to http in CSM?

    Hello,
    I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
    In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
    BTW I have already tried it on the CSM and it is not working. Every time I try to reach the https URL I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on HttpWatch.
    Thanks for any help offered.
    Murtaza

    I don't have a config in hands for this.
    I have done it before and know this is feasible.
    The redirect is here :
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
    Just change the vip to be only accessible by the SSLM.
    Create the appropriate redirect vserver.
    On the SSLM, send the decrypted traffic to the vip address and port.
    Just as if the Vip was a server.
    Gilles.

  • Can a WLC redirect HTTPS traffic in a CWA environment

    Hi Guys.
    Regarding ISE, CWA and WLC, I'm seeing that when you connect to the SSID and open your navigator, if the URL is an HTTPS URL the traffic is not redirected to the ISE Portal using CWA. I thought that the WebAuth Proxy Redirection Port option of the WLC only works when it has the portal (LWA) but not in CWA.
    I only found information about the redirection of the traffic when it is an HTTP connection (port 80).
    Is it possible to redirect HTTPS traffic in a CWA deployment? Most of my users use Google Chrome and, in some scenarios, any search using Google is in HTTPS mode and the captive portal is not shown.
    Thanks.
    Best regards.

    No, the WLC is not able to redirect HTTPS pages.
    You can however add other ports (other than 80) that can be redirected in case of proxy etc.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • How to redirect https traffic to captive portal?

    Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
    This is unusual scenario wherein clients have a default homepage to https://www.google.com (sample only)
    Typical http web redirection don't have any problem at all. When you open your browser and type http://www.google.com it will redirect to captive portal without any problem.
    Is there any way to redirect https traffic to captive portal as well?

    Redirection only happens on HTTP traffic; a feature request has been issued to have the redirection happen on HTTPS.
    Please check the following:
    CSCar04580
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
    Please make sure to rate correct answers

  • Cisco CSS as non-HTTPS SSL-traffic terminator

    Hi!
    Does anybody know is it real to use Cisco CSS as SSL-traffic terminator. I need to terminate non-HTTPS SSL-traffic on this device (i.e. SSL-encrypted sessions of any particular TCP-based application-layer protocol, not https)? If not, is there any CISCO device capable of doing such a job?
    Regards, Amir

    Hi!
    Thank you very much for your reply.
    I know about the S model - as per my post - but unfortunately I have realized after making the purchase.
    Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow up the CISCO official documentation for that version (I issue all the commands as in the manual). More than that, if I setup the Primary Boot Configuration and then I want to check it up there is nothing in that field. The Secondary Boot Configuration keeps its settings and after the Primary failure it will try the Network Booting but with Failed status - returning me to the OffDM.
    I mention that I am using the OffDM because the unit I bought has no Flash Card.
    Also I am not sure how I can have a "network mounted filesystem" and in the meantime use the FTP protocol; setting up an NFS server won't provide me with a Windows-style absolute path like k:/.... as per the CISCO official guide. Is that a plain FTP generically called a Network File System? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"
    Is this linked with the fact that I am using a Linux box for my FTP Server? Can you please help me to understand what the following line from CISCO official guide means "A network boot is not supported on UNIX workstations"
    Thank you!

  • Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

    -- Requirement --
    I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
    The web server instance has two listen sockets, 80 and 443.
    The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
    HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
    -- Current set-up --
    The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
    How can I constrain the reverse proxying to HTTPS traffic?
    Thanks for your help,
    Jez

    Thanks Chris that worked perfectly.
    Aside
    Before your solution I had (unsuccessfully) tried the following obj.conf directive
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
    </Client>
    However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

  • ISE Guest Portal only redirect HTTPS traffic.

    I have a wireless deployment consisting of the following:
    5760 WLC & ISE 1.2
    Am I missing something here
    I have 4 similar deployments, and never had these issues:
    On Android / Apple devices, the guest portal does not pop up automatically &
    On a Windows Laptop only https traffic directs to the guest portal.
    Thanx

    I think you need to recheck the configuration. Also check the link for a step-by-step config:
    http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

  • RV042G redirects all https traffic to NAS

    Hi
    I've installed an RV042G, disabled DHCP, opened port 3389 (WAN to LAN), and added one port forwarding rule to a terminal server.
    Now, 48 hours later, when I try to log in to the router (https), I'm automatically redirected to the https site of the NAS (iomega ix-200).
    The nas is connected to a cisco sg100-24, which is connected to lan 1 on the router.
    What is going wrong ?
    Regards
    Stef

    Good morning
    Hi Stef, thanks for using our forum, my name is Johnnatan and I am part of the Small business Support community. You can go to the Web interface in your router and go to Firewall > General and enable the remote management option, you can also specify the port, it could be 80 or 443. Remember if you can specify a port different than 80, you have to type it after the ip address, like this;
    1.2.3.4 → your public ip address.
    8080  → your remote management port.
    1.2.3.4:8080  → Your ip in your browser
    I hope you find this answer useful, 
    “Please rate useful posts so other users can benefit from it”
    Greetings, 
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

  • Intercepting all http traffic and forwarding to VIP on CSM?

    We would like to intercept all http traffic from clients from all vlans and redirect them to a VIP on the CSM for loadbalancing to 2 proxy servers. Is this possible? I can't seem to find a solution similar to our issue? Please help thanks!

    Thx Giles! Do you mean a policy that uses route-maps with next-hop? So would I point the next-hop address to the CSM client vlan IP? Do you have a support link that covers this in detail? Thx!
