SG300 Redirect HTTP Traffic to Proxy

Dear Cisco Community,
We have the following setup
1 x SG300 Switch in Layer 3 Mode
VLAN 100 (Management VLAN)
VLAN 200 (Data VLAN for Internet Users)
The SG300 has an IP4 Interface in each VLAN:
100: 10.1.1.254 / 24
200: 10.1.2.254 / 24
The internet gateway (Zyxel USG-100) is located in VLAN 100.
In order to restrict the web browsing activities, we're in the process of implementing a Proxy server (GFI Webmonitor).  Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server?  I was thinking of a static route, but then this would apply to all traffic.  Another option would be to block port 80/443 traffic using an ACL I suppose.
Any input will be highly appreciated, thank you!
Kind regards,
Romeo

Hi Mohamad,
I've seen this done in slightly different ways.  One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
CSM-S Configuration Examples
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
Another way is like this:
serverfarm REDIRECT
  nat server
  no nat client
   redirect-vserver REDIRECT
    webhost relocation https://www.example.com/
    inservice
serverfarm SSL_DC
  no nat server
  no nat client
  real 192.168.78.36 local
   inservice
vserver VSERVER_80
  virtual 192.168.78.35 tcp 80
  serverfarm REDIRECT
  persistent rebalance
  inservice
vserver VSERVER_443
  virtual 192.168.78.35 tcp 443
  serverfarm SSL_DC
  persistent rebalance
  inservice
Hope this helps get you started.
Sean

Similar Messages

  • Can a WLC redirect HTTPS traffic in a CWA environment

    Hi Guys.
    Regarding ISE, CWA and WLC, I'm seeing that when you connect to the SSID and open your navigator, if the URL is an HTTPS URL the traffic is not redirected to the ISE Portal using CWA. I thought that the WebAuth Proxy Redirection Port option of the WLC only works when it has the portal (LWA) but not in CWA.
    I only found information about the redirection of the traffic when it is an HTTP connection (port 80).
    Is it possible to redirect HTTPS traffic in a CWA deployment? Most of my users use Google Chrome and, in some scenarios, any search using Google is in HTTPS mode and the captive portal is not shown.
    Thanks.
    Best regards.

    No, the WLC is not able to redirect HTTPS pages.
    You can however add other ports (other than 80) that can be redirected in case of proxy etc.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Is it possible to redirect https traffic to http in CSM?

    Hello,
    I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
    In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
    BTW I have already tried it on the CSM and it is not working. Every time I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
    Thanks for any help offered.
    Murtaza

    I don't have a config in hands for this.
    I have done it before and know this is feasible.
    The redirect is here :
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
    Just change the vip to be only accessible by the SSLM.
    Create the appropriate redirect vserver.
    On the SSLM, send the decrypted traffic to the vip address and port.
    Just as if the Vip was a server.
    Gilles.

  • How to redirect https traffic to captive portal?

    Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
    This is unusual scenario wherein clients have a default homepage to https://www.google.com (sample only)
    Typical http web redirection don't have any problem at all. When you open your browser and type http://www.google.com it will redirect to captive portal without any problem.
    Is there any way to redirect https traffic to captive portal as well?

    Redirection only happens on HTTP traffic; a feature request has been issued to have the redirection happen on HTTPS.
    Please check the following:
    CSCar04580
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
    Please make sure to rate correct answers

  • ISE Guest Portal only redirect HTTPS traffic.

    I have a wireless deployment consisting of the following:
    5760 WLC & ISE 1.2
    Am I missing something here
    I have 4 similar deployments, and never had these issues:
    On Android / Apple devices, the guest portal does not pop up automatically &
    On a Windows Laptop only https traffic directs to the guest portal.
    Thanx

    I think you need to recheck the configuration. Also check the link for step-by-step config:
    http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

  • Redirecting http traffic to the proxy server

    Hi,
    We have a requirement to divert web traffic to blue coat proxy through firewall. Below is the setup
    Requirement:
    We need to divert web traffic from 10.20.200.0/23 [DMZ-STAFFNET] and point it to Bluecoat proxy to process the packets.
    Now that ASA doesn't support PBR to accomplish this, how can we accomplish this ? 

    Hi,
    To list one limitation that you might see in your scenario: you would only be able to redirect the subnets to the proxy from those subnets which are physically behind the interface where the WCCP server resides only, i.e. UNTRUST.
    Now, talking about the NAT, why don't you try this NAT if you don't want to NAT the Source part of the Traffic:
    (DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080
    Also, ASA now supports Policy Based routing from ASA 9.4.1 :)
    Thanks and Regards,
    Vibhor Amrodia

  • Redirect HTTPS traffic to HTTP in Tomcat

    Hi,
    We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
    We have successfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS over the internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
    The problem is that the same connection does not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests on port 8080.
    I have seen that Tomcat allows automatic redirections from HTTP to HTTPS (using the redirectPort parameter in the HTTP connector definition).
    But is it possible the opposite, to switch automatically HTTPS to HTTP ?
    Regards,
    Joan

    Hi,
    At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
    So no redirections are needed and the question is solved.
    Thanks,
    Joan

  • Redirect http traffic

    I have two web servers, web1 and web2. I would like to set up the two web servers in such a way that some requests are answered by web1. Anything else will be redirected to web2.
    Does anyone know how to set it up in iPlanet?

    Hi,
    This can't be done with iWS (like some requests are answered by web1 and some by web2).
    Probably if a loadbalancer has this feature, this is possible.
    So kindly check out if any 3rd party load balancer has got this feature.
    Thanks,
    Daks.

  • Capture http traffic between server and proxy

    Hi,
    I am not a solaris admin so I need some help to capture http traffic between proxy and server.
    I used 'snoop port 80' on my proxy server but this command gives me the traffic between client and proxy.
    PS: i do not have access to remote server.
    Thanks
    Linda

    You probably need this instead:
    snoop host server
    where server is the hostname of the server that you are trying to connect to.
    If you have multiple interfaces, you have to be sure you are snooping on the right interface.

  • WCCP V2 Question (Redirect https)

    Hello all
    I have been successful in implementing wccp in my multiple vlan environment.
    Router is Cisco 2921
    G0/0 - Internet
    G0/1 - Squid Proxy
    G0/2 - Clients in multiple vlans
    Here is the config:
    ip wccp web-cache redirect-list 120
    interface GigabitEthernet0/2.1
    encapsulation dot1Q 3
    ip address 172.16.1.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    interface GigabitEthernet0/2.2
    encapsulation dot1Q 2
    ip address 172.16.2.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    interface GigabitEthernet0/2.3
    encapsulation dot1Q 3
    ip address 172.16.3.1 255.255.255.0
    ip wccp web-cache redirect in
    ip nat inside
    access-list 120 remark REDIRECTION_CRITERIA
    access-list 120 deny   ip host 192.168.1.2 any
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
    access-list 120 deny   ip any any
    I have some questions:
    1) In the command "ip wccp web-cache redirect-list 120", "redirect-list 120" is not required since all vlans are clients.
    using  ip wccp web-cache redirect in under all subinterfaces alone would work.
    Am I correct ?
    2) How can I redirect HTTPS traffic to my squid proxy.

    Hello,
    1. "ip wccp web-cache redirect in"
    It would work if your squid proxy has another default gateway to internet.
    Otherwise the traffic from the SQUID is also forwarded. You have to use different interfaces for users and squid. On the SQUID VLAN subinterface you should not use a WCCP configuration.
    2. Web-cache permits only http. You must configure Dynamic WCCP.
    some example:
    in global:
    ip wccp 120 redirect-list 120
    access-list 120 remark REDIRECTION_CRITERIA
    access-list 120 deny   ip host 192.168.1.2 any
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq 443
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq 443
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
    access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq 443
    access-list 120 deny   ip any any
    on interface:
    ip wccp 120 redirect in
    See link below for more information
    http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-wccp.html#GUID-5E9AE273-1AFD-4598-9325-85F8C822D168
    Best regards
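The two redirect lists in this thread can be compared offline before the router is touched. The Python below is an added example, not part of the original posts: it evaluates ACL 120 first-match for a few flows, treating a `permit` hit as "redirected to the proxy"; the destination address 203.0.113.10 is a constructed sample.

```python
import ipaddress

# ACL 120 as posted in the reply above (used with "ip wccp 120 redirect-list 120").
ACL_REPLY = """\
access-list 120 remark REDIRECTION_CRITERIA
access-list 120 deny   ip host 192.168.1.2 any
access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq 443
access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq 443
access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq 443
access-list 120 deny   ip any any
"""
# The question's ACL is the same list without the "eq 443" entries.
ACL_QUESTION = "\n".join(l for l in ACL_REPLY.splitlines() if "eq 443" not in l)
PORT_NAMES = {"www": 80}  # the only port keyword used in the posted ACL

def take_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') as (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text):
    """Turn extended ACL lines into (action, proto, src, dst, port) tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()[2:]  # drop "access-list <number>"
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = take_addr(tokens), take_addr(tokens)
        port = None
        if tokens[:1] == ["eq"]:
            port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        rules.append((action, proto, src, dst, port))
    return rules

def addr_match(ip, spec):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def redirected(rules, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; only a 'permit' hit is redirected."""
    for action, r_proto, src, dst, port in rules:
        if (r_proto in ("ip", proto) and addr_match(src_ip, src)
                and addr_match(dst_ip, dst) and port in (None, dst_port)):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

if __name__ == "__main__":
    for name, acl in (("question", ACL_QUESTION), ("reply", ACL_REPLY)):
        rules = parse_acl(acl)  # 203.0.113.10 is a constructed destination
        print(name, [redirected(rules, "tcp", "172.16.2.15", "203.0.113.10", p) for p in (80, 443)])
```

The same function shows that the proxy's own address (192.168.1.2) is never redirected and that UDP to port 443 falls through to the final deny, so it bypasses the proxy unless it is handled elsewhere.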

  • Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

    -- Requirement --
    I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
    The web server instance has two listen sockets, 80 and 443.
    The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
    HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
    -- Current set-up --
    The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
    How can I constrain the reverse proxying to HTTPS traffic?
    Thanks for your help,
    Jez

    Thanks Chris that worked perfectly.
    Aside
    Before your solution I had (unsuccessfully) tried the following obj.conf directive
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
    </Client>
    However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

  • Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NAT

    I'm trying to get the WSA to work when redirecting HTTP and HTTPS traffic along the lines of the following:
    object network WSA-HOST
          host 10.0.210.2
    object network obj-10.0.1.0
          subnet 10.0.1.0 255.255.255.0
    object service ORIG-HTTP-PORT
          service tcp destination eq www
    object service WSA-HTTP-DEST-PORT
          service tcp destination eq 8080
    object service ORIG-HTTPS-PORT
          service tcp destination eq https
    object service WSA-HTTPS-DEST-PORT
          service tcp destination eq https  << also tried 8080 etc.
    nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-HOST service ORIG-HTTP-PORT WSA-HTTP-DEST-PORT
    nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-PROXY-HOST service ORIG-HTTPS-PORT WSA-HTTPS-DEST-PORT
    This works just fine for HTTP, but with HTTPS I get the following response from the Ironport WSA:
    Based on your corporate access policies, access to this web site ( https://www.rbsdigital.com/ ) has been blocked.
    Notification codes:  (1, POLICY, UNKNOWN, 0x00000082, 1329750248.609, QAAAAAAAAAAAAAAAyf8AAP8AAAD/AAAAAAAAAAAAAAE=,
    https://www.rbsdigital.com/)
    The access log gives me the following:
    1329750248.602 404 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
    1329750248.609 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
    If anyone has any idea why the WSA simply denies the connection instead of proxying it then I'd be grateful.
    The WSA and the decryption policies work fine in explicit mode.
    Thanks in advance!

    The policy doesn't require authentication. Now here are two tests I did, seconds apart, from the same client on 10.0.4.140:
    First one is where I use NAT as shown above:
    1329757052.027 118 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
    1329757052.311 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
    Second test case is when I reconfigured the browser to explicitly use the WSA as a proxy on port 8080:
    1329757138.274 344 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
    1329757138.566 200 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
    Non-categorised stuff should be passed through:
    Global Policy
    Identity: All
    Pass Through: 1
    Monitor: 65
    Disabled
    Pass Through
    Any thoughts ?
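The access-log lines in this thread can be triaged with a short parser. The Python below is an added example, not part of the original posts: it reads the four lines from the two tests (abridged by dropping the `<...>` verdict block), labels each as transparent or explicit based on the method logged in those tests, and flags denials and any transparent connect whose logged target is the proxy's own address, which is what the posted NAT rule produces by rewriting the destination to WSA-HOST.

```python
from collections import namedtuple

WSA_HOST = "10.0.210.2"  # "object network WSA-HOST" in the posted ASA config

# Lines from the two tests in the post, abridged: the <...> verdict block is dropped.
SAMPLE_LOG = """\
1329757052.027 118 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE -
1329757052.311 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE -
1329757138.274 344 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
1329757138.566 200 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
"""

Entry = namedtuple("Entry", "ts client result status method target decision")

def parse_line(line):
    """Split one access-log line into the fields visible in the post's examples."""
    f = line.split()
    result, status = f[3].split("/")
    decision = "-".join(f[10].split("-")[:3])  # first three parts of the decision tag
    return Entry(f[0], f[2], result, int(status), f[5], f[6], decision)

def mode(entry):
    """TCP_CONNECT was logged in the NAT-redirected test, CONNECT in the explicit one."""
    return {"TCP_CONNECT": "transparent", "CONNECT": "explicit"}.get(entry.method, "request")

def target_host(entry):
    """Host part of the logged target with scheme, port and path removed."""
    rest = entry.target.split("://", 1)[-1]
    return rest.split("/", 1)[0].rsplit(":", 1)[0]

def findings(log_text, proxy_ip=WSA_HOST):
    """Return (timestamp, finding) pairs for lines worth a second look."""
    out = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        e = parse_line(line)
        if mode(e) == "transparent" and target_host(e) == proxy_ip:
            out.append((e.ts, "transparent connect targets the proxy itself"))
        if e.result.startswith("TCP_DENIED"):
            out.append((e.ts, f"denied {e.target} by {e.decision}"))
    return out

if __name__ == "__main__":
    for ts, note in findings(SAMPLE_LOG):
        print(ts, note)
```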

  • Redirect all traffic to http

    Hello,
    I'm running Server 3.1.2 on OSX10.9, I was wondering if there was a way to send all traffic to http versions of webpages and not allow https? 
    I'm working at a school and our current content filter only works with http and doesn't filter https. 
    Sorry if I'm not clear, I'm new at this whole sysadmin thing.

    Hi,
    You can do that with .htaccess  or php
    Here a link https://sites.google.com/site/onlyvalidation/page/301-redirect-https-to-http-on-apache-server
    A+

  • Redirect / Block non https traffic

    I have a quick question. Today I setup teaming 2.0 on SLES10.
    After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that teaming sends out is http://server, since I killed http traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443" to see if it would just redirect the port 80 traffic to 8443 on the server - but that did not work. Is there a place I can simply change the email to link to https://server?
    Any other thoughts?
    Cool product by the way!
    Tha
    Dennis

    Dennis,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Redirecting Non-http traffic

    Gilles,
    we are running GSLB between two sites.
    Is it possible to redirect non-http traffic (e.g. SFTP service) when there is a failure of the services at one site?
    Thanks in advance

    Gilles,
    Thanks for your response.
    As far as option 2 goes, could you please tell me whether the mentioned configuration will work or do I need to make changes?
    Site A
    service remote_site_vip
    11.1.1.1
    keepalive type icmp
    active
    content 1
    vip address 10.1.1.1
    port 8443
    add service 1
    add service 2
    primarysorryserver remote_site_vip
    active
    ****GROUP***
    group redirect
    vip address 10.1.1.1
    add destination service remote_site_vip
    active
    Site B
    service remote_site_vip
    10.1.1.1
    keepalive type icmp
    active
    content 1
    vip address 11.1.1.1
    port 8443
    add service 1
    add service 2
    primarysorryserver remote_site_vip
    active
    ****GROUP***
    group redirect
    vip address 11.1.1.1
    add destination service remote_site_vip
    active
    Thanks in advance
