WCCP V2 Question (Redirect https)

Similar Messages

• Can a WLC redirect HTTPS traffic in a CWA environment

  Hi Guys.
  Regarding with ISE, CWA and WLC, I 'm seeing that when you connect to the SSID and open your navigator, if the URL is an HTTPS URL the traffic is not redirected to the ISE Portal using CWA. I though that the WebAuth Proxy Redirection Port option of the WLC only works when It has the portal (LWA) but not in CWA.
  I only found information about the redirection of the traffic when is a HTTP connection (port 80).
  Is it possible to redirect HTTPS traffic in a CWA deployment??, most of my users use Google Chrome and, in some scenarios, any search using Gooogle is in HTTPS mode and the captive portal is not shown.
  Thanks.
  Best regards.

  No, the WLC is not able to redirect HTTPS pages.
  You can however add other ports(other than 80) that can be redirected incase of proxy etc.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NAT

  I'm trying to get the WSA to work when redirecting HTTP and HTTPS traffic along the lines of the following:
  object network WSA-HOST
        host 10.0.210.2
  object network obj-10.0.1.0 subnet 10.0.1.0 255.255.255.0
  object service ORIG-HTTP-PORT
        service tcp destination eq www
  object service WSA-HTTP-DEST-PORT
        service tcp destination eq 8080
  object service ORIG-HTTPS-PORT
        service tcp destination eq https
  object service WSA-HTTPS-DEST-PORT
        service tcp destination eq https  << also tried 8080 etc.
  nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-HOST service ORIG-HTTP-PORT WSA-HTTP-DEST-PORT
  nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-PROXY-HOST service ORIG-HTTPS-PORT WSA-HTTPS-DEST-PORT
  This works just fine for HTTP, but with HTTPS I get the following response from the Ironport WSA:
  Based on your corporate access policies, access to this web site ( https://www.rbsdigital.com/ ) has been blocked.
  Notification codes:  (1, POLICY, UNKNOWN, 0x00000082, 1329750248.609, QAAAAAAAAAAAAAAAyf8AAP8AAAD/AAAAAAAAAAAAAAE=,
  https://www.rbsdigital.com/)
  The access log gives me the following:
  1329750248.602 404 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
  1329750248.609 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
  If anyone has any idea why the WSA simply denies the connection instead of proxying it then I'd be grateful.
  The WSA and the decryption policies work fine in explisit mode.
  Thanks in advance!

  The policy doesn't require authentication. Now here are two tests I did, seconds apart, from the same client on 10.0.4.140:
  First one is where I use NAT as shown above:
  1329757052.027 118 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
  1329757052.311 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
  Second test case is when I reconfigured the browser to explisitely use the WSA as a proxy on port 8080:
  1329757138.274 344 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
  1329757138.566 200 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
  Non-categorised stuff should be passed through:
  Global Policy
  Identity: All
  Pass Through: 1
  Monitor: 65
  Disabled
  Pass Through
  Any thoughts ?

• Is it possible to redirect https traffic to http in CSM?

  Hello,
  I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
  In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
  BTW I have already tried it on the CSM and it is not working. Everytime I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
  Thanks for any help offered.
  Murtaza

  I don't have a config in hands for this.
  I have done it before and know this is feasible.
  The redirect is here :
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
  Just change the vip to be only accessible by the SSLM.
  Create the appropriate redirect vserver.
  On the SSLM, send the decrypted traffic to the vip address and port.
  Just as if the Vip was a server.
  Gilles.

• How to redirect https traffic to captive portal?

  Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
  This is unusual scenario wherein clients have a default homepage to https://www.google.com (sample only)
  Typical http web redirection don't have any problem at all. When you open your browser and type http://www.google.com it will redirect to captive portal without any problem.
  Is there any way to redirect https traffic to captive portal as well?

  redirection only happen on http traffic, a feature request has been issued to have the redirection happen on https.
  please check the following
  CSCar04580
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
  Please make sure to rate correct answers

• Redirect HTTP 404 Error

  Hi,
  Is there anyone knows how to redirect HTTP 404 Error on OAS 4? For example, if the requested file doesnt exist, I have to redirect the request to a default page. Thanks for any help.

  <i>So the user actually sees a 404 - page not found error?</i><p>
  Yes, using a static session id in the apache rewrite rule causes the user to get a HTTP 404 - Page cannot be found error.
  Since owa_util.redirect_url is called directly after owa_cookie.send, the owa_util.redirect_url is using just the apex relative url, f?p=blahblahblah, which causes all the Host and DAD information (in our case, infotrek.er.usgs.gov/pls/apex/ to be dropped from the Location: header and sends the user to HOST/f?p=blah instead of HOST/DAD/f?p=blah, which causes the http 404 error.
  I did the test you asked:
  Header when relative URL is used:
  HTTP/1.1 302 Found
  Date: Thu, 23 Aug 2007 13:09:21 GMT
  Server: Oracle-Application-Server-10g/10.1.3.0.0 Oracle-HTTP-Server
  Location: f?p=190:1:2088586269224413
  X-DB-Content-length: 0
  Set-Cookie: WWV_PUBLIC_SESSION_TEST=99999999
  Connection: close
  Content-Type: text/html; charset=UTF-8Header when absolute URL is used:
  HTTP/1.1 302 Found
  Date: Thu, 23 Aug 2007 13:09:49 GMT
  Server: Oracle-Application-Server-10g/10.1.3.0.0 Oracle-HTTP-Server
  Location: http://infotrek.er.usgs.gov/pls/apex/f?p=190:1:2088586269224413
  X-DB-Content-length: 0
  Set-Cookie: WWV_PUBLIC_SESSION_TEST=99999999
  Connection: close
  Content-Type: text/html; charset=UTF-8The second condition is what we need to have happen, and we don't know if we can tinker with anything in apache, Apex, or the owa_util.redirect_url to make it happen. I can't use this fix within any application because <i>the user doesn't get that far</i>. He/she never makes it to the app--they get a Page Cannot be Found error and thinks our site is down.

• CNA question: enabled http is a must?

  Hi,
  I have a simple question: Enabled HTTP is a must for connect Cisco Network Assistant to a switch (for example Cat3560v2) or https access is enough?
  thx in advance!

  Hi Tivadar,
  IP HTTP server or HTTPS server needs to be enabled in order to allow the CNA to access the device. There are some more options you can configure.
  Have a look here (it is for the 4500 series):
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_network_assistant/version5_0/quick/guide/English/C4K_GSG.html
  I hope that helps :-)

• Redirect HTTP 404, 401 errors to custom html pages ?

  Does anyone know how to set up Weblogic 6.1 to TRAP and REDIRECT http 404, 401 etc error messages to custom predefined friendly html pages on the server ?? Here, WL takes http requests directly and outputs the results directly back to the browsers (not going through a proxy server like IPlanet or other web servers).
  So how do I trap HTTP error messages in WL and redirects them to my own custom error pages ??
  Help!

  Hi Aswin,
  Vintela libraries changed in SP3. Usually a 404 error means:
  - Typo in any of the xml tags (you can check opening it in IE)
  - Typo in the SPN (cannot be found). However, you mention seeing in stdout.log "credentials obtained" so it looks that's fine
  - If you are using keytab, comment those lines in web.xml and use the password in Tomcat > Java
  If nothing mentioned above solve the issue, I will suggest you to enable debug in Tomcat and post here the stdout.log
  Regards,
  Julian

• Redirect HTTP to HTTPS with Host Name Site Collections

  By using Alternate Access Mapping, its possible to redirect HTTP to HTTPS.
  as explained in this thread
  http://social.msdn.microsoft.com/Forums/en-US/eaab487a-bc94-4f06-981b-c62711764367/redirect-http-to-https-for-sharepoint-2013
  However what if I am using Host name site collections? My understanding is that the AAM will not work then... so how can I sure that 
  http://intranet.contoso.com is automatically redirected to https://intranet.contoso.com ?
  val it: unit=()

  This is not correct. You can't use URL rewrite with Host Named Site Collections in SharePoint. For URL rewrite to work you need to set bindings on web application which overrides Host Named Site Collection bindings in SharePoint (you have to chose either
  web application bindings or let SharePoint handle that).
  If you want to use URL Rewrite you need to create new Site in IIS7 which will listen on port 80 and rewrite URLs to port 443. This will create small overhead but you can save on resources by leveraging HNSC and have minimal number of web applications on
  the server.
  ----Edit on 1/16/2014-----
  I stand corrected. Above statement is NOT CORRECT. You can indeed perform HTTP to HTTPS URL rewrite with Host Named Site Collections (HNSC) quite elegantly. You do not need any additional web applications. In essence you can
  build you whole farm with single web app on IIS (well two, since second one would be used for SharePoint services). Below is the example where I created single URL rewrite rule which handles any new host name provided they use same domain name (i.e. xxxxx.domain.com).
  I have 20+ HNSCs in single web application and all of them are using URL rewrite.
          <rewrite>
              <rules>
                  <rule name="Redirect to HTTPS" stopProcessing="true">
                      <match url="(.*)" />
                      <conditions>
                          <add input="{SERVER_PORT}" pattern="443" negate="true" />
                      </conditions>
                      <action type="Redirect" url="https://{HTTP_HOST}.domain.com/{R:1}" />
                  </rule>
              </rules>
          </rewrite>
  You need to install URL rewrite plugin and configure binding the following way on your web app in IIS. This will allow rewrite to work and SharePoint will be able to handle hoast header bindings internally.

• Problem redirecting HTTPS trafic using WCCP on a Cisco 6509

  Hi
  I am implementing af Ironport web scanning solution in a current network and i have som problems with HTTPS trafic.
  I am using the following command.
  ip wccp 70 group-list 9 password xxx accelerated
  interface Vlan2
        ip wccp 70 redirect in
  access-list 9 permit <Ironport IP>
  on the Ironport the "Dynamic service ID" of 70 is configuret to accept port 80 and 443 but i only recive port 80 trafic, but if i use windows proxy settings to direct the trafik i recieve trafic from both ports.
  So i think the problem is in my WCCP configuration.

  Can you reset the WCCP session between the Ironport and the 6K, SPAN the interface where the Ironport is connected, re-establish the WCCP session and collect the captures in pcap format, then upload them?!
  Can you get the show ip wccp commands from the 6K to check the WCCP status?

• ASR1002 WCCP L2 Forwarding Redirection setup

  Hi WCCP experts,
  Two questions please.
  According to
  IP Application Services Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000).
  • The following limitation applies to WCCP Layer 2 Forwarding and Return feature:
  Layer 2 redirection requires that content engines be directly connected to an interface on each WCCP router.
  Q1. Will it work if there is a L2 switch between the WCCP router and conte engines?
  Right now we have the WCCP ASR1002 router connected to a L2 switch trunk port. One of the sub-interfaces will be used for the connection to content engines.
  . For content engines running Application and Content Networking System (ACNS) software, use the wccp
  custom-web-cache command with the l2-redirect keyword to configure L2 redirection. For content
  engines running Cisco Wide Area Application Services (WAAS) software, use the wccp tcp-promiscuous
  command with the l2-redirect keyword to configure L2 redirection.
  Q2. I have Blue Coat as content engines. What configuration commands ASR1002 should have for L2 redirection?
  Thanks
  Cedar

  Hi Cedar,
  If i am not wrong the directly connected actually means that ASR and CE or in your case Blue coat proxy should be in the same subnet. If they are in the same subnet then of course you can use switch in between.
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/iap-xe-3s-book/iap-wccp.html#GUID-CAE67F60-CD04-4134-9E7B-995E76608216
  Have a look at the link above and look at L2 redirection and return.
  Wccp customer-web-cache etc are all services and you can use any one or custom numbers as your network requirment. You can use 90 or web-cache which is for port 80 or 61, 62 etc.
  You can see the list of well known service groups.
  Regards,
  Kanwal

• Redirect HTTPS traffic to HTTP in Tomcat

  Hi,
  We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
  We have succesfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS in internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
  The problem is that same connection do not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests in port 8080.
  I have seen that Tomcat allows automatic redirections from HTTP to HTTPS ( using redirecPort parameter in HTTP connector definition ).
  But is it possible the opposite, to switch automatically HTTPS to HTTP ?
  Regards,
  Joan

  Hi,
  At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
  So no redirections are needed and the question is solved.
  Thanks,
  Joan

• Redirecting http traffic to the proxy server

  Hi,
  We have a requirement to divert web traffic to blue coat proxy through firewall. Below is the setup
  Requirement:
  We need to divert web traffic from 10.20.200.0/23 [DMZ-STAFFNET] and point it to Bluecoat proxy to process the packets.
  Now that ASA doesn't support PBR to accomplish this, how can we accomplish this ? 

  Hi,
  To list one limitation that you might see in your scenario , You would only be able to redirect the subnets to the proxy from those subnets which are physically behind the interface where the WCCP server resides only. i.e. UNTRUST
  Now , talking about the NAT , why don't you try this NAT if you don't want to NAT the Source part of the Traffic:-
  (DMZ-STAFFNET) to (bluecoat) source static DMZ-STAFFNET DMZ-STAFFNET destination static internet proxy-server service original-http proxy-8080
  Also , ASA now supports Policy Based routing from ASA 9.4.1 :)
  Thanks and Regards,
  Vibhor Amrodia

• How do you redirect HTTP requests to HTTPS?

  Update to my question:
  My original question didn't include all of the complexity of what I'm trying to do.
  I have a virtual server with two listening ports, 80 and 443. I have a certificate installed for port 443 and that works fine when I specifically type in https://myserver
  I also have a reverse proxy setup for a URI- /myapp -> remoteserver.
  I'd like to configure my webserver to do a redirect from /myapp to the URL https:/myserver/myapp
  and then have the reverse proxy kick and send me over to my remote server.
  Everything works fine if I browse to https://myserver/myapp. I just want for requests from http://myserver/myapp to be turned into https://myserver/myapp before the reverse proxy takes effect.
  Any ideas?
  Thanks-
  Edited by: bisbell on Sep 13, 2010 12:16 PM

  It would go into whichever obj.conf file is specified for this virtual server (probably <server>-obj.conf, but double-check your server.xml to be certain).
  I tend to process redirects early in the obj.conf. I usually try to have them processed before the other NameTrans statements. Here's how I've done it with other kinds of conditionals:
  <Object name=default>
  <If $urlhost = "www.foo.baz.com">
  NameTrans fn="redirect" from="/" url-prefix="http://foo.baz.com/"
  </If>In my case someone had created published a link to my server with a FQDN that was incorrect. Since they had done it in printed material a fix for them was not trivial. To address the problem I created a DNS entry that matched their typo, and created the redirect here to bounce from the bad FQDN to the proper FQDN. You're doing basically the same thing, except you want to redirect accesses to a particular URI that are not SSL enable to the same URL with SSL.
  Please note that I haven't checked any of the syntax I gave you in the prior post. I already see one typo (~= should be =~). The variables being evaluated should be checked for correctness too (e.g. security!="true" might in fact be something like "not defined $security").
  Check the docs. :)

• WAAS WCCP 6500 ACL Redirection

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hi All
        I'm sure I'm missing something simple here on a new install and I hope some one can point it out easily.  I implemented the following config which worked except it understandably broke connections as everything got redirected.  I'm running the WCCP config on a 6500 running 12.2(18) SXF
  This config showed total redirected packets climbing sharply in a 'show ip wccp' on the 6500 but this config broke other things.
  WAE:
  interface GigabitEthernet 1/0
  ip address 10.254.0.251 255.255.255.248
  ip default-gateway 10.254.0.249
  wccp router-list 1 10.254.0.249
  wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
  6500:
  ip wccp 61
  ip wccp 62
  interface Vlan<vlans to be accelerated>
  description Local VLAN to be accelerated
  ip wccp 61 redirect in
  interface Vlan <WAAS vlan>
  description WAAS Devices(CM and WAE)
  ip address 10.254.0.249 255.255.255.248
  interface Vlan <Vlan for WAN transit>
  description Incoming WAN VLAN
  ip wccp 62 redirect in
  To try and limit redirection to just LAN space I swapped this:
  ip wccp 61
  ip wccp 62
  for this:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Ip access-list ext WAAS_Inbound
    Permit ip 10.22.0.0 0.0.255.255 10.0.0.0 0.0.255.255
  Ip access-l ext WAAS_Outbound
  Permit ip 10.0.0.0 0.0.255.255 10.22.0.0 0.0.255.255
  Ip wccp 62 redirect-list WAAS_Inbound
  Ip wccp 61 redirect-list WAAS_Outbound
  Once I did this, 'show ip wccp'  on the 6500 stopped showing redirected packets but did start showing packets being denied redirect.  Optimization stopped(according to the GUI) and I saw no hits on the access-lists(should I?).
  Thanks for your help in advance.

  A fews questions/comments:
  What type of Supervisor are you using?
  What is the exact version of software you are using?
  The fact that the 'packets redirected' counter is incrementing is a bad thing on the 6500.  It means that the redirection is happening in software.
  Can you also provide the output from the following commands:
  sh ip wccp
  sh ip wccp 61 det
  sh ip wccp 62 det
  Thanks,
  Zach