WSA blocking HTTPS traffic, allowing HTTP

We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers. The local network design is as follows:
WLC5508 (Foreign)     >>     WLC5508 (Anchor)     >>     ACE20 Context     >>     WSA 170     >>     FWSM     >>     Internet
Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
Clients associate to the SSID, receive an IP address via the local DHCP scope on the anchor WLC and forward all traffic to the DFWG, which is the ACE20 interface.
ACE20 has specific class-maps for public DNS use and a load-balance policy-map which forwards all other traffic (excluding DNS) to the WSA.
HTTP traffic works fine, HTTPS traffic fails. The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiate TLSv1, then the error below is shown.
Fails
57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
I have seen this error posted before but no resolution.  I'm sure this is a config problem, but cannot figure why or where!
Any ideas, thoughts or help would be great...
Cheers

Hi axa,
This is an access policy blocking the SSL traffic, based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have the HTTPS proxy enabled, which would be required since you're not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
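Reading the access-log lines in the post mechanically makes the diagnosis above concrete. The two TCP_CONNECT lines (NONE_SSL/200, cs-version= 0) show the CONNECT tunnel being set up with no policy decision yet; the third line is the first request the proxy saw after decrypting (GET, cs-version= 1), and it carries TCP_DENIED_SSL/403 with an ACL decision tag starting BLOCK_ADMIN, i.e. a policy on the WSA rejected the request after decryption, which is the direction Erik's reply points. The names in that tag (here "HTTPS" and "NonLocalDestination") are the policy group and identity to look at in the WSA GUI. The following Python is an added example, not code from the post or from Cisco: the sample lines are constructed to follow the format of the lines above (with the long tail shortened), and splitting the decision tag into decision / policy group / identity follows the documented WSA tag layout but is an assumption about this particular AsyncOS version.

```python
"""Pull the fields that explain an HTTPS block out of Cisco WSA access-log lines.

Added example, not code from the post or from Cisco. SAMPLE_LINES are
constructed to mirror the format of the lines in the post (the long <...>
and cs-* tail is shortened). Field order follows the WSA access-log layout:
timestamp, elapsed ms, client IP, result-code/HTTP-status, bytes, method,
URL, user, hierarchy/server, MIME type, ACL decision tag, then the rest.
Splitting the tag into decision-policygroup-identity is an assumption about
the tag layout for this AsyncOS version.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LINES = [
    # CONNECT tunnel set up; nothing decrypted yet, so no policy decision (NONE_SSL, cs-version= 0)
    "1357666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - "
    "OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-> - s-ip= 255.255.255.255 s-port= 443 cs-version= 0 c-port= 54930",
    "1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - "
    "OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-> - s-ip= 255.255.255.255 s-port= 443 cs-version= 0 c-port= 54931",
    # first decrypted request (GET, cs-version= 1): a policy on the WSA blocked it
    "1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - "
    "BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-> - s-ip= 255.255.255.255 "
    "s-port= 443 cs-version= 1 c-port= 54931 cs-user-agent= \"Mozilla/4.0 (compatible; MSIE 8.0)\"",
]

_CS_VERSION = re.compile(r"cs-version= (\d+)")


@dataclass
class AccessLogEntry:
    timestamp: float
    client_ip: str
    result_code: str            # e.g. NONE_SSL, TCP_DENIED_SSL
    http_status: int
    method: str
    url: str
    decision: str               # first element of the ACL decision tag, e.g. BLOCK_ADMIN
    policy_group: str           # second element: access/decryption policy group name (assumed layout)
    identity: str               # third element: identity group name (assumed layout)
    cs_version: Optional[int]   # HTTP version the proxy saw; 0 on an undecrypted CONNECT

    @property
    def is_https_block(self) -> bool:
        """A policy block on HTTPS traffic (a decrypted request or the CONNECT itself)."""
        https = self.result_code.endswith("_SSL") or self.url.startswith("https://")
        return https and self.decision.startswith("BLOCK") and 400 <= self.http_status < 500


def parse_line(line: str) -> AccessLogEntry:
    """Split one access-log line; the free-form tail after the decision tag is kept as one field."""
    fields = line.split(maxsplit=11)
    if len(fields) < 11:
        raise ValueError(f"not a WSA access-log line ({len(fields)} fields): {line[:40]!r}")
    result_code, _, status = fields[3].partition("/")
    tag = fields[10].split("-")
    tag += ["-"] * (3 - len(tag))           # tolerate short tags
    rest = fields[11] if len(fields) > 11 else ""
    m = _CS_VERSION.search(rest)
    return AccessLogEntry(
        timestamp=float(fields[0]),
        client_ip=fields[2],
        result_code=result_code,
        http_status=int(status) if status.isdigit() else 0,
        method=fields[5],
        url=fields[6],
        decision=tag[0],
        policy_group=tag[1],
        identity=tag[2],
        cs_version=int(m.group(1)) if m else None,
    )


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count HTTPS policy blocks and name the policy group / identity that issued them."""
    entries = [parse_line(line) for line in lines if line.strip()]
    blocks = [e for e in entries if e.is_https_block]
    return {
        "total": len(entries),
        "https_blocks": len(blocks),
        "blocking_policies": sorted({(e.policy_group, e.identity) for e in blocks}),
        "blocked_urls": [e.url for e in blocks],
    }


if __name__ == "__main__":
    for e in map(parse_line, SAMPLE_LINES):
        print(f"{e.result_code}/{e.http_status} {e.method:<11} decision={e.decision} "
              f"policy={e.policy_group} identity={e.identity} cs-version={e.cs_version}")
    print(summarize(SAMPLE_LINES))
```

Run it against a real accesslog export the same way; a non-empty "blocking_policies" list tells you which access or decryption policy group and identity to open in the GUI, and cs-version= 0 versus 1 separates "tunnel never established" from "decrypted, then denied".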

Similar Messages

  • Is it possible to redirect https traffic to http in CSM?

    Hello,
    I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
    In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
    BTW I have already tried it on the CSM and it is not working. Every time I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
    Thanks for any help offered.
    Murtaza

    I don't have a config in hands for this.
    I have done it before and know this is feasible.
    The redirect is here :
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
    Just change the vip to be only accessible by the SSLM.
    Create the appropriate redirect vserver.
    On the SSLM, send the decrypted traffic to the vip address and port.
    Just as if the Vip was a server.
    Gilles.

  • Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

    -- Requirement --
    I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
    The web server instance has two listen sockets, 80 and 443.
    The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
    HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
    -- Current set-up --
    The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
    How can I constrain the reverse proxying to HTTPS traffic?
    Thanks for your help,
    Jez

    Thanks Chris, that worked perfectly.
    Aside
    Before your solution I had (unsuccessfully) tried the following obj.conf directive:
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
    </Client>
    However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

  • CSG C5(14) alters HTTP traffic if http accounting is enabled

    Hi guys,
    I'm facing an issue with some mobile handsets that connect to the internet to gather information from the vendor website (http tcp 80).
    I have CSG 5.5(14) configured in this way:
    ip csg policy HTTP
     accounting type http customer-string INTERNET
    ip csg content WWW
     ip any tcp 80
     replicate
     vlan CLIENTVLAN
     policy HTTP
     inservice
    Mobile handsets receive an error while trying to connect.
    A trace (attached) shows an HTTP 502 (Bad Gateway).
    If I create a more specific content without policy (and consequently without http accounting) like the following, everything works:
    ip csg content MYCONTENT
     ip 84.0.0.0 255.0.0.0 tcp 80
     replicate
     vlan CLIENTVLAN
     inservice
    My problem is that the DNS resolves that hostname each time with different IP address in different subnets, so I don't have a safe way to map the webserver to this new content.
    My questions:
    Is there any method to safely map that destination without involving an huge amount of IP address that should match WWW content instead?
    Anyone knows what is the behavior of http accounting in CSG?
    Thanks in advance.
    Regards,
    Riccardo

    Each HTTP method must be initiated by the same endpoint that initiated the TCP connection. The CSG supports IP fragmentation for HTTP; Internet Message Application Protocol, version 4 (IMAP4); Post Office Protocol version 3 (POP3); Simple Mail Transfer Protocol (SMTP); Wireless Application Protocol (WAP) 2.0; and WAP 1.x, regardless of the order in which the flows arrive. Refer to http://cisco.com/en/US/products/sw/wirelssw/ps779/products_configuration_guide_chapter09186a00806ab79a.html

  • Redirect HTTPS traffic to HTTP in Tomcat

    Hi,
    We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
    We have succesfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS in internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
    The problem is that same connection do not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests in port 8080.
    I have seen that Tomcat allows automatic redirections from HTTP to HTTPS ( using redirecPort parameter in HTTP connector definition ).
    But is it possible the opposite, to switch automatically HTTPS to HTTP ?
    Regards,
    Joan

    Hi,
    At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
    So no redirections are needed and the question is solved.
    Thanks,
    Joan

  • Cisco ASA rely HTTP port to HTTPS without using CNAME DNS-record

    Hi all,
    Could anyone tell me, is it possible to configure the ASA so that when a customer requests http://domain.com the ASA redirects it to https://domain.com (similar to the CNAME function of a DNS record)?
    P.S. The domain.com resource is located behind the ASA and the DNS A-record points to the public ASA IP address.
    Thank you.

    What version ASA are you running?
    If the server has both static public and private IPs you could use NAT to redirect HTTP traffic to HTTPS based on IP.
    object network PUBLIC_IP
      host 1.1.1.1
    object network REAL_IP
      host 2.2.2.2
      nat (inside,outside) static PUBLIC_IP http https
    Keep in mind that you will also need a NAT statement that maintains https to the server.
    Please remember to select a correct answer and rate helpful posts

  • WSA access logging for HTTPS traffic

    Hi,
    We have a WSA S370 with AsyncOS version 7.5.1-079 and it is configured as a transparent proxy.
    HTTPS proxy is enabled and all the URL categories are set to pass through (no decrypting or monitoring).
    Seems like the WSA does not generate logs for HTTPS transactions.
    I would like to know whether this is the expected behaviour.
    Is there any way that I can monitor HTTPS transactions without decrypting ?
    Thanks,
    Wipula.

    In addition to what Ken mentioned, the only way you can monitor HTTPS traffic without decrypting it is by IP address.
    In the access logs, you will see the following transaction when accessing an HTTPS site (google for example):
    TCP_CONNECT 74.125.101.50
    It will only report URLs once decrypted.  At that point, it is just HTTP.
    -Vance

  • Transparent wsa and https traffic

    Folks,
    I'm deploying an S300V in transparent mode using WCCP.
    I have a single policy allowing HTTP and HTTPS.
    HTTP works fine but HTTPS doesn't.
    I can see both sets of requests go out through my outer firewalls but the HTTPS handshake doesn't get past the client hello.
    The VM is being used on a guest Wi-Fi network so clients won't be authenticated, won't have a common root certificate and I don't want to decrypt traffic.
    TAC are telling me I need to enable the HTTPS proxy but I can't, as clients won't have the root certificate required.
    Do I need to use the HTTPS proxy?
    Thanks to anyone taking the time to reply.

    Ken,
    If I don't want to decrypt HTTPS but still want the traffic to be inspected for URL and web reputation, do I still need to upload a root certificate? I would have assumed not, as I do not want to decrypt HTTPS, but the GUI doesn't allow me to enable HTTPS Proxy without uploading a certificate; basically I cannot "Enable HTTPS Proxy" and submit without a cert.
    Basically what I want to do is just pass the HTTPS traffic through to be checked against the same access policies that HTTP is being checked against.
    Is this viable? If so can you let me know how I can achieve the above?
    Thanks

  • Redirect / Block non https traffic

    I have a quick question. Today I setup teaming 2.0 on SLES10.
    After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that teaming sends out is http://server; since I killed http traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443 to see if it would just redirect the port 80 traffic to 8443 on the server - but that did not work. Is there a place I can simply change the email to link to https://server?
    Any other thoughts?
    Cool product by the way!
    Tha
    Dennis

    Dennis,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • ASA MPF on HTTP traffic

    Hi, I'm a student studying MPF at the moment, and I was just wondering about the parameters (request args regex, request body length, etc.) that HTTP inspection provides. I looked through some resources and information on the Cisco website, but it was difficult to understand all of these parameters.
    How does the ASA match HTTP traffic? Are these parameters located in the HTML (body, Java, ActiveX)? Where are they located?
    Thanks in advance!

    Hello Terry,
    The first thing to understand when we are talking about inspection on layers 5 to 7 (in this case HTTP) is that in order for it to work the client has to be on one ASA interface and the server on another; this allows the ASA to inspect the HTTP session.
    Now you are asking how the ASA is going to match that traffic. Well, with the policy-map type inspect we decide what to match (the HTTP request, response, etc.), and we can use different things to do it. Just as an example, we can create a regular expression that matches www.cisco.com (\.cisco\.com) and then tell the ASA to match the header of the HTTP packet using that particular rule, and then we will be able to block cisco.com, as an example.
    You can also match the URI, etc., and then apply the right HTTP inspection parameter.
    Please rate helpful posts.
    Regards,
    Julio

  • MPF ASA for Web Filtering. Https traffic

    SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
    Hi all,
    I have the following configuration in my ASA, based on guidelines from the above source, to allow only certain sites in my home and block all requests to other HTTP and HTTPS sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
    access-list WEBFILTER extended permit tcp any any eq www
    access-list WEBFILTER extended permit tcp any any eq https
    regex allowex1 "website1\.com"
    regex allowex2 "website2\.com"
    class-map type inspect http match-all allow-url-class
     match not request header host regex allowex1
     match not request header host regex allowex2
    class-map allow-user-class
     match access-list WEBFILTER
    policy-map type inspect http allow-url-policy
     parameters
     class allow-url-class
      drop-connection
    policy-map allow-user-url-policy
     class allow-user-class
      inspect http allow-url-policy
    service-policy allow-user-url-policy interface inside
    HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
    Thanks in advance for your help
    Juan

    Is it even possible for for MPF ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
    (config)# class-map type inspect ?
    configure mode commands/options:
      dns   Configure a class-map of type DNS
      ftp   Configure a class-map of type FTP
      h323  Configure a class-map of type H323
      http  Configure a class-map of type HTTP
      im    Configure a class-map of type IM
      sip   Configure a class-map of type SIP
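Both this thread and the transparent-WSA thread above run into the same fact: the HTTP Host header and URL are inside the TLS session, so an inspector that does not decrypt (an ASA `inspect http` class, or a WSA with HTTPS set to pass through) never sees them, which is why `match request header host` catches port 80 requests and nothing on port 443. What such an inspector can read in cleartext is the ClientHello, and in particular the Server Name Indication extension; that, or the destination IP when there is no SNI (as Vance describes in the access-logging thread), is what HTTPS category filtering without decryption has to key on. The block below is an added example, not code from the posts, Cisco, or the ASA: it builds a constructed, minimal ClientHello (not a capture), extracts the SNI, does the equivalent for a plain HTTP Host header, and returns None when the hello carries no SNI. One caveat a practitioner should keep in mind: the SNI is sent by the client and is not authenticated by anything, so a policy keyed on it controls what a well-behaved browser reaches, not what a client that lies in its ClientHello reaches.

```python
"""Recover the hostname a non-decrypting inspector can see: the TLS SNI from a
ClientHello, or the Host header from a plaintext HTTP request.

Added example, not code from the posts, Cisco, or the ASA. build_client_hello()
produces a constructed, minimal TLS 1.2 ClientHello for exercising the parser;
the hostnames used are the ones from the threads above.
"""
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed ClientHello record; server_name=None omits the extensions block entirely."""
    body = b"\x03\x03"                              # client_version: TLS 1.2
    body += b"\x11" * 32                            # random (fixed bytes; fine for a parser test)
    body += b"\x00"                                 # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
    body += b"\x01\x00"                             # compression methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                            # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                            # compression_methods
    if pos + 2 > len(body):
        return None                                 # no extensions block at all: no SNI to read
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME or len(edata) < 2:
            continue
        lpos = 2                                    # skip ServerNameList length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            if ntype == 0x00:                       # host_name entry
                return edata[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
            lpos += 3 + nlen
    return None


def http_host(request: bytes) -> Optional[str]:
    """Return the Host header (without port) of a plaintext HTTP/1.x request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:              # expect "METHOD target HTTP/1.x"
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            if host.startswith("["):                # IPv6 literal keeps its brackets
                return host.split("]", 1)[0] + "]"
            return host.rsplit(":", 1)[0]
    return None


def hostname_for_policy(first_bytes: bytes) -> Optional[Tuple[str, str]]:
    """Hostname an inspector can key a policy on, from the first client bytes of a flow."""
    if first_bytes[:1] == bytes([TLS_HANDSHAKE]):
        name = tls_sni(first_bytes)
        return ("tls-sni", name) if name else None  # None: fall back to destination IP
    name = http_host(first_bytes)
    return ("http-host", name) if name else None


if __name__ == "__main__":
    print(hostname_for_policy(build_client_hello("post.packetconsulting.com")))
    print(hostname_for_policy(build_client_hello(None)))
    print(hostname_for_policy(b"GET /owa HTTP/1.1\r\nHost: post.packetconsulting.com\r\n\r\n"))
```

Feed `hostname_for_policy` the first client-to-server segment of a captured flow and you get back the same name the ASA regex or the WSA category lookup would have to work from; for the no-SNI case the function deliberately returns None rather than guessing, since the only remaining handle is the destination address.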

  • Redirect all traffic to http

    Hello,
    I'm running Server 3.1.2 on OSX10.9, I was wondering if there was a way to send all traffic to http versions of webpages and not allow https? 
    I'm working at a school and our current content filter only works with http and doesn't filter https. 
    Sorry if I'm not clear, I'm new at this whole sysadmin thing.

    Hi,
    You can do that with .htaccess  or php
    Here is a link: https://sites.google.com/site/onlyvalidation/page/301-redirect-https-to-http-on-apache-server
    A+

  • Encapsulate ODBC traffic over HTTP???

    Does anyone know if it's possible to have an external client (on the internet) make an ODBC connection to a database that is behind a firewall which only allows HTTP traffic to pass through? I guess the question is, is it possible to encapsulate ODBC traffic over the HTTP protocol so that it can pass through the firewall?
    Thanks in advance,
    John Sebastian

    Probably not easily, no.
    If the firewall allows arbitrary traffic on port 80, you could configure the Oracle database to accept connections on that port and configure the tnsnames.ora on the client machine to use port 80. This wouldn't go through HTTP, so if the firewall is actually analyzing the traffic, you'd be out of luck, but it would work if the port is wide open. Of course, it is a terrible idea from a security perspective-- opening up databases to connections over the internet is a recipe for pain and suffering.
    It is certainly possible to write an ODBC to HTTP proxy that converts an ODBC call into some sort of web service call and then write an HTTP to ODBC proxy that lives inside the firewall that translates the HTTP calls back into ODBC calls, but that is likely to be very slow. And a lot of code-- I'm not aware of any commercial utilities that do that sort of thing.
    Generally, the proper way to do something like this is to use Oracle Connection Manager (or something similar that is baked in to certain firewall products) to proxy the Oracle connection through the firewall. But that requires changing the firewall setup and/or installing additional software.
    Justin

  • Force http traffic to specific interface

    Just set up a 2801 router. We have a Serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work, or is there an easier way to force web traffic to a specific interface?
    Thanks in advance.

    I setup the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
    Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
    FE 0/0 goes to our fw, then to lan
    FE 0/1 goes to DSL
    S 0/2/0 goes to T1
    Here is my config:
    router#show run
    Building configuration...
    Current configuration : 4506 bytes
    ! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
    ! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    boot-start-marker
    boot system flash c2801-ipbasek9-mz.124-8.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
    no aaa new-model
    resource policy
    clock timezone MDT -7
    clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ip source-route
    ip cef
    ip tcp synwait-time 10
    no ip bootp server
    ip name-server 198.60.22.2
    ip name-server 198.60.22.22
    username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
    interface FastEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
     ip address 199.104.124.210 255.255.255.240
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     duplex auto
     speed auto
     no mop enabled
    interface FastEthernet0/1
     description $FW_OUTSIDE$$ETH-LAN$
     ip address 192.168.2.2 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     ip policy route-map toDSL
     duplex auto
     speed auto
     no mop enabled
    interface FastEthernet0/1/0
    interface FastEthernet0/1/1
    interface FastEthernet0/1/2
    interface FastEthernet0/1/3
    interface Serial0/2/0
     ip address 204.228.133.46 255.255.255.252
    interface Vlan1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip flow egress
     ip route-cache flow
    ip route 0.0.0.0 0.0.0.0 204.228.133.45
    ip route 192.168.2.0 255.255.255.0 192.168.2.1
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    logging trap debugging
    access-list 111 permit tcp any any eq www
    no cdp run
    route-map toDSL permit 1
     match ip address 111
     set ip next-hop 192.168.2.1
    control-plane
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
     login local
     transport output telnet
    line aux 0
     login local
     transport output telnet
    line vty 0 4
     exec-timeout 30 0
     privilege level 15
     login local
     transport input ssh
     transport output ssh
    line vty 5 15
     access-class 102 in
     privilege level 15
     login local
     transport input ssh
    scheduler allocate 20000 1000
    ntp clock-period 17178101
    ntp update-calendar
    ntp server 198.60.22.240 source Serial0/2/0
    end
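Two things in the posted config explain the 0% on the DSL interface. On IOS, `ip policy route-map` evaluates packets as they arrive on the interface it is configured on, and here it sits on FastEthernet0/1, the DSL side, while the LAN's web traffic enters the router on FastEthernet0/0 from the firewall, so it never meets the route-map and follows the default route out Serial0/2/0. Also, access-list 111 matches only `eq www`, although the post wants HTTP, HTTPS and FTP on the DSL link. The following is an added example, not the poster's config and not a TAC-verified fix; the interface names, ACL number, route-map name and next hop are taken from the post, and whether the DSL device at 192.168.2.1 will NAT the LAN's public 199.104.124.x addresses is outside what the post shows and is assumed here.

```cisco
! Added example built from the post's own names (FastEthernet0/0, ACL 111,
! route-map toDSL, next hop 192.168.2.1); not the poster's config.
! Assumption: the DSL device at 192.168.2.1 NATs the LAN's public addresses.
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq ftp-data
!
route-map toDSL permit 1
 match ip address 111
 set ip next-hop 192.168.2.1
!
! PBR is evaluated on the ingress interface: move it from the DSL side
! (FastEthernet0/1) to the LAN/firewall side (FastEthernet0/0).
interface FastEthernet0/1
 no ip policy route-map toDSL
!
interface FastEthernet0/0
 ip policy route-map toDSL
```

After applying it, `show route-map toDSL` reports a "Policy routing matches" counter; if it stays at zero while browsing, the traffic is still not entering on the interface carrying the policy.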

  • SG300 Redirect HTTP Traffic to Proxy

    Dear Cisco Community,
    We have the following setup
    1 x SG300 Switch in Layer 3 Mode
    VLAN 100 (Management VLAN)
    VLAN 200 (Data VLAN for Internet Users)
    The SG300 has an IP4 Interface in each VLAN:
    100: 10.1.1.254 / 24
    200: 10.1.2.254 / 24
    The internet gateway (Zyxel USG-100) is located in VLAN 100.
    In order to restrict the web browsing activities, we're in the process of implementing a Proxy server (GFI Webmonitor). Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server? I was thinking of a static route, but then this would apply to all traffic. Another option would be to block port 80/443 traffic using an ACL I suppose.
    Any input will be highly appreciated, thank you!
    Kind regards,
    Romeo

    Hi Mohamad,
    I've seen this done in slightly different ways.  One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
    CSM-S Configuration Examples
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
    Another way is like this:
    serverfarm REDIRECT
      nat server
      no nat client
       redirect-vserver REDIRECT
        webhost relocation https://www.example.com/
        inservice
    serverfarm SSL_DC
      no nat server
      no nat client
      real 192.168.78.36 local
       inservice
    vserver VSERVER_80
      virtual 192.168.78.35 tcp 80
      serverfarm REDIRECT
      persistent rebalance
      inservice
    vserver VSERVER_443
      virtual 192.168.78.35 tcp 443
      serverfarm SSL_DC
      persistent rebalance
      inservice
    Hope this helps get you started.
    Sean
