WSA blocking HTTPS traffic - allowing HTTP
We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers. The local network design is as follows:
WLC5508 (Foreign) >> WLC5508 (Anchor) >> ACE20 Context >> WSA 170 >> FWSM >> Internet
Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
Clients associate to the SSID, receive an IP address via the local DHCP scope on the anchor WLC and forward all traffic to the default gateway (DFGW), which is the ACE20 interface.
ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
HTTP traffic works fine, HTTPS traffic fails. The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiate TLSv1, then the error below is shown.
Fails
57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
I have seen this error posted before but no resolution. I'm sure this is a config problem, but I cannot figure out why or where!
Any ideas, thoughts or help would be great...
Cheers
Hi axa,
This is an access policy blocking the SSL traffic, based on the TCP_DENIED_SSL / 403. I would also suspect that you do not have the HTTPS proxy enabled, which would be required since you're not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
Message was edited by: Erik Kaiser
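As an added example (not part of the thread and not Cisco code), the three access-log lines from the post above can be parsed to make Erik's reading concrete: the two NONE_SSL/200 TCP_CONNECT entries are the tunnels being accepted, and the TCP_DENIED_SSL/403 entry on the same client port (54931) is the decrypted GET being blocked, with the ACL decision tag carrying the verdict (BLOCK_ADMIN) followed by the names of the policy objects that matched. Reading the tag's second and third elements as the access policy group ("HTTPS") and the identity ("NonLocalDestination") follows the documented tag layout and is marked as an assumption in the code; the log lines themselves are copied from the post, not constructed.

```python
import re
from collections import defaultdict

# Access-log lines copied verbatim from the post above (not constructed); the
# first one keeps the truncated timestamp exactly as it appeared there.
SAMPLE_LOG = [
    '57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -',
    '1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -',
    '1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -',
]

# Layout seen in the sample: 11 whitespace-separated fields, then the
# <scan verdicts> field in angle brackets, then "key= value" pairs whose
# values may be double-quoted (cs-user-agent).
LINE_RE = re.compile(r'^(?P<head>\S+(?:\s+\S+){10})\s+<(?P<verdicts>[^>]*)>\s+(?P<tail>.*)$')
KV_RE = re.compile(r'([\w-]+)= ("[^"]*"|\S+)')

def parse_access_log_line(line):
    """Parse one WSA access-log line into a dict; raises ValueError on a bad line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a WSA access-log line: %r" % line[:60])
    f = m.group("head").split()
    result_code, _, http_status = f[3].partition("/")
    tag = f[10].split("-")
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("tail"))}
    return {
        "timestamp": f[0],
        "elapsed_ms": int(f[1]),
        "client_ip": f[2],
        "result_code": result_code,          # e.g. TCP_CONNECT result NONE_SSL, or TCP_DENIED_SSL
        "http_status": int(http_status),
        "bytes": int(f[4]),
        "method": f[5],                      # TCP_CONNECT for the tunnel, GET inside it
        "url": f[6],
        "user": f[7],
        "hierarchy": f[8],
        "acl_decision": tag[0],              # policy verdict: OTHER, BLOCK_ADMIN, ...
        # Assumption (documented tag order): the next elements name the access
        # policy group and the identity that matched the transaction.
        "policy_group": tag[1] if len(tag) > 1 else None,
        "identity": tag[2] if len(tag) > 2 else None,
        "client_port": int(kv["c-port"]) if kv.get("c-port", "-") != "-" else None,
        "user_agent": kv.get("cs-user-agent", "-"),
    }

def explain_https_blocks(lines):
    """Correlate CONNECT tunnels with later denied requests on the same client port."""
    by_port = defaultdict(list)
    for rec in map(parse_access_log_line, lines):
        by_port[rec["client_port"]].append(rec)
    findings = []
    for port, recs in by_port.items():
        tunnel = next((r for r in recs if r["method"] == "TCP_CONNECT"), None)
        denied = next((r for r in recs if r["result_code"].startswith("TCP_DENIED")), None)
        if tunnel and denied:
            findings.append({
                "client_port": port,
                "tunnel_to": tunnel["url"],
                "url": denied["url"],
                "http_status": denied["http_status"],
                "decision": denied["acl_decision"],
                "policy_group": denied["policy_group"],
                "identity": denied["identity"],
            })
    return findings

if __name__ == "__main__":
    for finding in explain_https_blocks(SAMPLE_LOG):
        print(finding)
```

Run against the three lines, the CONNECT on port 54931 to 10.153.9.6:443 is followed by the GET for https://post.packetconsulting.com:443/owa being denied with BLOCK_ADMIN by the "HTTPS" policy group via the "NonLocalDestination" identity, which is where to look in the access policies and identities rather than in the HTTPS proxy certificate settings.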
Similar Messages
-
Is it possible to redirect https traffic to http in CSM?
Hello,
I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
BTW I have already tried it on the CSM and it is not working. Everytime I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
Thanks for any help offered.
Murtaza
I don't have a config at hand for this.
I have done it before and know this is feasible.
The redirect is here :
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
Just change the vip to be only accessible by the SSLM.
Create the appropriate redirect vserver.
On the SSLM, send the decrypted traffic to the vip address and port.
Just as if the Vip was a server.
Gilles. -
Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI
-- Requirement --
I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
The web server instance has two listen sockets, 80 and 443.
The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
-- Current set-up --
The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
How can I constrain the reverse proxying to HTTPS traffic?
Thanks for your help,
Jez
Thanks Chris, that worked perfectly.
Aside
Before your solution I had (unsuccessfully) tried the following obj.conf directive:
<Client security="false">
NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
</Client>
However, it didn't work - is it not possible to use <Client security="false"> in this manner? -
CSG C5(14) alters HTTP traffic if http accounting is enabled
Hi guys,
I'm facing an issue with some mobile handsets that connect to the internet to gather information from the vendor website (http tcp 80).
I have CSG 5.5(14) configured in this way:
ip csg policy HTTP
accounting type http customer-string INTERNET
ip csg content WWW
ip any tcp 80
replicate
vlan CLIENTVLAN
policy HTTP
inservice
Mobile handsets receive an error while trying to connect.
A trace (attached) shows an HTTP 502 (Bad Gateway).
If I create a more specific content without policy (and consequently without http accounting) like the following, everything works:
ip csg content MYCONTENT
ip 84.0.0.0 255.0.0.0 tcp 80
replicate
vlan CLIENTVLAN
inservice
My problem is that the DNS resolves that hostname each time with different IP address in different subnets, so I don't have a safe way to map the webserver to this new content.
My questions:
Is there any method to safely map that destination without involving an huge amount of IP address that should match WWW content instead?
Anyone knows what is the behavior of http accounting in CSG?
Thanks in advance.
Regards,
Riccardo
Each HTTP method must be initiated by the same endpoint that initiated the TCP connection. The CSG supports IP fragmentation for HTTP; Internet Message Access Protocol, version 4 (IMAP4); Post Office Protocol version 3 (POP3); Simple Mail Transfer Protocol (SMTP); Wireless Application Protocol (WAP) 2.0; and WAP 1.x, regardless of the order in which the flows arrive.
Refer to http://cisco.com/en/US/products/sw/wirelssw/ps779/products_configuration_guide_chapter09186a00806ab79a.html
-
Redirect HTTPS traffic to HTTP in Tomcat
Hi,
We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
We have successfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS over the internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
The problem is that the same connection does not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests on port 8080.
I have seen that Tomcat allows automatic redirection from HTTP to HTTPS (using the redirectPort parameter in the HTTP connector definition).
But is it possible the opposite, to switch automatically HTTPS to HTTP ?
Regards,
Joan
Hi,
At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
So no redirections are needed and the question is solved.
Thanks,
Joan -
Cisco ASA relay HTTP port to HTTPS without using CNAME DNS record
Hi all,
could anyone tell me, is it possible to configure the ASA so that when a customer requests http://domain.com the Cisco ASA relays it to https://domain.com (similar to the CNAME function of a DNS record)?
P.S. the domain.com resource is located behind the ASA and its DNS A record points at the public ASA IP address.
Thank you.
What version of ASA are you running?
If the server has both static public and private IPs you could use NAT to redirect HTTP traffic to HTTPS based on IP.
object network PUBLIC_IP
host 1.1.1.1
object network REAL_IP
host 2.2.2.2
nat (inside,outside) static PUBLIC_IP service tcp https http
Keep in mind that you will also need a NAT statement that maintains https to the server.
Please remember to select a correct answer and rate helpful posts -
WSA access logging for HTTPS traffic
Hi,
We have a WSA s370 with AsyncOS version 7.5.1-079 and it is configured as a transparent proxy.
HTTPS proxy is enabled and all the URL categories are set to pass through (no decrypting or monitoring).
Seems like the WSA does not generate logs for HTTPS transactions.
I would like to know whether this is the expected behaviour.
Is there any way that I can monitor HTTPS transactions without decrypting ?
Thanks,
Wipula.
In addition to what Ken mentioned, the only way you can monitor HTTPS traffic without decrypting it is by IP address.
In the access logs, you will see the following transaction when accessing an HTTPS site (google for example):
TCP_CONNECT 74.125.101.50
It will only report URLs once decrypted. At that point, it is just HTTP.
-Vance -
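Vance's point is that without decryption the access log can only record the destination IP of the tunnel. One more thing is visible on the wire before any decryption happens: the server_name (SNI) extension of the TLS ClientHello, which the client sends in clear in every TLS version in use here (Encrypted Client Hello aside). The following is an added example, not code from the thread or from AsyncOS, and it makes no claim about what any WSA release logs; it builds a constructed ClientHello for a chosen name and extracts the SNI from the raw bytes with bounds checking, returning None for non-TLS data, a hello without SNI, or a truncated record.

```python
import os
import struct

def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated")
    return buf[pos:pos + n], pos + n

def parse_sni(data):
    """Return the SNI host_name from a TLS ClientHello record, or None.

    Takes the first bytes a client sends on a 443 connection. None means:
    not a TLS handshake record, not a ClientHello, no server_name extension,
    or the record is truncated (a real inspector would buffer more data).
    """
    try:
        hdr, pos = _take(data, 0, 5)
        if hdr[0] != 0x16:                                 # content type: handshake
            return None
        rec_len = struct.unpack("!H", hdr[3:5])[0]
        rec, _ = _take(data, pos, rec_len)
        hs_hdr, pos = _take(rec, 0, 4)
        if hs_hdr[0] != 0x01:                              # handshake type: client_hello
            return None
        hs_len = int.from_bytes(hs_hdr[1:4], "big")
        body, _ = _take(rec, pos, hs_len)
        pos = 2 + 32                                        # client_version + random
        sid_len, pos = _take(body, pos, 1)
        _, pos = _take(body, pos, sid_len[0])               # session_id
        cs_len, pos = _take(body, pos, 2)
        _, pos = _take(body, pos, struct.unpack("!H", cs_len)[0])  # cipher_suites
        cm_len, pos = _take(body, pos, 1)
        _, pos = _take(body, pos, cm_len[0])                # compression_methods
        if pos == len(body):
            return None                                     # no extensions at all
        ext_len, pos = _take(body, pos, 2)
        exts, _ = _take(body, pos, struct.unpack("!H", ext_len)[0])
        pos = 0
        while pos < len(exts):
            eh, pos = _take(exts, pos, 4)
            etype, elen = struct.unpack("!HH", eh)
            edata, pos = _take(exts, pos, elen)
            if etype != 0x0000:                             # 0 = server_name
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            names, q = edata[2:2 + list_len], 0
            while q < len(names):
                ntype, q = names[q], q + 1
                nlen = struct.unpack("!H", names[q:q + 2])[0]
                q += 2
                name = names[q:q + nlen]
                q += nlen
                if ntype == 0 and len(name) == nlen:        # name_type host_name
                    return name.decode("ascii")
        return None
    except (ValueError, struct.error, UnicodeDecodeError):
        return None

def build_client_hello(server_name, include_sni=True):
    """Constructed minimal TLS 1.2 ClientHello, for demonstration only."""
    exts = b""
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)             # supported_groups: x25519, secp256r1
    exts += struct.pack("!HH", 0x000A, len(groups)) + groups     # placed first so the parser must skip it
    if include_sni:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    suites = struct.pack("!HH", 0xC02F, 0xC030)
    body = (struct.pack("!H", 0x0303) + os.urandom(32) + b"\x00"  # version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(parse_sni(build_client_hello("post.packetconsulting.com")))
    print(parse_sni(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"))
```

The SNI is asserted by the client and is not tied to the server until the certificate is checked, so a client can put any name there; a policy keyed on SNI alone catches well-behaved browsers, not a deliberate bypass, and that is the trade-off against a decrypting HTTPS proxy.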
Transparent wsa and https traffic
folks
I'm deploying an S300V in transparent mode using WCCP.
I have a single policy allowing HTTP and HTTPS.
HTTP works fine but HTTPS doesn't.
I can see both sets of requests go out through my outer firewalls, but the HTTPS handshake doesn't get past the client hello.
The VM is being used on a guest Wi-Fi network, so clients won't be authenticated, won't have a common root certificate and I don't want to decrypt traffic.
TAC are telling me I need to enable the HTTPS proxy, but I can't as clients won't have the root certificate required.
Do I need to use the HTTPS proxy?
Thanks to anyone taking the time to reply
Ken,
If I don't want to decrypt HTTPS but still want the traffic to be inspected for URL and web reputation, do I need to upload a root certificate still? I would have assumed not, as I do not want to decrypt HTTPS, but the GUI doesn't allow me to enable HTTPS Proxy without uploading a certificate; basically I cannot "Enable HTTPS Proxy" and submit without a cert.
Basically what I just want to do is just pass through the HTTPS traffic to be check against the Access policies that the HTTP is being checked against.
Is this viable? If so can you let me know how I can achieve the above?
Thanks -
Redirect / Block non https traffic
I have a quick question. Today I set up Teaming 2.0 on SLES 10.
After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that Teaming sends out links to http://server; since I killed HTTP traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443" to see if it would just redirect the port 80 traffic to 8443 on the server, but that did not work. Is there a place I can simply change the email to link to https://server?
Any other thoughts?
Cool product by the way!
Thanks,
Dennis
Dennis,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
Hi, I'm a student studying MPF at the moment, and I was just wondering about the parameters (request args regex, request body length etc.) that HTTP inspection provides. I looked them up and went through some resources and information on the Cisco website, but it was difficult to understand all of these parameters.
How does the ASA match them up with HTTP traffic? Are these parameters located in the HTML (body, Java, ActiveX)? Where are they located?
Thanks in advance!
Hello Terry,
The first thing to understand when we are talking about inspection at layers 5 to 7 (in this case HTTP) is that, in order for it to work, the client has to be on one ASA interface and the server on another; this allows the ASA to investigate the HTTP session.
Now you are asking how the ASA is going to match that traffic. With the policy-map type inspect we decide what to match (the HTTP request, response, etc.), and we can use different things to do it. Just as an example, we can create a regular expression that matches www.cisco.com (\.cisco\.com), then let the ASA know that it matches the header of the HTTP packet using that particular rule, and then we will be able to block cisco.com.
You can also match the URI, etc., and then apply the right HTTP inspection parameter.
Please rate helpful posts.
Regards,
Julio -
MPF ASA for Web Filtering. Https traffic
SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
Hi all,
I have the following configuration in my ASA, based on guidelines from the above source, to allow only certain sites in my home and block all requests to HTTP and HTTPS sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
access-list WEBFILTER extended permit tcp any any eq www
access-list WEBFILTER extended permit tcp any any eq https
regex allowex1 "website1\.com"
regex allowex2 "website2\.com"
class-map type inspect http match-all allow-url-class
match not request header host regex allowex1
match not request header host regex allowex2
class-map allow-user-class
match access-list WEBFILTER
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
drop-connection
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy
service-policy allow-user-url-policy interface inside
HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
Thanks in advance for your help
Juan
Is it even possible for MPF on the ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
(config)# class-map type inspect ?
configure mode commands/options:
dns Configure a class-map of type DNS
ftp Configure a class-map of type FTP
h323 Configure a class-map of type H323
http Configure a class-map of type HTTP
im Configure a class-map of type IM
sip Configure a class-map of type SIP -
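Juan's follow-up is the right question: inspect http operates on plaintext HTTP, so on a 443 connection the class has no Host header to evaluate and the connection falls through to the ACL permit. The added example below (mine, not ASA code) emulates how the posted class-map evaluates a Host header, using Python's re to stand in for the ASA regex engine (the two patterns are literals with an escaped dot, which both engines treat the same), and shows two things a tester would check: TLS requests pass untouched, and because the match is an unanchored search, Host values such as website1.com.attacker.example or notwebsite1.com also satisfy the "allow" regex. An exact-hostname comparison is included for contrast; the probe host names and the attacker.example domain are constructed.

```python
import re

# The two regexes from the posted config. ASA evaluates 'match request header
# host regex' as an unanchored search over the Host header value; Python's
# re.search behaves the same for these literal-with-escaped-dot patterns.
ALLOW_REGEXES = [r"website1\.com", r"website2\.com"]

def class_allow_url_matches(host_header, regexes=ALLOW_REGEXES):
    """Emulate 'class-map type inspect http match-all allow-url-class' with one
    'match not request header host regex' line per pattern: match-all ANDs the
    lines, and each 'match not' is true when its regex does NOT match, so the
    class fires only when the Host matches none of the allow regexes."""
    return all(re.search(rx, host_header) is None for rx in regexes)

def decide(request):
    """Return ('drop'|'pass', reason) the way the posted policy-map behaves.
    request is a constructed dict: {'tls': True} for a 443 connection,
    {'host': '...'} for plaintext HTTP (not a real packet)."""
    if request.get("tls"):
        # inspect http never sees a Host header inside TLS, so the
        # drop-connection action cannot trigger and the ACL permit wins.
        return "pass", "TLS: no HTTP header visible to inspect http"
    if class_allow_url_matches(request["host"]):
        return "drop", "Host matches no allow regex"
    return "pass", "Host matches an allow regex"

def exact_host_allowed(host_header, allowed=("website1.com", "website2.com")):
    """Hardened check for contrast: compare the hostname itself (port stripped,
    case-folded, trailing dot removed) against the list and its www. form.
    IPv6 literal hosts such as [::1]:80 are not handled in this demonstration."""
    host = host_header.rsplit(":", 1)[0].lower().rstrip(".")
    return any(host == name or host == "www." + name for name in allowed)

# Constructed Host values a tester would try against the allow list.
PROBES = [
    {"host": "www.website1.com"},               # intended allow
    {"host": "www.google.com"},                 # intended block
    {"host": "website1xcom"},                   # escaped dot holds: blocked
    {"host": "notwebsite1.com"},                # bypass: substring match
    {"host": "website1.com.attacker.example"},  # bypass: substring match
    {"tls": True},                              # HTTPS: never inspected
]

if __name__ == "__main__":
    for p in PROBES:
        verdict, why = decide(p)
        hardened = "n/a" if p.get("tls") else exact_host_allowed(p["host"])
        print(f"{str(p):45} regex-policy={verdict:4} ({why}); exact-allow={hardened}")
```

The bypass rows are the ones to act on: anchoring or exact comparison on the Host value closes the substring hole for plaintext HTTP, while the TLS row is not fixable inside inspect http at all and needs either a decrypting proxy or a control keyed on something visible before decryption.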
Hello,
I'm running Server 3.1.2 on OS X 10.9. I was wondering if there was a way to send all traffic to HTTP versions of web pages and not allow HTTPS?
I'm working at a school and our current content filter only works with HTTP and doesn't filter HTTPS.
Sorry if I'm not clear, I'm new at this whole sysadmin thing.
Hi,
You can do that with .htaccess or php
Here a link https://sites.google.com/site/onlyvalidation/page/301-redirect-https-to-http-on- apache-server
A+ -
Encapsulate ODBC traffic over HTTP???
Does anyone know if it's possible to have an external client (on the internet) make an ODBC connection to a database that is behind a firewall which only allows HTTP traffic to pass through? I guess the question is, is it possible to encapsulate ODBC traffic over the HTTP protocol so that it can pass through the firewall?
Thanks in advance,
John Sebastian
Probably not easily, no.
If the firewall allows arbitrary traffic on port 80, you could configure the Oracle database to accept connections on that port and configure the tnsnames.ora on the client machine to use port 80. This wouldn't go through HTTP, so if the firewall is actually analyzing the traffic, you'd be out of luck, but it would work if the port is wide open. Of course, it is a terrible idea from a security perspective-- opening up databases to connections over the internet is a recipe for pain and suffering.
It is certainly possible to write an ODBC to HTTP proxy that converts an ODBC call into some sort of web service call and then write an HTTP to ODBC proxy that lives inside the firewall that translates the HTTP calls back into ODBC calls, but that is likely to be very slow. And a lot of code-- I'm not aware of any commercial utilities that do that sort of thing.
Generally, the proper way to do something like this is to use Oracle Connection Manager (or something similar that is baked in to certain firewall products) to proxy the Oracle connection through the firewall. But that requires changing the firewall setup and/or installing additional software.
Justin -
Force http traffic to specific interface
Just set up a 2801 router. We have a serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work, or is there an easier way to force web traffic to a specific interface?
Thanks in advance.
I set up the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
FE 0/0 goes to our fw, then to lan
FE 0/1 goes to DSL
S 0/2/0 goes to T1
Here is my config:
router#show run
Building configuration...
Current configuration : 4506 bytes
! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
boot-start-marker
boot system flash c2801-ipbasek9-mz.124-8.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
no aaa new-model
resource policy
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
ip tcp synwait-time 10
no ip bootp server
ip name-server 198.60.22.2
ip name-server 198.60.22.22
username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 199.104.124.210 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
! PBR acts on packets as they arrive on an interface, so the policy belongs on
! the firewall/LAN-facing interface where the web traffic enters the router,
! not on the DSL interface it should leave through.
ip policy route-map toDSL
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-LAN$
ip address 192.168.2.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1/0
interface FastEthernet0/1/1
interface FastEthernet0/1/2
interface FastEthernet0/1/3
interface Serial0/2/0
ip address 204.228.133.46 255.255.255.252
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip route-cache flow
ip route 0.0.0.0 0.0.0.0 204.228.133.45
ip route 192.168.2.0 255.255.255.0 192.168.2.1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
access-list 111 remark web traffic steered to the DSL link; FTP data connections use other ports and are not matched here
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq ftp
no cdp run
route-map toDSL permit 1
match ip address 111
set ip next-hop 192.168.2.1
control-plane
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
exec-timeout 30 0
privilege level 15
login local
transport input ssh
transport output ssh
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input ssh
scheduler allocate 20000 1000
ntp clock-period 17178101
ntp update-calendar
ntp server 198.60.22.240 source Serial0/2/0
end -
SG300 Redirect HTTP Traffic to Proxy
Dear Cisco Community,
We have the following setup
1 x SG300 Switch in Layer 3 Mode
VLAN 100 (Management VLAN)
VLAN 200 (Data VLAN for Internet Users)
The SG300 has an IP4 Interface in each VLAN:
100: 10.1.1.254 / 24
200: 10.1.2.254 / 24
The internet gateway (Zyxel USG-100) is located in VLAN 100.
In order to restrict web browsing activities, we're in the process of implementing a proxy server (GFI WebMonitor). Is it possible to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN 200 IP interface to the proxy server? I was thinking of a static route, but then this would apply to all traffic. Another option would be to block port 80/443 traffic using an ACL, I suppose.
Any input will be highly appreciated, thank you!
Kind regards,
Romeo
Hi Mohamad,
I've seen this done in slightly different ways. One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
CSM-S Configuration Examples
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
Another way is like this:
serverfarm REDIRECT
nat server
no nat client
redirect-vserver REDIRECT
webhost relocation https://www.example.com/
inservice
serverfarm SSL_DC
no nat server
no nat client
real 192.168.78.36 local
inservice
vserver VSERVER_80
virtual 192.168.78.35 tcp 80
serverfarm REDIRECT
persistent rebalance
inservice
vserver VSERVER_443
virtual 192.168.78.35 tcp 443
serverfarm SSL_DC
persistent rebalance
inservice
Hope this helps get you started.
Sean