topic CSCul84561 - Ability to bypass Tower for HTTPS sites for Transparent Traffic in Cloud Security

CSCul84561 - Ability to bypass Tower for HTTPS sites for Transparent Traffic

mkirbyii — Sat, 09 Mar 2019 01:36:45 GMT

We use the WSAv in connector mode and transparent (wccp) to get traffic to the towers for hundreds of customers. We have to have two processes to exclude traffic from towers:

1. HTTP - use the Wsa web UI policy (preferred)

2. HTTPS - cli ASA firewall and exclude from wccp policy

Extremely inefficient, high impact and annoying. Would be great if this could be done from the WSA UI.

Cisco-is this planned to be addressed soon? This is a major CON of the WSA connector. And yes I know it works in explicit mode, but I do not want to configure browsers with proxy settings.

One last thing, the bug says 8 open cases and a sev 6, however we have hundreds of customers affected. So you should change this to reflect 100+ open cases, and escalate the severity.

thx

MKirbyII,

Todd Everett — Thu, 04 Feb 2016 16:42:10 GMT

MKirbyII,

Workaround option:

Rather than hard-coding the explicit proxy settings, you can use either a hosted PAC file or a combination of PAC and WPAD files with your internal DNS and DHCP settings to do "dynamic explicit" redirection. We have whitepapers on PAC file creation and deployment.

2nd Workaround option:

Have you tried (I am in process of getting the change order in to test this) creating a CWS bypass list for the entries instead of controlling it at the WSAs? The bypass settings in theory will prevent decryption, reputation, anti-virus, etc. inspection, so it should be a viable option, correct?

I shall try to update everyone after testing.

CWS Team,

Any word on the fix release for this? Should the 9.0.1 code, with its fixes and optimizations for https in general, resolve this?

Thank you