topic Re: Listening on different ports in Cisco WSA in Web Security

Listening on different ports in Cisco WSA

galin.gospodinov — Fri, 15 Mar 2024 09:37:55 GMT

Hello community,

We have a little drama with Anydesk. We are using WSA in transparent mode and redirecting all traffic on all port to WSA from PA. The problem is the Anydesk is unable to connect on port 6568. I think, the proxy is listening on port 80 and 443. What about other ports, that application is using ? Can I configure them somewhere in WSA ?

Thank you!

Re: Listening on different ports in Cisco WSA

balaji.bandi — Fri, 15 Mar 2024 09:44:34 GMT

If the Proxy running Transparent and proxy only looking http and https traffic inspection,

have tested any desk with proxy ? is that works in the network where you having issue ?

Also look the WSA Logs see anything blocking ? also if you have any URL Filter that preventing access ?

try to create a bypass rule adding the anydesk related to URL see if that improve connections ?

Re: Listening on different ports in Cisco WSA

galin.gospodinov — Fri, 15 Mar 2024 09:49:13 GMT

The first problem is that Any desk is unable to connect on port 6568. The PA is redirecting traffic on all ports, but will WSA listening on different ports than 80 and 443?

Re: Listening on different ports in Cisco WSA

galin.gospodinov — Fri, 15 Mar 2024 09:59:59 GMT

Also, I see this in logs:

"10495114.949 152 x.x.x.x TCP_MISS/504 0 TCP_CONNECT 37.59.29.33:6568 - NONE/37.59.29.33 - OTHER-NONE-NONE-NONE-NONE-NONE-NONE-NONE <"-",-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"-",-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - -
"

Re: Listening on different ports in Cisco WSA

amojarra — Fri, 15 Mar 2024 13:07:19 GMT

Hi @galin.gospodinov

By Default when you are using transparent proxy, WSA is expecting HTTP & HTTPS traffic be on ports 80 and 443,

and if by any chance you have some other HTTP/HTTPS traffic which are not using standard ports ( IE, 8080 ) you need to let WSA know to expect HTTP traffic from those ports.

So, if your WCCP router is forwarding that traffic to WSA, from WSA's configuration you need:

[1] from Network > Transparent Redirection > WCCP Service > add the port number there

[2] From Security Services > HTTPS Proxy you need to define that from port 6568 you are expecting HTTPS traffic

Please be advised above suggestion, is due to this Assumption that AnyDesk traffic is HTTPS.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Re: Listening on different ports in Cisco WSA

galin.gospodinov — Fri, 15 Mar 2024 13:46:27 GMT

Ok, but if we have different applications (different from WSA supported list). Should I define all ports ?

Re: Listening on different ports in Cisco WSA

Ken Stieers — Fri, 15 Mar 2024 14:14:27 GMT

WSA can only handle 8 ports.
It can only deal with HTTP as an application running on those ports.... so if an app uses port 443 but is talking SMTP, SMB, SNMP, or any other application that isn't HTTP it will break the application.

Re: Listening on different ports in Cisco WSA

galin.gospodinov — Fri, 15 Mar 2024 14:26:27 GMT

I understood, but I`m talking about HTTP and HTTPS ports different than 80 and 443. Lets say Anydesk-using HTTP and HTTPS ports-80,443, 6568. This port 6568 should be define in Web proxy settings. Should I define every port ?

Re: Listening on different ports in Cisco WSA

Ken Stieers — Fri, 15 Mar 2024 14:45:27 GMT

So, keeping in mind the limitation of 8 ports, and that this is security product pointed at the "unknown surfing traffic" more than anything, look at what ports are risky vs. not...
So apps that reach out and get their licenses but no code or updates, don't put them through the WSA.
Browsing on ports that aren't 80 or 443 (you'll sometimes see 8080, 8443, etc.) , put those through the WSA.

Anydesk might be a candidate to put through the WSA... but I suspect that the protocol ISN'T HTTP... so the WSA will break it.

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

Re: Listening on different ports in Cisco WSA

galin.gospodinov — Wed, 20 Mar 2024 15:11:22 GMT

Thank you for the reply. If we change the design and switch to explicit proxy. How can we have control over applications like - zoom, anydesk and etc ? I try to block them based on Custom URLs, but it`s not working.

Re: Listening on different ports in Cisco WSA

amojarra — Wed, 20 Mar 2024 19:15:46 GMT

Hi @galin.gospodinov

If you are trying to proxy web traffic (HTTP/HTTPS) on none standard ports ( 80,443)
[1] Configure HTTP Connect Ports : GUI > Web Security Manger > Access Policy > Protocols and User Agents

[2] From Security Services > HTTPS Proxy you need to define that from port 6568 you are expecting HTTPS traffic

Regarding Zoom, Kindly check Zoom's user guide :

Zoom network firewall or proxy server settings - Zoom Support

We support https/SSL proxy server via port 443 for Zoom traffic.

Note: This does not apply to the Zoom Phone service.

Zoom automatically detects your proxy settings. In some instances, you may be prompted to enter the proxy username/password.

Note: We recommend allowing zoom.us and *.zoom.us from proxy or SSL inspection.

And for AnyDesk (which I doubt), or other applications , if they are using web traffic (HTTP/HTTPS) meaning that there will be HTTP Get, HTTP response and ... you can use the same steps.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Re: Listening on different ports in Cisco WSA

galin.gospodinov — Thu, 21 Mar 2024 12:21:04 GMT

Is their some maximum port definition in Security Services > HTTPS Proxy (like in max 8 ports in WCCP) ? Will it be a problem if I define 10-15 ports in HTTPS Proxy ?