topic Steps to enable Web Proxy for https in Web Security

Steps to enable Web Proxy for https

slizarraga — Fri, 16 Nov 2012 22:07:06 GMT

I have an S160 WSA and want to enable the Web service for http and https. I am using transparent mode with WCCP.

This is part of the router configuration:

ACL:

access-list 110 permit tcp 192.168.80.0 0.0.7.255 any eq 80

access-list 120 permit tcp 192.168.80.0 0.0.7.255 any eq 443

ip wccp 97 redirect-list 110

ip wccp 98 redirect-list 120

interface FastEthernet0/0.380

ip wccp 97 redirect in

ip wccp 98 redirect in

It is the same configuration for http and for https, but only http traffic is working. When I see the logs in the WSA, it looks like accepted connections for https.

In Security Services -> Web Proxy it is enabled, when I put the port 443, I get an https error in the end user laptop; when I dont, it keeps trying and I get a timeout.

I tried enabling https proxy but some sites (as gmail), wont work with self-generated certificates.

Would you please, list me the steps to enable Proxy services for https.

Thanks!!!

Sergio L.

Steps to enable Web Proxy for https

Chetankumar Phulpagare — Sat, 17 Nov 2012 06:49:23 GMT

Hi Sergio,

When WSA is configured as transparent proxy, it also accepts explitcit connections. So in order to test HTTPS proxy, you can configure client browser to explicitly use WSA as proxy and see if it is working before testing in transparent mode.

When WSA is used as HTTPS proxy, it uses its self-generated certificate to encrypt the connection between itself and the client browser. Since this certificate is not trusted by browser, it'll throw SSL certificate error when connecting via WSA. In order to get rid of this error, download the self-generated certificate from WSA and install it in your browser as a trusted certificate. That should resolve SSL issue with gmail also.

Hope this helps.

Thanks,

Chetan

Steps to enable Web Proxy for https

keithsauer507 — Fri, 14 Dec 2012 21:08:34 GMT

Can you install your own certificate into the WSA? Like one from our own enterprise root ca, then the domain policy to auto enroll workstations with these certificates would make the whole process transparent to the end users.

Just have to figure out non windows based devices (ios / android / linux / mac).

Steps to enable Web Proxy for https

Jeffrey Ness — Fri, 14 Dec 2012 23:03:13 GMT

Yes you can do your own certificate as under a corporate CA (the WSA needs a Subordinate CA certificate because it will be generating the individual site certificates on the fly). The WSA cannot generate the request for the SubCA cert (at least not in 7.1.3). There is a post with steps for creating the SubCA certificate request from a Windows server (2008+) on one of the Microsoft forums.