topic Transparent Proxy in Web Security

Transparent Proxy

ahamadfaiz — Mon, 01 Apr 2013 13:28:07 GMT

Hi All,

Good Day!

We have just changed our IronPort WSA proxy from Explicit Forward to Transparent Mode.

We are using Cisco ASA inside interface to redirect traffic to IronPort WSA. The WSA is also reachable via the inside interface per Cisco requirement.

We are able to browse internet through this proxy from PC as well as from mobile devices. Also most of the mobile applications are working too.

The query is that if we need to do any specific changes in WSA or ASA in order to enable applications using ports other than 80 and 443. For example, there are some online games or whatsapp that needs to access internet on ports other than 80 and 443. Is there any change required for these mobile applications to work through WSA.

Please assist.

WSA Model: S670

Version: 7.1.4-053

Thank you.

Faiz

Transparent Proxy

Luis Silva Benavides — Thu, 30 May 2013 21:27:11 GMT

Hi Faiz,

For sure you don't have to change anything on the ASA. On the WSA I don't think you have to do any change but are you facing any issues?

Thanks!

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html

Transparent Proxy

ahamadfaiz — Wed, 05 Jun 2013 10:09:08 GMT

Hi Luis,

Well, it appears that the WSA in transparent mode does not work as good as when it is in explicit forward mode.

We are facing many issues with it.

We were not able to get applications that use ports other than 80 or 443 to work throuhg the transparent proxy. For example, whatsapp uses port 5222 for initial connection and then sends the rest of the traffic over 443. But it never got connected while using transparent proxy.

I had started another discussion as well: https://supportforums.cisco.com/message/3930488#3930488

It would be great if you could assist me with this.

Regards,

Faiz

Transparent Proxy

bechara33 — Wed, 05 Jun 2013 10:13:26 GMT

Are you authenticating mobile dovices?

mobile devices shouldnt be authenticated in order to apps to work,

Transparent Proxy

Ken Stieers — Wed, 05 Jun 2013 15:48:23 GMT

Faiz,

On the Network/Transparent Redirection page, what ports do you have listed? You can only have 8, and I don't think it allows ranges. (its a WCCP limitation)

And on the ASA, what does your redirect acl look like? Here's mine, (don't redirect inbound traffic, don't bounce traffic from WSA on .11 and wsa on .20, redirect all outbound)

Transparent Proxy

ahamadfaiz — Wed, 12 Jun 2013 12:41:36 GMT

Hi All,

I am sorry for the delay.

I am not using authentication for mobile devices.

My WSA transparent proxy configuration is similar to what is there in the screenshot.

However, the ACLs are not exactly the same. I do not have the Deny ACLs in place. I have just allowed the subnet that requires internet access in the WCCP redirect ACL.

I understand why you have the Deny ACLs. But the WCCP redirection works fine for all HTTP and HTTPS traffic. It just doesnt work for sites that work on other ports. So, do I really need to add those deny ACLs as well?

Please assist.

Regards,

Faiz

Transparent Proxy

Mustapha Arakji — Tue, 16 Jul 2013 15:15:06 GMT

Hi,

I removed authenticaiton for one of my smartphones, and it's working know. Also I understand that there's a feature request,

https://supportforums.cisco.com/thread/2208540 but there's no current workaournd?

Regards,

Transparent Proxy

Luis Silva Benavides — Tue, 16 Jul 2013 16:49:53 GMT

Hi,

You can engage the Account Team in order to expedite the resolution of the enhancement request.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html

Transparent Proxy

Mustapha Arakji — Wed, 31 Jul 2013 06:38:02 GMT

Hi,

Now i have my WSA in Explicit mode, SmartPhones are not authenicated, but i can't get the WhatsApp working...

Any ideas? Should I intercept the port 5222 on my WSA.

Regards,