https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421535#M4388 <P>Hello support,</P><P></P><P>should I enable HTTPS proxy if I am going to use transparent mode for WSA deplyoment ? </P> Wed, 04 Dec 2013 18:51:56 GMT davidbart8 2013-12-04T18:51:56Z https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421535#M4388 <P>Hello support,</P><P></P><P>should I enable HTTPS proxy if I am going to use transparent mode for WSA deplyoment ? </P> Wed, 04 Dec 2013 18:51:56 GMT https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421535#M4388 davidbart8 2013-12-04T18:51:56Z https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421536#M4389 <HTML><HEAD></HEAD><BODY><P>If you are planning to do decryption then you MUST enable the HTTPS proxy. If you do not plan to do decryption then you don't have to enable it but do not redirect port 443 to the WSA if the HTTPS proxy is not enabled.</P></BODY></HTML> Fri, 06 Dec 2013 17:18:57 GMT https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421536#M4389 Tom Foucha 2013-12-06T17:18:57Z https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421537#M4390 <HTML><HEAD></HEAD><BODY><P>Hello Tommy,</P><P></P><P>Thank you for your response ,<SPAN style="font-size: 10pt;">would you please describe the side effects of redirecting port 443 to WSA if https is not enabled ? we are planning to set the WSA in transparent mode as I have read in the user guide that the transparent can accept both explicitly forwarded and transparent requests. My concern is that i have some users working on Citrix server with cookie-based surrogate and some other fat clients. The guide stated that there are problems in using cookie-based and transparent,appreciate your help as I am not much that familiar with WSA </SPAN></P><P></P><P>How can I configure my policies so it works for both fat clients and Citrix server users??</P><P></P><P><SPAN style="font-size: 10pt;">Regards,</SPAN></P></BODY></HTML> Fri, 06 Dec 2013 17:43:42 GMT https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421537#M4390 davidbart8 2013-12-06T17:43:42Z https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421538#M4391 <HTML><HEAD></HEAD><BODY><P>As with any TCP device it has to listen on a port for connections to accept the socket. If you do not enable HTTPS proxy then we do not listen on port 443 for connections so any connection redirected to the proxy on port 443 will simply fail when using transparent mode. In explicit mode the browser is told to send HTTPS traffic to the proxy on the proxy port 80, 3128, 8080 etc. so the proxy is listening on that specific port for any traffic. The same would happen to HTTP traffic if you redirect traffic to the proxy on port 9999 but didn't configure the proxy to accept traffic on port 9999.</P><P></P><P>Depending on the version of WSA code you are running you can set the surrogate type in the Access Policy. Not being familair with your network I would say if you have Citrix servers then create an identity for the servers based on IP address and authentication and set the surrogate to session based cookies.</P></BODY></HTML> Fri, 06 Dec 2013 18:02:49 GMT https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421538#M4391 Tom Foucha 2013-12-06T18:02:49Z https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421539#M4392 <HTML><HEAD></HEAD><BODY><P>Thank you so much for your explanation Tommy and making me aware of this. much thanks for support </P></BODY></HTML> Fri, 06 Dec 2013 18:40:40 GMT https://community.cisco.com/t5/web-security/https-and-transparent-mode/m-p/2421539#M4392 davidbart8 2013-12-06T18:40:40Z