topic Re: WSA ASA WCCP Redirection for HTTPS traffic in Web Security

WSA ASA WCCP Redirection for HTTPS traffic

iwearing — Fri, 15 Mar 2019 12:28:00 GMT

My WSA appliances can service http/https traffic when configured in explicit forward mode (no WSA https proxy enabled).

However I am unable to get Transparent mode https redirection to work unless I enable https proxy mode on the WSA.

An ASA is doing the WCCP redirection for http/https traffic. It appears that http redirection works as expected.

Could somebody explain why http/https work in explicit proxy mode without https proxy enabled on the WSA and is there a way to get https rwccp redirection to work in Transparent mode without https proxy enabled.

thanks

Ian

Re: WSA ASA WCCP Redirection for HTTPS traffic

Territorymine345 — Sun, 17 Mar 2019 23:55:35 GMT

Retro

Re: WSA ASA WCCP Redirection for HTTPS traffic

Josiane de Barros Silva — Mon, 01 Apr 2019 16:33:22 GMT

f you can make logs or images available, it is easier to help you.

Re: WSA ASA WCCP Redirection for HTTPS traffic

Paul Cardelli — Tue, 09 Apr 2019 23:19:42 GMT

So this is the one thing I have struggled with the WSA/ASA WCCP pair for a while. I recently found out that in the ASA WCCP implementation HTTPS DNS traffic is not forwarded to the WSA. Without the DNS information redirected the WSA is unable to filter or see the traffic for HTTPS. So this limitation is actually the ASA, and impacts any ASA WCCP compatible proxy solution.

There may also be a way to change this default ASA behavior.

Re: WSA ASA WCCP Redirection for HTTPS traffic

Ken Stieers — Tue, 09 Apr 2019 23:52:01 GMT

Https dns traffic is still port 53, isnt it? Possibly just add that to the wccp and proxy config?

Re: WSA ASA WCCP Redirection for HTTPS traffic

Paul Cardelli — Wed, 10 Apr 2019 14:43:49 GMT

The following is adapted from deployment information from another cache solution. It begins to explain some of the limitations of Cisco's implementation of WCCP on the ASA's the first one also applies to ISRs. I was not able to find the same information on a Cisco site, but through my own testing and experience these limitations appear to be accurate. Especially for guest networks were the only information you can log/filter on is the DNS. These limitations appear to be by design, likely to allow other ASA features to function properly.

Limitations and Requirements of a WCCP Deployment With an ASA

The only topology that the adaptive security appliance (ASA) supports is when both the client and the cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the adaptive security appliance.

Due to the Cisco ASA limitations on redirecting DNS responses, the cache engine is not able to log all HTTPS traffic. The only traffic that can be logged is HTTPS traffic that is being inspected/monitored and the HTTPS URLs that are blocked.