topic Re: White list for live web chat program to work ? in Network Security

White list for live web chat program to work ?

rookeydooks — Mon, 11 Mar 2019 18:37:06 GMT

We have just had a new ASA5510 installed and i'm trying to get a live web chat programe to run.

I have contacted the web chat providers and they have said i need to whitelist:

*.providesupport.com

and

ds.ds2ps.net
ds.ds3ps.co.uk

Is this an easy thing to do ? We have aroudn 30 PC's that will run this ?

Where woudl i go to whitelist ?

Many thanks for your time.

Re: White list for live web chat program to work ?

Federico Coto Fajardo — Wed, 08 Sep 2010 15:23:03 GMT

Hi Ian,

One question...

Are the computers behind the ASA able to access those sites right now?

The reason I ask is because the ASA normally don't whitelist or blacklist, but either permits or denies based on TCP/UDP ports.

So, the internal devices can access the Internet on port 80 or they cannot.

You can configure using the Modular Policy Framework, access to some webpages specifically.

Also I think that if the ASA has a CSC module, then you can whitelist some sites as well.

Is this what you're looking for?

Federico.

Re: White list for live web chat program to work ?

Panos Kampanakis — Wed, 08 Sep 2010 15:32:17 GMT

Please let us know if you have http inspection enabled on the module and if yes provide the "sh run class-m", "sh run policy0-map", "sh run service-policy".

Also check if you have a CSC module in your ASA.

I hope it helps.

Re: White list for live web chat program to work ?

sachinga.hcl — Wed, 08 Sep 2010 15:44:58 GMT

Hi Ian,

Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit? If so, you can probably use just your ASA. Otherwise you're going to want a good web filtering/proxy solution. Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source.)

Otherwise can also tie the ASA directly into a filtering product like WebSense, check out the ASA documentation.

When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior. Better option is to use WPAD (web proxy auto-detect) and have your browsers point-to and/or be explicitly configured to use the proxy.

You can use combination of regex & HTTP inspection with ASA 7.2+ code to achieve this

regex YOUTUBE "youtube\.com"

policy-map type inspect http xyz

parameters

protocol-violation action drop-connection log

match request header host regex YOUTUBE

drop-connection log

policy-map global_policy

class inspection_default

< SNIP..>

inspect http xyz

A good example can be found at

http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP

Another example at

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

Please rate if you find it informative.

HTH

Sachin Garg