Re: Unable to filter https traffic with router & websense

srikanthmavelikara · ‎05-26-2011

I am having a setup with a 2851 router & websense url filtering server where I need to forward the traffic to websense server for all the internet requests.

The http traffic is getting filtered properly, but the https traffic is not getting filtered.

The two commands I ahev given for http & http are as follows:

ip inspect name test http urlfilter

ip inspect name test https.

Anybody who has done the same or faced the issue, please let me know.

srikanthmavelikara · ‎05-26-2011

Hey cisco folks,

anybody is there who can answer the same..!

brquinn · ‎05-26-2011

IOS firewall urlfilter supports only HTTP. HTTPS is not supported. 

Thanks,
Brendan

srikanthmavelikara · ‎05-26-2011

I am using websense along with cisco 2851 router. The http requests are forwarded to websense & it is allowed or denied according to the filter policies created.

But when I am giving the command "ip inspect name test https" it is not forwarding the https traffic.

If the command for https is taking by the IOS commands, then it should forward the traffic to websense server. wright..?

Bu what is happening is that the https requesting websites are resolved by the router itself.

Any supporting document for the same which can be find from cisco.

srikanthmavelikara · ‎05-27-2011

Hello Brendan,

can u answer my query.?

brquinn · ‎05-27-2011

We generally don't document what is not supported, except in specific cases. The "ip inspect name test https" command does not specifically reference url filtering. All you are doing is enabling the inspection.

Thanks,

Brendan

srikanthmavelikara · ‎05-27-2011

We need to provide the details to end customer regarding the same.

All cisco documents explains about http url filtering only.

So how we can get any proof saying that https traffic is not inspected.?

Any advanced IOS vesion supports the same?

whats the meaning of the command:"ip inspect name test https"?

Any other workaround for forwarding the https traffic to websense appliance?

barry · ‎05-27-2011

The only way I think you'll be able to filter HTTPS traffic is to configure the Websense server as an explicit proxy.

The issue is that the HTTPS stream is encrypted. Unless you terminate the HTTPS stream on a device (as an explicit proxy) it is not going to be able to inspect the traffic.

srikanthmavelikara · ‎05-29-2011

Hello barry,

Using this setup, all the request is coming to the router & the router forwards the traffic to websense url filtering server.

You meant to say that:

1. All the requests should hit the websense url filter server directly before coming to router.

2. And the router cannot forward https requests to the server. wright?

It will be very helpful if you clarify the above points.

srikanthmavelikara · ‎05-29-2011

I am using the below commands for url fitering that forwards the internet traffic to websense server:

ip inspect name test http urlfilter

ip urlfilter max-resp-pak 500

ip urlfilter allow-mode on

ip urlfilter cache 1000

urlfilter urlf-server-log

ip urlfilter server vendor websense x.x.x.x.

This forwards the http traffic to the websense server at location: x.x.x.x

In this case, could you please help me, how can achieve the same for https through explicit proxy.?