WebVPN Content Rewrite - how can we bypass it?

anthonyhoar · ‎10-04-2012

We are publishing a Bookmark through a WebVPN portal to a server on the inside of our network. That bookmark is made available to users via DAP.

The bookmark works for the most part, however the internal website does not function very well through the content-rewrite engine of the Cisco ASA. Upon further inspection of traffic, packet captures from the egress interface of the ASA vs. packet captures of an internal host who successfully loads the internal website show that the Cisco ASA is rewriting the http header of the get request. There are whole fields of the http header that are missing.

In any case, we just want the ASA to reverse proxy the website to the outside world over a secure tunnel. How can we bypass the content rewrite engine?

And before anyone submits a URL to Cisco's documention on Content rewrite, take a close look it. First it says, "here is how to disable content rewrite for a destination...but further on it says, here is how to make your destination split tunnel. Which is it? Are we disabling content rewrite, or are we split tunneling the traffic, because, split tunneling doesn't help since the web content is still inside our network.

I tried the Proxy Bypass but it does not improve the functionality of the site. So, long story short, pretty frustrated with WebVPN as a Reverse Proxy.

Anyone out there no how to really, truly, bypass the content rewrite?

Marcin Latosiewicz · ‎10-05-2012

Hi there,

To be honest I think smart tunnel is your best option (you can enable it per bookmark).

That being said - what you describe could be a bug, maybe it's worth to open a TAC case so this can be investigated rather then let your frsutration grow?

M.

anthonyhoar · ‎10-05-2012

Yes, I tried enabling Smart Tunnel on the Bookmark however the Smart Tunnel did not rewrite the internal hostname of the URL, therefore, my WebVPN session running on a computer on the internet was making a reference to a website on our internal network. In other words, it did not reverse proxy the hostname of the URL from external URL to internal URL.

I do have a TAC case open too. But I also have another TAC case open related to Content Rewrite issues that has ended in a Bug Track and suggested workarounds, none of which are acceptable at this time.

I have been working in the Proxy/reverse proxy/web filter space for a long time now. Its common to bypass certain features of the product when encountering websites whose funtionality calls for a bypass.

There has to be some way to bypass the content rewrite.

And just for curiousity, what is the purpose of the Content Rewrite engine? Is it a security feature?

Marcin Latosiewicz · ‎10-05-2012

As to content rewriter.

(this is going to be a crude and possibly not 100% accurate explanation, but you seem to know your way around HTTP/SSL etc).

The way ASA clientless VPN is, it's more of a SSL/TLS-protected proxy connection rather than a typical VPN tunnel.

This allows quite a bit of features to ride on top (overlay, smart tunneling, port forwarding, ...) etc but also poses some technical challanges.

It requires that certain information is relayed and certain obfuscated (e.g who's doing name resolution - ASA, what will we do with cookies dependning on their types).

So we've created content rewrite engine to make sure that once it's presented to user browser, it all seems like it's coming from ASA - the proxy. This requires some effort in terms of rewriting content of HTTP stream so it's retains it original functionality.

Thus most of the time you don't want to bypass rewirter - you want to make sure it rewrites it properly.

M.

edit: Is it a security feature? Not really so, but it does protect your client from potentially bad pages, because it will parse them before presenting thjem to users.

anthonyhoar · ‎10-11-2012

It turns out our issue is an MTU issue and not a failure on the part of the Content ReWrite engine.

For my original question however, it seems that Proxy Bypass (with the option of letting it rewrite the hostname of the URL) would be the prefered way to bypass the Content ReWrite Engine.