Allow a website directory?

grant.wise
Level 1

I just want to allow a specific website directory. For example, sites.google.com/site/jacksoncountyboe

It blocks sites.google.com because of web hosting, which I want to remain blocked. I want sites.google.com blocked except for a few specific sites, as provided in the example.  I do not want to blanket allow sites.google.com.  Websense allowed me to do this, does Cisco?

1 Accepted Solution (Christian Rahl's reply below)

9 Replies

Chris Illsley
Level 3

You need a regex something like below, Custom URL Category -> Advanced: Regular Expressions:

sites\.google\.com/site/jacksoncountyboe

Thanks

Chris

Thanks for the reply. Unfortunately it still does not work. The Jackson County BOE website redirects to an HTTPS site at https://sites.google.com/site/jacksoncountyboe 

The URL transaction is blocked because it is in the category web hosting.

The ironport refers to the transaction as "tunnel://sites.google.com:443/"

Any thoughts?

Hi Grant,

Once you have added your regex to the custom URL category meant to allow the traffic, you will want to grep the access logs to determine if the requests are being applied to the correct access policy, the one which contains the custom URL category with the regex. Also you will want to be able to read the output of the grep. You may learn how to read the access logs by logging into the GUI of the WSA -> Support and Help -> Online Help -> click on the Search tab -> type "access logs"; it should be page 72. This will provide an example of the access logs and how to read them from left to right. You're going to want to focus on the access policy position in the grep output. This will tell you which access policy the request is being applied to and if it is what you expect. Also focus on the HTTP code and HTTP transaction result code in the grep output. It should be a 200, not a TCP_Denied/403. If you see a 403 based on the request made to your URL then you have an access policy that is blocking it. If not, then a packet capture from the WSA will be needed when testing the URL.

To grep the access logs for an entry, SSH into the WSA and run the following command from the CLI:

1. Grep

2. Enter the number of the log you wish to grep.

[]> 1

3. Enter the regular expression to grep.

[]> IP of the PC that the issue is being reproduced on.

4. Do you want this search to be case insensitive? [Y]>

5. Do you want to search for non-matching lines? [N]>

6. Do you want to tail the logs? [N]> Yes

7. Do you want to paginate the output? [N]>

Erik Kaiser

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

Still waiting on an answer Cisco...

Here is what I get:

1341924215.640 2 10.10.2.182 TCP_DENIED/403 2113 CONNECT tunnel://sites.google.com:443/ "TOSNET\gwise@Tos.local" NONE/- - BLOCK_WEBCAT_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE -

So it is a policy problem… But how do I add this to be allowed without adding the entire “Sites” subdomain of Google.com?

Christian Rahl
Level 1

A few quick questions.

1. How is your environment set up? Are you explicit to your proxy or transparent? It looks like you are explicit.

2. If you are transparent, are you decrypting traffic for https?

Christian Rahl

Customer Support Engineer

Cisco IronPort - Web Security Appliances

Cisco Technical Assistance Center RTP

United States Ironport: 1-877-641-IRON (4766)

We are configured for transparent, but running explicit.

We are not decrypting traffic yet.

When it comes to the transparent environments you will need to decrypt the traffic. In fact you will need to decrypt all of Google traffic, using ".google.com" and "google.com" as the site for the decryption. The reason you have to decrypt all of Google is that they use a wildcard certificate for all their domains. This wildcard certificate contains "*.google.com" in the common name. Since we use the common name to decide whether we want to decrypt or not, we have to decrypt all of Google.

Once you decrypt the traffic you can now look into the traffic and see what is being requested. From there your access policies will make decisions with the https traffic just like it is http.

Christian Rahl
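An added example (not code from the thread or from Cisco) that reads the access log line Grant posted the way Erik's checklist describes and shows why the custom-category regex Chris suggested cannot match a CONNECT "tunnel://" entry until Christian's decryption step is in place. The second log line, and the positions of the policy groups inside the decision tag, are assumptions.

```python
import re

# Constructed sample entries (not real captures). The first copies the line Grant
# posted; the second is a made-up entry for the same request after HTTPS
# decryption, assuming the same field layout.
SAMPLE_LOG = [
    r'1341924215.640 2 10.10.2.182 TCP_DENIED/403 2113 CONNECT tunnel://sites.google.com:443/ "TOSNET\gwise@Tos.local" NONE/- - BLOCK_WEBCAT_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE -',
    r'1341924300.101 57 10.10.2.182 TCP_MISS/200 8731 GET https://sites.google.com/site/jacksoncountyboe "TOSNET\gwise@Tos.local" DIRECT/sites.google.com text/html ALLOW_CUSTOMCAT_11-AllowBOE-DefaultGroup-NONE-NONE-NONE-NONE -',
]

# The custom URL category regex Chris suggested, exactly as posted.
ALLOW_REGEX = re.compile(r"sites\.google\.com/site/jacksoncountyboe")


def parse_access_line(line):
    """Split one access log line into the fields Erik's post says to look at."""
    f = line.split()  # the quoted username holds no spaces, so split() is safe
    result, _, status = f[3].partition("/")  # e.g. TCP_DENIED/403
    tag = f[10].split("-")  # DECISION-AccessPolicy-Identity-... (positions assumed)
    return {
        "client": f[2],
        "result": result,
        "status": int(status),
        "method": f[5],
        "url": f[6],
        "decision": tag[0],
        "access_policy": tag[1],
        "identity": tag[2],
    }


def grep_client(lines, client_ip):
    """Step 3 of Erik's grep: keep only entries for the PC reproducing the issue."""
    entries = (parse_access_line(line) for line in lines)
    return [e for e in entries if e["client"] == client_ip]


def regex_matches(url):
    """Would the custom category regex see this URL? Only if the path was logged."""
    return ALLOW_REGEX.search(url) is not None


def diagnose(entry):
    """Classify the decision the way the thread reasons about it."""
    if entry["method"] == "CONNECT" and entry["url"].startswith("tunnel://"):
        # Undecrypted HTTPS: the WSA saw only host:port, never the path, so a
        # path-based regex cannot match and the category of the host applies.
        return "undecrypted-tunnel"
    if entry["result"] == "TCP_DENIED" or entry["status"] == 403:
        return "blocked-by-policy"
    return "allowed"
```

Run `grep_client(SAMPLE_LOG, "10.10.2.182")` and pass each entry to `diagnose` to see the first entry flagged as an undecrypted tunnel and the second as allowed.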

That was it. Thanks!

On a side note, this all seems a little ridiculous to me to have to go through this to allow one website, but that's how things are I guess.