Cisco Ironport WSA S170 - how to configure HTTPS filtering the same as HTTP filtering

semiller
Level 1

Is there any way for the WSA to filter HTTPS requests using the same categories and rules that are set up for HTTP?  We are set up in transparent redirect mode (WCCP).

7 Replies

The HTTPS config is about what to decrypt / not decrypt / block-because-it's-encrypted.

Your filters still apply.


The problem we ran into was that once everything was configured, WCCP was not passing the username through, which is what our filters are based on (what groups people are in).  This did not allow HTTPS to filter correctly.  Cisco TAC was of no help.

That sounds like an authentication problem, not really WCCP...

What are you using for auth?


Take the WCCP out of the equation.  Why can't HTTPS be filtered against the exact same rules as HTTP?  This seems like an easy thing to do, other appliances from other companies say they can do this with no issues.

Hi,

It's certainly possible to use the same rules for HTTP and HTTPS traffic. The first thing you have to keep in mind is that to achieve this you need to set up HTTPS decryption correctly. The HTTPS proxy acts as a "man in the middle" for incoming HTTPS requests from users, so the proxy first needs to decrypt the traffic, and after decryption it can apply the HTTP rules. To make this happen you have to upload to your Ironport appliances a certificate trusted by your users' browsers. Have you already done that?

Also, you can decide not to decrypt HTTPS traffic, but in this case you can only set up a filter based on URL categories, configuring in the decryption policies the action "Allow" for URL categories you need to allow and the action "Drop" for URL categories you need to block. In this case, for a blocked HTTPS URL the browser will not display a "blocking" page but just the "cannot display the page" notice.

Try setting the "Decrypt for authentication" option in the HTTPS Proxy settings.

Ivo Sabev
Cisco Employee

One thing to know about WCCP and the HTTPS proxy is that you have to have the HTTPS proxy enabled when redirecting traffic with WCCP (and redirecting port 443 as well).

Now, speaking of HTTPS rules, things operate like this on WSA:

1. WSA receives an HTTPS request, recognizes it as such and redirects it (internally) to the HTTPS proxy process.

2. The HTTPS proxy process inspects the request like this:

   2.1 Because the request contains only an IP address but no URL, WSA will make a connection to the desired destination and determine the CN of the certificate provided by the destination. You can check the CN of the destination with openssl:

       openssl s_client -connect host:port -showcerts

   2.2 This CN from now on acts like the URL for the internal check. Keep that in mind, as it may differ from the actual URL entered into the end user's browser.

   2.3 The found CN is now categorized against web categories. Then Decryption policies are run against the IP address/CN and the action for the HTTPS transaction is determined.

   2.4 If the action is decrypt, WSA will accept the request, provide its HTTPS proxy certificate to the browser and decrypt the packets. All further processing of traffic for decrypted transactions is inspected against Access policies, just like normal HTTP traffic.

   2.5 If the action is pass-through, WSA will tunnel the traffic; no Access policy evaluation on this traffic will take place.
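A worked example of the flow in steps 2.1 to 2.5 above, added here as an illustration; it is not part of the original thread and not Cisco's WSA code. It stands up a loopback TLS server with a self-signed certificate to play the destination, connects to it the way the proxy does in step 2.1 and takes the CN from the leaf certificate, then categorizes that CN against a constructed suffix table and picks decrypt / pass-through / drop from a constructed decryption policy. The hostnames, categories and policy actions are made up for the example; the real appliance uses its own category database and whatever policies you configure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Action is the outcome of a WSA decryption policy as described in the post.
type Action string

const Decrypt, PassThrough, Drop Action = "decrypt", "pass-through", "drop"

// categoryOf categorizes a hostname, here the certificate CN (step 2.3), using a
// constructed suffix table that stands in for the WSA URL category database.
func categoryOf(host string) string {
	table := []struct{ suffix, category string }{
		{"bank.example", "Finance"}, {"social.example", "Social Networking"}, {"example.com", "Business"},
	}
	for _, e := range table {
		if host == e.suffix || strings.HasSuffix(host, "."+e.suffix) {
			return e.category
		}
	}
	return "Uncategorized"
}

// decide is a constructed decryption policy: tunnel finance sites untouched,
// drop social networking, decrypt and inspect everything else.
func decide(category string) Action {
	if a, ok := map[string]Action{"Finance": PassThrough, "Social Networking": Drop}[category]; ok {
		return a
	}
	return Decrypt
}

// classify runs one HTTPS transaction through steps 2.1 to 2.3: connect to the
// destination, take the CN from its leaf certificate (no chain verification,
// only the name is wanted), categorize it and decide the action.
func classify(addr string) (cn, category string, action Action, err error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return "", "", "", err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return "", "", "", fmt.Errorf("no certificate presented by %s", addr)
	}
	cn = certs[0].Subject.CommonName
	category = categoryOf(cn)
	return cn, category, decide(category), nil
}

// startServer is a loopback TLS server with a self-signed cert for cn, playing the destination.
func startServer(cn string) (addr string, stop func(), err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.(*tls.Conn).Handshake() // let the client see our certificate, then hang up
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	for _, cn := range []string{"online.bank.example", "www.example.com", "social.example"} {
		addr, stop, err := startServer(cn)
		if err != nil {
			panic(err)
		}
		fmt.Println(classify(addr))
		stop()
	}
}
```

The point of the loopback server is that the only thing the proxy has to work with is whatever certificate the destination presents; the table and policy are then evaluated on that CN, not on the hostname the user typed. When you repeat step 2.1 against a real destination with the openssl command from the post, add -servername <host> so the server selects the certificate for that name (SNI); a shared-hosting IP may otherwise present a different certificate, which is one reason the CN the proxy sees can differ from the URL in the browser.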