11-27-2013 02:57 AM
Hello
I have just implemented an Ironport WSA at a customer site. It works as expected except for one thing: Dropbox clients say that they "cannot establish a secure connection" and won't connect/sync.
The clients are behind a Cisco ASA which WCCP redirects outbound web traffic (both HTTP and HTTPS) to the WSA on inside. The WSA does HTTPS decryption and all clients trust the root cert that the WSA uses.
Browsing to https sites in general works fine, and browsing to www.dropbox.com also works without any problem.
Any idea on
11-27-2013 11:22 AM
Did you already check the access logs in GUI or grep the logs in real time? How about a capture from the WSA?
12-01-2013 08:53 PM
What platform are the clients using? Are these iPads or Windows OS? Also, are they using IE or FF to access the Dropbox site?
12-02-2013 06:02 AM
The clients trust the WSA but that doesn't mean that Dropbox trusts the WSA. It would depend on what trust store the Dropbox application uses whether the application trusts the certificate or not. Similar to Firefox having its own trust store that is independent of the operating system's that I.E. uses. I don't have an answer at this time as I haven't investigated the problem but this might give you some place to look.
02-18-2014 12:21 PM
I've set the category Online Storage and Backup to Pass Through in the decryption policy. Just works fine.
02-19-2014 06:24 AM
If you do not wish to allow the entire Online Storage category then you can follow these steps to allow Dropbox:
Dropbox desktop application fails to connect to dropbox.com when traffic is passing through the WSA. This is applicable to both explicit and transparent
Dropbox is a free storage service that lets you bring your photos, docs, and videos anywhere and share them.
1. Grep the access logs on the WSA to obtain the IP address of the Dropbox server (dropbox.com) the network is connecting to.
2. Look up the subnet for Dropbox.com by using the following URL: https://www.arin.net
You will need to register on the website in order to look up the IP address. Once you have registered and logged in, paste the IP address from the access logs in Step 1 into the search field labeled SEARCH WHOISRWS. This will bring up the CIDR (subnet) which belongs to Dropbox. Currently the defined CIDR is 199.47.216.0/22.
3. Create a custom URL category and add the IP subnet, dropbox.com, .dropbox.com to the custom URL category. Log into your WSA (GUI)
4. Associate the Custom URL category thus created with a new or an existing Identity that has authentication turned off.
5. Associate the above Identity in step 4 with a new or existing Access policy and set the custom URL category for Dropbox to "Allow".
Hope this helps.
Best Regards,
Michael Hautekeete
Customer Support Engineer
Cisco Content Security - Web Security Appliance
http://www.cisco.com/en/US/products/ps11169/serv_group_home.html
https://supportforums.cisco.com/community/netpro/security/web
https://supportforums.cisco.com/community/feeds?community=2091
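One way to do step 1 offline on an exported access log and to confirm afterwards that Dropbox traffic is passed through rather than decrypted, as an added example that is not part of the original posts or Cisco's tooling. It assumes the Squid-style field order noted in the comment; the log lines, IPs outside the quoted CIDR, and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# CIDR quoted in the post above; confirm it in WHOIS before relying on it.
DROPBOX_CIDR = ipaddress.ip_network("199.47.216.0/22")

# Constructed sample lines (not from a real appliance). Assumed field order:
# time elapsed client result/status bytes method URL user hierarchy/server
# mime decision-tag
SAMPLE_LOG = """\
1392812641.101 312 10.1.1.20 TCP_MISS/200 0 CONNECT tunnel://199.47.216.172:443/ - DIRECT/199.47.216.172 - DECRYPT_WEBCAT_7-DefaultGroup
1392812650.552 95 10.1.1.20 TCP_MISS/200 4120 GET https://www.dropbox.com/ - DIRECT/198.51.100.7 text/html DECRYPT_WEBCAT_7-DefaultGroup
1392812699.004 40 10.1.1.31 TCP_MISS/200 812 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html DEFAULT_CASE_12-DefaultGroup
1392899041.870 290 10.1.1.20 TCP_MISS/200 0 CONNECT tunnel://199.47.216.172:443/ - DIRECT/199.47.216.172 - PASSTHRU_CUSTOMCAT_7-DefaultGroup
"""

def dropbox_connections(log_text, cidr=DROPBOX_CIDR):
    """Yield (server, in_cidr, action) for each request that went to Dropbox."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 11:
            continue  # truncated or non-request line
        server = f[8].partition("/")[2]
        try:
            in_cidr = ipaddress.ip_address(server) in cidr
        except ValueError:
            in_cidr = False  # server field is "-" or a hostname
        host = re.sub(r"^\w+://", "", f[6]).split("/")[0].split(":")[0]
        by_name = host == "dropbox.com" or host.endswith(".dropbox.com")
        if in_cidr or by_name:
            # Leading word of the decision tag, e.g. DECRYPT or PASSTHRU.
            yield server, in_cidr, f[10].split("_", 1)[0]

def summarize(log_text):
    """Return (Dropbox servers outside the listed CIDR, count per action)."""
    outside, actions = set(), Counter()
    for server, in_cidr, action in dropbox_connections(log_text):
        if not in_cidr:
            outside.add(server)
        actions[action] += 1
    return sorted(outside), dict(actions)

if __name__ == "__main__":
    outside, actions = summarize(SAMPLE_LOG)
    print("outside", DROPBOX_CIDR, ":", outside, "| actions:", actions)
```

Servers reported as outside the CIDR are the ones an IP-only category entry would miss, which is why step 3 also lists dropbox.com and .dropbox.com.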
02-19-2014 06:26 AM
This article mentions the allow for HTTP; you will also need to add the custom URL category to your decryption policy and set it to pass-through to allow the HTTPS connections to dropbox.com.
Best Regards,
Michael Hautekeete
Customer Support Engineer
Cisco Content Security - Web Security Appliance