Showing results for 
Search instead for 
Did you mean: 

Dropbox-client behind WSA in WCCP-mode?


I have just implemented an Ironport WSA at a customer site. It works as expected except for one thing: dropbox clients say that they "cannot establish a secure connection" and wont connect/sync.

The clients are behind a Cisco ASA which WCCP redirects outbound web-traffic (both http and https) to the WSA on inside. The WSA does https decryption and all client trusts the root cert that the WSA uses.

Browsing to https sites in general works fine, and browsing to also works without any problem.

Any idea on

Lee Valentin

Did you already check the access logs in GUI or grep the logs in real time? How about a capture from the WSA?

Tarik Admani

What platform are the clients using? Are these ipads or windows OS also are they using ie or ff to access the dropbox site?

Sent from Cisco Technical Support Android App

Tom Foucha
Cisco Employee

The clients trusts the WSA but that doesn't mean that Dropbox trusts the WSA. It would depend on what trust store the dropbox application uses whether the application trusts the certificate or not. Similar to Firefox having it's own trust store that is independant of the operating systems that I.E. uses. I don't have an answer at this time as I haven't investigated the problem but this might give you some place to look.

I've set the category Online Storage and backup to Pass Through in the decryption policy. Just Works fine.

If you do not wish to allow the entire Online Storage category then you can follow these steps to allow dropbox;


Dropbox desktop application fails to connect to when traffic is passing through the WSA. This is applicable to both explicit and transparent


Dropbox is a free storage service that lets you bring your photos, docs, and videos anywhere and share them.

1. Grep the access logs on the WSA to obtain the IP address of the Dropbox server the network is connecting to

2. Lookup the subnet for by using the following URL:

You will need to register to the website in order to look up the IP address. Once you have registered and logged in, paste the IP address from the access logs in Step 1 into the search field labeled SEARCH WHOISRWS. This will bring up the CIDR(subnet) which belongs to dropbox. Currently the defined CIDR is

3. Create a custom URL category and add the IP subnet,, to the custom url category. Log into your WSA (GUI)

  • Go to Web Security Manager -> Custom URL Categories
  • Click Add Custom Category and under Sites mention CIDR for Dropbox,,
  • Submit and Commit the changes

4. Associate the Custom URL category thus created with a new or an existing Identity that has authentication turned off.

5. Associate the above Identity in step 4 with a new or existing Access policy and set the custom URL category for Drop box to "Allow".

Hope this helps.

Best Regards,

Michael Hautekeete

Customer Support Engineer

Cisco Content Security - Web Security Appliance

This article mentions the allow for HTTP, you will also need to add the custom URL category to your decryption policy and set it to pass-through to allow the HTTPS connections to

Best Regards,

Michael Hautekeete

Customer Support Engineer

Cisco Content Security - Web Security Appliance