09-22-2015 09:42 AM
Last week I turned on the HTTPS proxy after running HTTP only since early this year. So far I would sum it up as a complete pain in the butt. At the moment by default everyone is set up as pass through except myself, who is set up as monitor for everything. For the pass through I have a few websites that will not work until I bypass them, by IP, in the WCCP ACL on the ASA. I added the IPs to the Bypass Proxy list on the WSA and although it logs that it's being bypassed the sites still won't work. I have a case opened with Cisco about this but what a pain.
For my monitor setup I have come across several applications (Lync, Outlook, Cisco encryption plug-in) that won't work until I add the sites they are going to, to a custom URL list and configure the HTTPS policy to use pass through instead of monitor/decrypt if the score is lower than 9. I have a feeling that when I add all users to monitor, the list is going to be huge and require constant tuning. The access logs aren't showing a user-agent so no help there.
An alternative that would make my life much easier is to pass through everything except what I want to block or apply AVC policies to, but then I lose the security part of all this and the logging of URLs to see what people are wasting my bandwidth on. The whole certificate thing is a pain too. We have a lot of devices that aren't on a domain so I can't easily distribute the certs to them. For those devices I will most likely just have to apply a pass through policy to them. I also found that Firefox doesn't use the Windows cert store, so if I want users to continue using Firefox (which I may now ban) I have to go through this big complicated process to automatically import the certs.
Anyone else go through this and is there hope? Any recommendations would also be appreciated.
09-22-2015 10:20 AM
It's my understanding that when it comes to HTTPS proxy and decryption these are the normal hurdles that have to be overcome to enable the service. Introducing a "man in the middle" shouldn't be an easy thing. I have five WSAs so I had to generate a CA cert on each one and import them into all domain computers via GPOs. Any system that isn't joined to the domain and is a Windows box has to manually import the certs, as does any Windows box running Firefox.
10-21-2015 12:52 PM
After upgrading to 8.5.2 from a version 7 it has been nothing but a disaster. It has gotten to the point where I need to bypass most sites. Multiple TAC calls have not helped.
10-21-2015 01:03 PM
Since my first post and opening cases with Cisco I have found a lot of problems are related to TLS 1.2 and 1.3 and the WSA not supporting them. I have been told an engineering release is available that supports these with a full release sometime this year. Most of the time I've been able to add the sites to a custom URL list and make that list pass through although all categories are already pass through. Something to do with sending a new hello back is why you need the custom setup. I still have a handful of sites that my only choice is to bypass the proxy using ASA ACL entries. Nothing I do in the WSA will fix them including adding to the bypass list.
I'm still on 8.0.8 because Cisco wanted me to try some new code that fixes Akamai bandwidth consumption. Basically range requests at times would consume 100% of our bandwidth until we rebooted both WSAs. Another big sore subject for us.
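A triage check for the symptom described in this thread (a site that only works once bypassed): connect to the site the same way a client would, validate the chain against the system roots plus the WSA CA, and report whether the WSA re-signed the certificate (decrypt/monitor) or the origin certificate came through (pass-through), together with the TLS version that was negotiated. This is an added example, not code from the thread or from Cisco; the host names, CA file path and CA common name are placeholders.

```python
"""Report whether an HTTPS session to `host` was decrypted (leaf cert
re-signed by the proxy CA) or passed through (origin cert), plus the TLS
version negotiated. Added example, not code from the thread or from Cisco.
Assumes a PEM file with the WSA root CA; with WCCP redirection connect
directly (proxy=None), with an explicit proxy pass (host, port) for CONNECT.
Host names, file path and CA CN used below are placeholders."""
import http.client
import ssl

def issuer_cn(cert):
    """Issuer CN from the dict that SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def classify(cert, proxy_ca_cn):
    """'decrypted' if issued by the proxy CA, 'pass-through' otherwise."""
    cn = issuer_cn(cert)
    if cn is None:
        return "unknown"
    return "decrypted" if cn == proxy_ca_cn else "pass-through"

def probe(host, wsa_ca_pem, proxy_ca_cn, port=443, proxy=None):
    """Return (tls_version, verdict, issuer_cn). Trust = system roots plus
    the WSA CA, so both outcomes validate; a handshake error here is the
    same failure users report as 'the site won't work'."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=wsa_ca_pem)
    if proxy:  # explicit proxy: CONNECT host:port, SNI stays = host
        conn = http.client.HTTPSConnection(*proxy, context=ctx, timeout=10)
        conn.set_tunnel(host, port)
    else:      # transparent (WCCP) deployment: talk to the site directly
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.connect()
        cert = conn.sock.getpeercert()
        return conn.sock.version(), classify(cert, proxy_ca_cn), issuer_cn(cert)
    finally:
        conn.close()

# Constructed sample in the shape getpeercert() returns, so this runs offline.
SAMPLE_DECRYPTED = {"issuer": ((("organizationName", "Example Corp"),),
                               (("commonName", "WSA Root CA"),))}

if __name__ == "__main__":
    print(classify(SAMPLE_DECRYPTED, "WSA Root CA"))  # decrypted
    # Live: probe("example.com", "/path/to/wsa-root.pem", "WSA Root CA")
```

If `probe` raises an `ssl.SSLError` for a site that browsers also fail on, the WSA is neither re-signing nor cleanly passing the origin handshake through, which is the case for a bypass rather than a pass-through policy.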
10-21-2015 01:07 PM
In most cases pass-through doesn't work. I have to put it in the bypass to make it work. Have you been able to get the 8.5.2 Engineering release to address this? I know you are on 8.08 but I was wondering if you could get it.