06-16-2011 12:36 PM
Hi.
I'm trying to put a weather widget on our intranet site and for people in our "Restricted Internet" group we have a URL category list called "Allowed Domains". Basically I put the domain in .accuweather.com and I still cannot get this widget to load for a test user in the ldap group "Restricted Internet".
So the next step I did was go to Web Tracking and look up the user name, website and blocked for the transaction type. For some reason there are two results which contradict each other.
In the Disposition column it says Block - AVC, however in the Website column it correctly shows URL CATEGORY: Allowed Domains. This is a contradiction because if it is an "allowed domain" it should not be blocked. Any idea why this site would possibly be blocked? I did have the weather.com widget on our intranet site and that worked fine, however the accuweather widget shows a little more information.
Here is a clip from the Website column in Web Tracking:
CONTENT TYPE: application/x-shockwave-flash | URL CATEGORY: Allowed Domains
DESTINATION IP: 207.242.93.89
DETAILS: Restricted_Internet "Access". WBRS: 5.3.
RELATED TRANSACTIONS
CONTENT TYPE: application/x-shockwave-flash | URL CATEGORY: Allowed Domains
DESTINATION IP: 207.242.93.89
DETAILS: Restricted_Internet "Access". WBRS: 5.3.
06-16-2011 12:53 PM
Some piece of it is getting categorized by the AVC engine (dynamically based on content). Are you blocking flash video?
Use grep on your WSA to find out which pieces are getting categorized improperly, then go to CCO, and have a category assigned.
Here’s how to use Grep: (I grep for the IP of the machine I’m testing with.)
http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1013&p_created=1202506177&p_sid=*wqDvGwk&p_accessibility=0&p_redirect=0&p_srch=1&p_lva=772&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9NDIsNDImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfbmwmcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1ncmVw&p_li=cF91c2VyaWQ9MXJvblAwcnQmcF9wYXNzd2Q9Zm8wQmE1&p_topview=1
Here’s what your AVC info is set for: https://securityhub.cisco.com/web/application_visibility_control
Here’s the category lookup and submit tool: https://securityhub.cisco.com/web/submited_urls
06-16-2011 01:13 PM
Good call on the Flash Video.
I SSH to the Ironport and played around with grep. Found this, which looks to be flash video. Oddly I didn't even think of it as flash video, as myself (in the very unrestricted IT group) can see the weather widget and there's obviously no video. However one of the pages calls an swf from another server... it must be the way they dynamically draw the sun or clouds in the forecast.
test@Windows
" DIRECT/netwx.accuweather.com application/x-shockwave-flash BLOCK_AVC_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-DefaultGroup
1308254622.019 307 10.1.3.126 TCP_DENIED/403 5344 GET
om/netWx-V212.swf?zipcode=19464&customtheme=&theme=blue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0 "DIAMONDCU\test@Windows" DIRECT/netwx.accuweather.com application/x-shockwave-flash BLOCK_AVC_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-DefaultGroup
06-16-2011 01:29 PM
It was flash video AND Media, so in Global Policy for applications (because that's where the default restricted user falls back to) I changed them to monitor and it now works.
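The grep step from this thread, done offline over exported access-log lines, as an added example that is not from any poster or from Cisco: it picks out one test client's requests that carry a BLOCK_AVC decision tag and groups them by destination host, content type and policy, which is what exposed the Flash object here even though the URL category was allowed. The field order is assumed from the log line quoted above; the sample lines, hosts, user and the `DEFAULT_CASE` line are constructed.

```python
import re
from collections import Counter

# Field order assumed from the access-log line quoted in the thread:
# epoch elapsed client result/status bytes method url user hierarchy/host mime decision-tag
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>"[^"]*"|\S+)\s+(?P<hier>\w+)/(?P<host>\S+)\s+'
    r'(?P<mime>\S+)\s+(?P<tag>\S+)'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].strip('"')
    # Tag looks like BLOCK_AVC_11-<policy>-<identity>-...; assumes group names have no hyphen.
    decision, _, groups = rec["tag"].partition("-")
    rec["decision"] = re.sub(r"_\d+$", "", decision)  # BLOCK_AVC_11 -> BLOCK_AVC
    rec["policy"] = groups.split("-")[0] if groups else ""
    return rec

def avc_blocks(lines, client_ip):
    """Requests from one test client that the AVC engine blocked."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r["client"] == client_ip
            and r["decision"].startswith("BLOCK_AVC")]

def summarize(blocks):
    """Count blocked requests per (destination host, content type, policy)."""
    return Counter((r["host"], r["mime"], r["policy"]) for r in blocks)

# Constructed sample lines (hosts, user and URLs are placeholders, not from the thread).
SAMPLE = [
    '1308254621.500 120 10.0.0.5 TCP_MISS/200 8120 GET http://intranet.example/home '
    '"EXAMPLE\\test" DIRECT/intranet.example text/html '
    'DEFAULT_CASE_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-DefaultGroup',
    '1308254622.019 307 10.0.0.5 TCP_DENIED/403 5344 GET http://widget.example/w.swf?zip=00000 '
    '"EXAMPLE\\test" DIRECT/widget.example application/x-shockwave-flash '
    'BLOCK_AVC_11-Restricted_Internet-Authenticated_Users-NONE-NONE-NONE-DefaultGroup',
    '1308254623.100 95 10.0.0.9 TCP_DENIED/403 5344 GET http://widget.example/w.swf - '
    'DIRECT/widget.example application/x-shockwave-flash BLOCK_AVC_11-Restricted_Internet-NONE',
]

if __name__ == "__main__":
    print(summarize(avc_blocks(SAMPLE, "10.0.0.5")))
```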