HID OmniKey

kjohnson1024 (Level 1)

Hello,

I am using an HID OmniKey 5321 contactless card reader to authenticate to our Windows workstations. Everything works fine for users not required to pass through the IronPort, but my attempts to bypass the proxy for this authentication keep failing. The OmniKey uses port 80 to talk to the servers and I think it is getting caught in our WCCP ACL and transparent proxy. However, the servers are all internal; I've added the authentication servers to IE trusted sites and added them to the IronPort PAC file, but none of these are working.

Has anyone seen anything like this?

Thanks,

KJ

3 Replies

Have you tried putting the authentication servers in bypass? (Web Security Manager > Bypass Settings) This basically makes the WSA ignore any traffic to the IPs you put in there. That should at least tell you if the WSA is seeing that traffic.

If that makes it work, but you don't want to use bypass, I'd look at the access log when this process happens. 

If it's failing because you require authentication, you could set up an identity for the user-agent of the HID software or for the destination authentication boxes and not require the WSA to have authentication for them.

To look at the access log, make a note of the IP of the workstation you are testing

SSH or Telnet to the WSA.

Type "grep" and hit Enter.

Enter the number of the log you wish to grep.
[]> 1

Enter the regular expression to grep.
[]>

Do you want this search to be case insensitive? [Y]> y

Do you want to search for non-matching lines? [N]> n

Do you want to tail the logs? [N]> y

Do you want to paginate the output? [N]> n

Then wave the card at the workstation... You should see a log of what the WSA sees.

Hope that helps...
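As an added illustration of the access-log check described in the reply above (example code written for this page, not from the thread, from HID, or from Cisco): a small Python script that filters WSA access-log lines for one workstation IP and tallies proxy-authentication challenges (HTTP 407) against requests that carried a username, then lists the destination hosts that were challenged. The field order follows the standard WSA access-log layout (timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy/server, MIME type, ACL decision tag); the log lines, the client address 10.1.20.55 and the host auth.corp.example are constructed for the example, and everything after the ACL decision tag is elided.

```python
"""Triage Cisco WSA access-log lines for one workstation.

Added example for this page; not code from the thread or from Cisco.
Field order follows the WSA access log:
  timestamp elapsed_ms client_ip result/status bytes method url user
  hierarchy/server mime acl_decision_tag ...
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: workstation 10.1.20.55 talks to the internal
# authentication server on port 80 with no proxy credentials and is
# challenged with 407 twice; a later request with a username is allowed.
# Another client (10.1.20.77) is included as noise to filter out.
SAMPLE_LOG = """\
1393520100.123 45 10.1.20.55 TCP_DENIED/407 0 GET http://auth.corp.example/hid/validate - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE-NONE
1393520100.901 12 10.1.20.55 TCP_DENIED/407 0 GET http://auth.corp.example/hid/validate - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE-NONE
1393520103.004 230 10.1.20.77 TCP_MISS/200 8187 GET http://www.example.com/ jdoe@CORP DIRECT/www.example.com text/html DEFAULT_CASE_12-AccessPolicy-CorpUsers-NONE-NONE-NONE-NONE-NONE
1393520104.500 50 10.1.20.55 TCP_MISS/200 512 POST http://auth.corp.example/hid/validate kjohnson@CORP DIRECT/auth.corp.example text/xml DEFAULT_CASE_12-AccessPolicy-CorpUsers-NONE-NONE-NONE-NONE-NONE
"""

# Matches the first eleven whitespace-separated fields of an access-log line.
ACCESS_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)\s+(?P<tag>\S+)"
)


def parse_access_line(line):
    """Return the parsed fields of one line, or None if it is not an access-log line."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Map one entry to a coarse verdict a proxy admin cares about."""
    if entry["status"] == 407:
        return "proxy-auth-required"   # WSA demanded credentials the client never sent
    if entry["result"].startswith("TCP_DENIED"):
        return "denied"                # blocked by policy for some other reason
    return "allowed"


def triage(log_text, client_ip):
    """Summarise what the WSA saw from one client IP.

    A zero 'seen' count means the WSA never saw the client's traffic at all,
    which is the other failure mode discussed in this thread (traffic not
    redirected by WCCP, or matched by a bypass entry).
    """
    entries = [
        e for e in map(parse_access_line, log_text.splitlines())
        if e is not None and e["client"] == client_ip
    ]
    verdicts = Counter(classify(e) for e in entries)
    return {
        "seen": len(entries),
        "by_verdict": dict(verdicts),
        "no_credentials": sum(1 for e in entries if e["user"] == "-"),
    }


def exemption_candidates(log_text, client_ip):
    """Destination hosts that the client was challenged (407) for without a username.

    These are the hosts an admin would consider for a destination-based identity
    that does not require authentication, or for the bypass list.
    """
    hosts = set()
    for line in log_text.splitlines():
        e = parse_access_line(line)
        if e is None or e["client"] != client_ip:
            continue
        if e["status"] == 407 and e["user"] == "-":
            hosts.add(urlparse(e["url"]).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "10.1.20.55"))
    print(exemption_candidates(SAMPLE_LOG, "10.1.20.55"))
```

Run it against the real log by replacing SAMPLE_LOG with the lines the WSA "grep" session (or a copied accesslog) produced for the workstation's IP. If the summary shows 407s with user "-" for the internal hosts, the WSA did see the card reader's traffic and refused it for lack of proxy credentials; if nothing is seen, the traffic is not reaching the WSA in the first place.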

I added both the FQDN and the network range to the proxy bypass, but still get the same results. I tried looking at the access logs, but they didn't return anything.

If I use the policy trace it always allows the trace with a user name, but the OmniKey doesn't pass user credentials, so the WSA is denying the connection.

Also, if I disable the proxy in IE the connection works fine. Could this be an NTLM issue?

Thanks

OK, let me step back. I just reread your first message.

You're using transparent with WCCP, yes?  So you don't need the IE proxy settings AT ALL, nor do you need the PAC file...

When you use WCCP, traffic bound for the internet goes to your router or firewall. If the router/firewall sees that the "web cache" (aka the WSA) is up and ready for traffic, it sends the traffic there instead of out to the next hop. If it's not up, the traffic goes out (aka it fails open). This means that the only traffic that gets to the WSA is traffic destined for the other side of the router/firewall.

If you use PAC, or set the proxy settings (manual or via group policy) you're forcing all traffic to the WSA (though you can configure exceptions on each machine). 

Here's a doc on setting up a WSA that I used (pg 16/17):

Note that there's no mention of proxy settings, PAC files, or any of that other fun...

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/H1CY11/SBA_Mid_BN_WebSecurityDeploymentGuide-H1CY11.pdf