HTTPS SSL client certificate issue in explicit mode

Hi,

I have an issue in Cisco IronPort explicit forward mode wherein a client is trying to connect to an external website. In the response from the server, the certificate is reaching the client.

HTTPS proxy mode is not enabled in WSA. Client is using software to connect to the server. I have attached Wireshark output in which the SSL handshake shows certificate length 0.

Website is https://esrs-core.emc.com.

OS version is 7.5.1.

Please suggest.

Regards

Chirag

Sorry, I mean the certificate is not reaching the client.

Chirag,

If HTTPS proxy is not enabled, then you will have to tunnel the traffic out.  You may add port 443 as an HTTP Connect port in the Protocols sections in the Access Policies.

-Vance

Hi Vance,

You mean include the HTTPS protocol in the access policy? If so, it is already included (HTTP, HTTPS and FTP). Please confirm I understood it correctly.

Regards

Chirag

I believe the HTTP, HTTPS, and FTP you mentioned are shown with radio buttons next to them to BLOCK; is that correct? Make sure it is not blocked. In the field below that, make sure port "443" is included as an "HTTP Connect Port."

-Vance

Hi Vance,

In HTTP, outbound tunnel is allowed with ports 1-65535. The issue here is that during communication between client and server the certificate length was 0, which means SSL communication is not happening properly.

Regards

Chirag

Chirag,

I would recommend that you open a TAC case for them to troubleshoot as to what the issue may be.  If you are tunnelling the traffic out, the WSA should not be modifying any certificate information.

-Vance
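
For reading a "certificate length 0" line in a capture like the one discussed in this thread, here is an added example (not code from any poster or from Cisco) that parses one direction of a cleartext TLS 1.2-or-earlier handshake and reports the size of each Certificate message's certificate list. In TLS 1.2 and earlier an empty list is itself a valid encoding (a client with no suitable certificate answers a CertificateRequest this way), so it matters which direction the message travelled. The function name and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, CERTIFICATE = 22, 20, 11

def u24(buf, off):
    """Read a 3-byte big-endian length field."""
    return int.from_bytes(buf[off:off + 3], "big")

def certificate_lists(stream):
    """Return [(list_len, [cert_len, ...])] for every Certificate message in
    one direction of a cleartext TLS <= 1.2 handshake (raw record bytes)."""
    payload, off = bytearray(), 0
    while off + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated TLS record")
        if ctype == CHANGE_CIPHER_SPEC:
            break                      # later handshake records are encrypted
        if ctype == HANDSHAKE:
            payload += body            # messages may span several records
        off += 5 + rlen
    found, pos = [], 0
    while pos + 4 <= len(payload):
        mtype, mlen = payload[pos], u24(payload, pos + 1)
        msg = payload[pos + 4:pos + 4 + mlen]
        if len(msg) < mlen or (mtype == CERTIFICATE and mlen < 3):
            raise ValueError("truncated handshake message")
        if mtype == CERTIFICATE:
            # certificate_list: 3-byte total length, then 3-byte length + DER each
            list_len, p, certs = u24(msg, 0), 3, []
            while p + 3 <= 3 + list_len and p + 3 <= len(msg):
                certs.append(u24(msg, p))
                p += 3 + certs[-1]
            found.append((list_len, certs))
        pos += 4 + mlen
    return found

# Constructed sample records (not taken from the capture in this thread).
EMPTY_CERT = bytes.fromhex("1603010007" "0b000003" "000000")
ONE_CERT = bytes.fromhex("160301000e" "0b00000a" "000007" "000004" "deadbeef")

if __name__ == "__main__":
    for name, data in (("empty", EMPTY_CERT), ("one cert", ONE_CERT)):
        print(name, certificate_lists(data))
```

Feed it the reassembled TCP payload of one direction of the connection (for example, a raw "Follow TCP Stream" export from Wireshark), skipping the proxy's plaintext CONNECT exchange that precedes the TLS records.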