03-15-2011 04:19 PM
Hello all,
I thought surely someone has seen this issue, but I haven't seen any discussions, so I will start one. Some of our IT users have recently upgraded from IE 8 to Microsoft Internet Explorer 9 for testing purposes. It appears that IE 9 bypasses user and IP address identities in IronPort altogether, and blocks based on AVC (Application Visibility Controls) vs URL filters on some sites. It doesn't matter what AD group, IP range, etc. the user belongs to; sites are blocked which were previously allowed in IE 8. I have been bombarded with phone calls asking why this and that were blocked, but the only change in the environment is the users' install of IE 9. No configurations have changed on the WSA in over a month. Same issue with Firefox 3.6, but that is a known issue. I have not found a way to allow use of IE 9 in conjunction with a WSA running AVC controls. Does anyone know if Cisco will release an AsyncOS that will allow IE 9 user agents in the future? If anyone knows of a workaround for this, I would be greatly appreciative if you could share it.
Thanks to all who can share information or provide feedback on this issue.
03-15-2011 05:26 PM
Hello,
Is this a WCCP or explicit forward setup?
Can you please specify which sites you are having problems with, and a site that does work?
Which AVC do you have set?
I just tested with a configuration of NTLM auth, explicit forward, and with blocking a news site, and I am blocked based on CIWUC, and my AVC are also enabled.
Can you share some access log examples for the problem traffic?
Thanks,
Eric
Blocked by CIWUC, though AVC is also configured to block Facebook.
1300234626.193 2 64.104.205.215 TCP_DENIED/403 2228 GET http://www.facebook.com/ "INT-IP\ericuser1@NTLM" NONE/- - BLOCK_WEBCAT_11-erictest-erictest-NONE-NONE-NONE-NONE
Disabled CIWUC block, and left AVC to block
1300234726.043 1 64.104.205.215 TCP_DENIED/403 2054 GET http://www.facebook.com/ "INT-IP\ericuser1@NTLM" NONE/- - BLOCK_AVC_11-erictest-erictest-NONE-NONE-NONE-NONE
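The two log lines in the post above differ only in the decision tag (`BLOCK_WEBCAT` for the CIWUC URL-category block, `BLOCK_AVC` for the AVC block). The following is an added example, not part of the original post and not Cisco code, that tallies denied requests per user and blocking engine; the field layout is an assumption inferred from those two lines, and the function names are hypothetical.

```python
import re
from collections import Counter

# The two access-log lines quoted in the post above (no new data).
SAMPLE_LOG = r'''
1300234626.193 2 64.104.205.215 TCP_DENIED/403 2228 GET http://www.facebook.com/ "INT-IP\ericuser1@NTLM" NONE/- - BLOCK_WEBCAT_11-erictest-erictest-NONE-NONE-NONE-NONE
1300234726.043 1 64.104.205.215 TCP_DENIED/403 2054 GET http://www.facebook.com/ "INT-IP\ericuser1@NTLM" NONE/- - BLOCK_AVC_11-erictest-erictest-NONE-NONE-NONE-NONE
'''

# Assumed layout, inferred from the sample lines rather than from a format spec.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>"[^"]*"|\S+)\s+'
    r'(?P<peer>\S+)\s+(?P<mime>\S+)\s+(?P<acl>\S+)'
)
# Decision tag such as BLOCK_AVC_11: action, engine, numeric suffix (kept opaque).
TAG_RE = re.compile(r'^(?P<action>[A-Z]+)_(?P<engine>[A-Z_]+?)_(?P<num>\d+)$')


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].strip('"')
    # Everything after the first "-" is the run of policy-name fields.
    tag, _, rec["policies"] = rec["acl"].partition("-")
    t = TAG_RE.match(tag)
    rec["action"], rec["engine"] = (t["action"], t["engine"]) if t else (tag, None)
    return rec


def blocks_by_engine(log_text):
    """Count denied requests per (user, engine) so AVC blocks stand apart from URL-category blocks."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "TCP_DENIED" and rec["action"] == "BLOCK":
            counts[(rec["user"], rec["engine"])] += 1
    return counts


if __name__ == "__main__":
    for (user, engine), n in sorted(blocks_by_engine(SAMPLE_LOG).items()):
        print(f"{user}\t{engine}\t{n}")
```

Run against an exported access log, a user whose denials are all `AVC` rather than `WEBCAT` points at the application controls, not the URL filters, as the blocking policy.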
03-29-2011 03:05 PM
I just fixed this about 10 minutes ago. AVC was blocking on an Auth exempt identity, causing all traffic with that criteria to be blocked and not even enter the webcat.
Thanks for your insights, edadios!! They helped tremendously.
09-24-2014 02:30 PM
Hello friends,
Would you share with me a procedure to block Skype with IronPort WSA-S-170?
Regards!