Ironport AsyncOS 7.1.1 and IE 9

bwilloby46
Level 1

Hello all,

I thought surely someone has seen this issue, but I haven't seen any discussions, so I will start one.  Some of our IT users have recently upgraded to Microsoft Internet Explorer 9 for testing purposes from IE 8.  It appears that IE 9 bypasses user and IP address identities in IronPort altogether, and blocks based on AVC (Application Visibility Controls) vs URL filters on some sites.  Doesn't matter what AD group, IP range, etc. the user belongs to, sites are blocked which were previously allowed in IE8.  I have been bombarded with phone calls asking why this and that were blocked, but the only change in the environment is the users' install of IE9.  No configurations have changed on the WSA in over a month.  Same issue with Firefox 3.6, but that is a known issue.  I have not found a way to allow use of IE 9 in conjunction with a WSA running AVC controls.  Does anyone know if Cisco will release an AsyncOS that will allow IE9 user agents in the future? If anyone knows of a workaround for this, I would be greatly appreciative if you could share it.

Thanks to all who can share information or provide feedback on this issue.

Accepted Solutions

edadios
Cisco Employee

Hello,

Is this a WCCP or explicit forward setup?

Can you please specify which sites you are having problems with, and a site that does work?

Which AVC do you have set?

I just tested with a configuration of NTLM auth, explicit forward, and with blocking news site, and I am blocked based on CIWUC, and my AVC are also enabled.

Can you share some access log examples for the problem traffic?

Thanks,

Eric

Blocked by CIWUC though AVC is also configured to block Facebook.

1300234626.193 2 64.104.205.215 TCP_DENIED/403 2228 GET http://www.facebook.com/ "INT-IP\ericuser1@NTLM" NONE/- - BLOCK_WEBCAT_11-erictest-erictest-NONE-NONE-NONE-NONE - 2011-03-16 08:17:130

Disabled CIWUC block, and left AVC to block


1300234726.043 1 64.104.205.215 TCP_DENIED/403 2054 GET http://www.facebook.com/ "INT-IP\ericuser1@NTLM" NONE/- - BLOCK_AVC_11-erictest-erictest-NONE-NONE-NONE-NONE - 2011-03-16 08:18:130 -

View solution in original post

3 Replies 3

I just fixed this about 10 minutes ago.  AVC was blocking on an Auth exempt identity, causing all traffic with that criteria to be blocked and not even enter the webcat.

Thanks for your insights, edadios!!  They helped tremendously.

Hello friends,

Would you share with me a procedure to block Skype with Ironport WSA-S-170?

Regards!