Ironport decrypting traffic on its own

Michael Cole
Level 1

We had a situation come up today; we have users that access a site that uses digital certificates (Fedline) for access, and it stopped working for all users at multiple branches this morning. It didn't give any kind of error message - the login (user/pass) page for the site was fully accessible. Since we are set up with certificates, we don't have the login credentials. The distant end swore up and down that everything was good on their end. (and it was.)

Turns out, Ironport started dropping/decrypting traffic to that IP address.   The fix action was to add the decrypted IP to our 'Nodecrypt' category.  This had been functioning correctly for months, but we are concerned because it caused a significant outage, and we didn't make any changes to Ironport, but it definitely started treating the traffic destined for that IP differently.  What would cause this kind of behavior?  Is there a way to stop it from doing this again? 

Mike C

3 Replies

I had this issue with a bank or two using Entrust, when I added Entrust's intermediate cert to the WSA, it started decrypting traffic. I'm not sure if it's a bug in the WSA where they aren't following the chain, or if the web site should be importing the intermediate cert...

Assuming IE, view the cert using the browser, on the Details tab, click the Copy to File button, save it as a Base-64 encoded X.509.

Then in the WSA, go to Security Services/HTTPS Proxy, click on Manage Trusted Root Certificates... near the bottom, and import the new one.

Thanks Ken... but what I am not clear on is why Ironport started treating this traffic differently out of the blue, without any configuration changes. It happened again this morning with a different IP, same site (although I think importing the certificate like you said would have prevented it from happening, I am off to find a user with the cert).

Just really frustrating and we REALLY want to avoid surprises like this in the future.  If anyone has any ideas on how to prevent this from happening again I am all ears.

Michael,

The piece you're missing is that the web site updated their cert... and/or didn't upload the intermediate cert to the web server.

It was issued 4/10/13, and given how high profile this is, they may not have actually rolled it public without testing etc. so you may not have seen it until now...

You don't have to go find a user, you can get the public and intermediate certs for Entrust yourself, either by going to the site in question using the browser to export each cert, or from Entrust: http://www.entrust.net/knowledge-base/technote.cfm?tn=7869

Now, there is a spot for Cisco to do something here... as they already ship with the Entrust 2048 cert in their trusted store, so why intermediate stuff isn't working, I don't know... Maybe someone from Cisco can pipe in here...

Ken
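Ken's diagnosis (the site rolled a new leaf certificate without serving its intermediate, so the WSA cannot follow the chain to a root it already trusts) can be confirmed from the proxy side before importing anything. The following is an added example, not code from this thread or from Cisco: it parses the "Certificate chain" summary that `openssl s_client -showcerts` prints and reports whether the chain the server actually sends reaches a root in a trust store. The server output, the CA names and the trust store are constructed samples.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: chain summary from `openssl s_client -showcerts` for a
# server that sends only its leaf certificate (hypothetical names).
LEAF_ONLY = """\
Certificate chain
 0 s:C = US, O = Example Bank, CN = fedline.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
"""

# Same server after the operator uploads the intermediate (constructed).
LEAF_AND_INTERMEDIATE = LEAF_ONLY + """\
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA 2048
"""

# Constructed trust store, keyed by subject DN, standing in for the roots the
# WSA ships with. Note the intermediate is deliberately not in it.
TRUSTED_ROOTS: Set[str] = {"C = US, O = Example CA, CN = Example Root CA 2048"}

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")


def parse_chain(output: str) -> List[Dict[str, Optional[str]]]:
    """Return the served certificates, leaf first, as subject/issuer pairs."""
    chain: List[Dict[str, Optional[str]]] = []
    for line in output.splitlines():
        if m := SUBJECT_LINE.match(line):
            chain.append({"subject": m.group(2).strip(), "issuer": None})
        elif (m := ISSUER_LINE.match(line)) and chain:
            chain[-1]["issuer"] = m.group(1).strip()
    return chain


def check_chain(chain: List[Dict[str, Optional[str]]], roots: Set[str]) -> Dict[str, object]:
    """Walk the served chain and say whether it ends at a trusted root."""
    if not chain:
        return {"complete": False, "missing_issuer": None,
                "problems": ["server sent no certificates"]}
    problems = []
    # Each certificate must be issued by the next one the server sent.
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            problems.append(f"cert {i} issuer does not match cert {i + 1} subject")
    last = chain[-1]
    anchored = last["issuer"] in roots or last["subject"] in roots
    if not anchored:
        problems.append(f"chain stops at untrusted issuer: {last['issuer']}")
    return {"complete": anchored and not problems,
            "missing_issuer": None if anchored else last["issuer"],
            "problems": problems}
```

A chain that "stops at untrusted issuer" names exactly the intermediate whose absence makes the proxy treat the site as unverifiable; importing that issuer, as Ken describes, is the workaround, while the proper fix is on the web server.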