cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5908
Views
0
Helpful
4
Replies

Ironport not forwarding HTTPS traffic

neilcouston
Level 1
Level 1

We have recently been trying to setup a BYOD wireless network and the wireless Clients that join this network have their traffic routed directly to an Ironport S370 (Ver7.1.4-053) as we do not want the BYOD users to have to configure their proxy settings.

We have created an Identity which matches the Subnet given to BYOD devices with no authentication and then an Access Policy for filtering, all this works as long as the traffic is HTTP, as soon as you try to access anything using HTTPS then the Ironport seems to drop the traffic as it never hits the firewall and the page cannot be displayed.

Any domained clients which have the Ironport address as their proxy work fine.

The Ironport is not set to bypass any addresses in bypass settings.

I am sure there must be a simple answer as to why HTTPS traffic is not being forwarded and any pointers as to why this is would be gretly appreciated.

Many thanks,

Neil.

1 Accepted Solution

Accepted Solutions

Hi Igor and Neil,

As per AsyncOS 7.5 documentation, HTTPS proxy needs to be enabled to process HTTPS traffic in transparent mode.

following is the extract from the doco.

" When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests "

If you do not want to decrypt HTTPS traffic, you can enable HTTPS proxy in pass-through mode.

Thanks,
Wipula.

View solution in original post

4 Replies 4

Igor Rodriguez
Level 1
Level 1

Hello Neil,

Is HTTPS Proxy enabled on your Ironport?

If so, which is the default Decryption Policy? Do you have any configured?

If you do not have HTTPS Proxy enabled, make sure that HTTPS is not one of the blocked protocols on your Access policy.

Also, using Policy Trace could help, showing what is going on in your Ironport.

Hope this helps to guide you to the solution.

Best regards,

Igor

Igor,

HTTPS Proxy is not enabled, I have just run a Policy trace and with an HTTPS address and it seems it does not match any policy but cannot see why it would not match the BYOD access policy.

The result is below

Policy Match

IronPort Data Security policy: None

Decryption policy: None

Routing policy: Global Routing Policy

Identity policy: BYOD

Access policy: None

The BYOD access policy is set to match the BYOD Identity, I have tried altering the Protocols & User Agents but this seems to have no effect.

Thanks,

Neil.

Then maybe somebody else can confirm that in order to be able to view HTTPS sites HTTPS Proxy should be enabled?

I know that HTTPS appears as a protocol to enable or block in the Access Policy, but if it's enabled, then maybe it's because HTTPS Proxy is a must to view HTTPS websites.

Hi Igor and Neil,

As per AsyncOS 7.5 documentation, HTTPS proxy needs to be enabled to process HTTPS traffic in transparent mode.

following is the extract from the doco.

" When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests "

If you do not want to decrypt HTTPS traffic, you can enable HTTPS proxy in pass-through mode.

Thanks,
Wipula.