07-29-2013 01:07 AM
We have recently been trying to set up a BYOD wireless network, and the wireless clients that join this network have their traffic routed directly to an Ironport S370 (Ver 7.1.4-053), as we do not want the BYOD users to have to configure their proxy settings.
We have created an Identity which matches the subnet given to BYOD devices with no authentication, and then an Access Policy for filtering. All this works as long as the traffic is HTTP; as soon as you try to access anything using HTTPS, the Ironport seems to drop the traffic, as it never hits the firewall and the page cannot be displayed.
Any domained clients which have the Ironport address as their proxy work fine.
The Ironport is not set to bypass any addresses in bypass settings.
I am sure there must be a simple answer as to why HTTPS traffic is not being forwarded, and any pointers as to why this is would be greatly appreciated.
Many thanks,
Neil.
07-31-2013 06:57 AM
Hi Igor and Neil,
As per AsyncOS 7.5 documentation, HTTPS proxy needs to be enabled to process HTTPS traffic in transparent mode.
Following is the extract from the doco:
"When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests."
If you do not want to decrypt HTTPS traffic, you can enable HTTPS proxy in pass-through mode.
Thanks,
Wipula.
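The documented behaviour quoted above gives a way to triage this symptom from the access log alone: explicit HTTPS clients leave CONNECT entries, while transparently redirected HTTPS that the proxy drops leaves no entry at all, so a redirected client that shows HTTP activity and no CONNECT entries is the signature to look for. The script below is an added example for this thread, not Cisco's tooling or anything posted by the participants. The log lines are constructed for the example in a simplified Squid-style layout (an assumption, not the appliance's exact access-log format), and the subnet 10.50.1.0/24 standing in for the BYOD range is invented.

```python
"""Triage helper: find transparently redirected clients whose HTTPS never
reaches the access log (the symptom when the HTTPS Proxy is disabled).

The sample lines are CONSTRUCTED for this example. Field order assumed
(simplified, Squid-like): timestamp, elapsed ms, client IP, result code,
bytes, method, URL, user, hierarchy/server, mime type, decision tag.
"""
import ipaddress
from collections import defaultdict

LOG_FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
              "method", "url", "user", "hierarchy", "mime", "decision_tag")

# Constructed sample: 10.50.1.21 is a redirected (BYOD) client that only ever
# appears with plain HTTP; 10.10.5.7 is an explicit-proxy client whose HTTPS
# browsing shows up as a CONNECT tunnel.
SAMPLE_ACCESS_LOG = """\
1375060000.123 45 10.50.1.21 TCP_MISS/200 8187 GET http://www.example.com/ - DIRECT/www.example.com text/html DEFAULT_CASE_11-BYOD_Access-BYOD-NONE-NONE-NONE-DefaultGroup
1375060003.456 12 10.50.1.21 TCP_MISS/200 512 GET http://www.example.com/favicon.ico - DIRECT/www.example.com image/x-icon DEFAULT_CASE_11-BYOD_Access-BYOD-NONE-NONE-NONE-DefaultGroup
1375060010.789 130 10.10.5.7 TCP_MISS/200 39 CONNECT tunnel://login.example.net:443/ "DOMAIN\\alice" DIRECT/login.example.net - DEFAULT_CASE_11-Corp_Access-Corp_Identity-NONE-NONE-NONE-DefaultGroup
1375060011.001 88 10.10.5.7 TCP_MISS/200 2048 GET http://intranet.example.net/ "DOMAIN\\alice" DIRECT/intranet.example.net text/html DEFAULT_CASE_11-Corp_Access-Corp_Identity-NONE-NONE-NONE-DefaultGroup
"""


def parse_access_log(text):
    """Parse whitespace-separated log lines into dicts keyed by LOG_FIELDS.

    A line with fewer than seven fields (through the URL) is skipped instead
    of raising, so a truncated final line does not abort a triage run.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        entries.append(dict(zip(LOG_FIELDS, parts)))
    return entries


def summarize_clients(entries):
    """Count plain-HTTP requests and CONNECT tunnels per client IP.

    An explicit-proxy client that browses an HTTPS site produces a CONNECT
    entry; a client whose HTTPS is transparently redirected and then dropped
    produces no entry for that site at all.
    """
    summary = defaultdict(lambda: {"http": 0, "connect": 0})
    for e in entries:
        if e["method"] == "CONNECT":
            summary[e["client"]]["connect"] += 1
        elif e["url"].startswith("http://"):
            summary[e["client"]]["http"] += 1
    return dict(summary)


def suspected_transparent_https_drops(entries, transparent_subnet):
    """Return clients inside the transparently redirected subnet that show
    HTTP activity but not a single CONNECT entry.

    The check is restricted to the redirected subnet on purpose: for an
    explicit-proxy client the absence of CONNECT just means no HTTPS
    browsing, whereas for a redirected client it is consistent with the
    proxy silently dropping the redirected HTTPS.
    """
    net = ipaddress.ip_network(transparent_subnet)
    suspects = []
    for client, counts in sorted(summarize_clients(entries).items()):
        if (ipaddress.ip_address(client) in net
                and counts["http"] > 0 and counts["connect"] == 0):
            suspects.append(client)
    return suspects


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_ACCESS_LOG)
    for client, counts in summarize_clients(parsed).items():
        print(f"{client}: http={counts['http']} connect={counts['connect']}")
    print("suspected dropped transparent HTTPS:",
          suspected_transparent_https_drops(parsed, "10.50.1.0/24"))
```

Run it against a real accesslog export by replacing SAMPLE_ACCESS_LOG with the file contents and the subnet with the BYOD range; if the field order of the export differs from the assumed layout, adjust LOG_FIELDS so that "client", "method" and "url" line up, as those three are the only fields the checks use.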
07-29-2013 01:13 AM
Hello Neil,
Is HTTPS Proxy enabled on your Ironport?
If so, which is the default Decryption Policy? Do you have any configured?
If you do not have HTTPS Proxy enabled, make sure that HTTPS is not one of the blocked protocols on your Access policy.
Also, using Policy Trace could help, showing what is going on in your Ironport.
Hope this helps to guide you to the solution.
Best regards,
Igor
07-29-2013 01:40 AM
Igor,
HTTPS Proxy is not enabled. I have just run a Policy Trace with an HTTPS address and it seems it does not match any policy, but I cannot see why it would not match the BYOD access policy.
The result is below:
Policy Match
IronPort Data Security policy: None
Decryption policy: None
Routing policy: Global Routing Policy
Identity policy: BYOD
Access policy: None
The BYOD access policy is set to match the BYOD Identity. I have tried altering the Protocols & User Agents, but this seems to have no effect.
Thanks,
Neil.
07-29-2013 02:34 AM
Then maybe somebody else can confirm that in order to be able to view HTTPS sites HTTPS Proxy should be enabled?
I know that HTTPS appears as a protocol to enable or block in the Access Policy, but if it's enabled, then maybe it's because HTTPS Proxy is a must to view HTTPS websites.