Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5665
Views
0
Helpful
4
Replies

Ironport not forwarding HTTPS traffic

Go to solution
neilcouston
Level 1
Level 1

‎07-29-2013 01:07 AM

We have recently been trying to setup a BYOD wireless network and the wireless Clients that join this network have their traffic routed directly to an Ironport S370 (Ver7.1.4-053) as we do not want the BYOD users to have to configure their proxy settings.

We have created an Identity which matches the Subnet given to BYOD devices with no authentication and then an Access Policy for filtering, all this works as long as the traffic is HTTP, as soon as you try to access anything using HTTPS then the Ironport seems to drop the traffic as it never hits the firewall and the page cannot be displayed.

Any domained clients which have the Ironport address as their proxy work fine.

The Ironport is not set to bypass any addresses in bypass settings.

I am sure there must be a simple answer as to why HTTPS traffic is not being forwarded and any pointers as to why this is would be gretly appreciated.

Many thanks,

Neil.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
wkw.bcdomain
Level 1
Level 1
In response to Igor Rodriguez

‎07-31-2013 06:57 AM

Hi Igor and Neil,

As per AsyncOS 7.5 documentation, HTTPS proxy needs to be enabled to process HTTPS traffic in transparent mode.

following is the extract from the doco.

" When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests "

If you do not want to decrypt HTTPS traffic, you can enable HTTPS proxy in pass-through mode.

Thanks,
Wipula.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Igor Rodriguez
Level 1
Level 1

‎07-29-2013 01:13 AM

Hello Neil,

Is HTTPS Proxy enabled on your Ironport?

If so, which is the default Decryption Policy? Do you have any configured?

If you do not have HTTPS Proxy enabled, make sure that HTTPS is not one of the blocked protocols on your Access policy.

Also, using Policy Trace could help, showing what is going on in your Ironport.

Hope this helps to guide you to the solution.

Best regards,

Igor

0 Helpful

Go to solution
neilcouston
Level 1
Level 1
In response to Igor Rodriguez

‎07-29-2013 01:40 AM

Igor,

HTTPS Proxy is not enabled, I have just run a Policy trace and with an HTTPS address and it seems it does not match any policy but cannot see why it would not match the BYOD access policy.

The result is below

Policy Match

IronPort Data Security policy: None

Decryption policy: None

Routing policy: Global Routing Policy

Identity policy: BYOD

Access policy: None

The BYOD access policy is set to match the BYOD Identity, I have tried altering the Protocols & User Agents but this seems to have no effect.

Thanks,

Neil.

0 Helpful

Go to solution
Igor Rodriguez
Level 1
Level 1
In response to neilcouston

‎07-29-2013 02:34 AM

Then maybe somebody else can confirm that in order to be able to view HTTPS sites HTTPS Proxy should be enabled?

I know that HTTPS appears as a protocol to enable or block in the Access Policy, but if it's enabled, then maybe it's because HTTPS Proxy is a must to view HTTPS websites.

0 Helpful

Go to solution
wkw.bcdomain
Level 1
Level 1
In response to Igor Rodriguez

‎07-31-2013 06:57 AM

Hi Igor and Neil,

As per AsyncOS 7.5 documentation, HTTPS proxy needs to be enabled to process HTTPS traffic in transparent mode.

following is the extract from the doco.

" When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests "

If you do not want to decrypt HTTPS traffic, you can enable HTTPS proxy in pass-through mode.

Thanks,
Wipula.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents