IronPort S160/ASA5510 integration - PAC file and blocking Port 80

cpremo
Level 1

We have successfully integrated our ASA5510 and IronPort S160 appliance with Active Directory and eDirectory.  We've configured AD to push IE settings to use the IronPort proxy.pac file.  Now we need to "Block" un-configured IE access to Port 80 traffic.

In my ASA I have a firewall exception for our WAN IP ranges (source) to any Destination port tcp/http, tcp/https and domain.  If I remove the tcp/http from the exception "ALL" port 80 traffic stops, including those PCs configured to use the IronPort proxy.pac file.

So where have I gone wrong?  I want to block un-configured IE access to Port 80, forcing all users to pass through the IronPort appliance.

1 Accepted Solution

I'd have to see the ACL for sure, I'd bet you are missing a permit for port 80 from the Ironport's ip address.

I hate this job.  About 11:10 PM as I was trying to get ready for bed, I had the same thought.  Of course I had to test it out, so back to the VPN connection I went and added the filter permit for port 80 for the Ironport's ip address and voilà, it worked.  Thanks for answering my post just the same.

You need to permit the ip of the WSA to get out on port 80...
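
The fix discussed in this thread, as an added example that is not part of the original posts: a small first-match evaluator run over three ASA-style rule sets (the original exception, the one with tcp/http removed, and the one with a host permit for the proxy). The ACL name `inside_out`, all addresses, and the choice of UDP for `domain` are constructed placeholders, and the example assumes the proxy sits inside the permitted source range and its outbound traffic crosses the same ACL.

```python
import ipaddress

# Port keywords as they appear in ASA ACL entries.
PORTS = {"www": 80, "https": 443, "domain": 53}

def parse(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC any eq PORT' (subset only)."""
    t = line.split()
    action, proto = t[3], t[4]
    if t[5] == "host":                       # single address: 'host A.B.C.D'
        src = ipaddress.ip_network(t[6] + "/32")
    else:                                    # network: 'A.B.C.D MASK'
        src = ipaddress.ip_network(f"{t[5]}/{t[6]}")
    port_token = t[9]                        # tokens 7..9 are 'any eq PORT'
    return action, proto, src, PORTS.get(port_token) or int(port_token)

def verdict(acl, src_ip, proto, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, p, net, port in map(parse, acl):
        if p == proto and port == dport and ipaddress.ip_address(src_ip) in net:
            return action
    return "deny"

# Constructed sample values (not from the thread).
CLIENT, WSA = "10.1.40.7", "10.1.0.25"
LAN = "10.1.0.0 255.255.0.0"

ORIGINAL = [
    f"access-list inside_out extended permit tcp {LAN} any eq www",
    f"access-list inside_out extended permit tcp {LAN} any eq https",
    f"access-list inside_out extended permit udp {LAN} any eq domain",
]
# tcp/http removed from the exception: the proxy's own fetches are dropped too.
HTTP_REMOVED = ORIGINAL[1:]
# Only the proxy may originate port 80 traffic.
FIXED = [f"access-list inside_out extended permit tcp host {WSA} any eq www"] + ORIGINAL[1:]

def report(acl):
    """Outbound tcp/80 verdict for an unconfigured client and for the proxy."""
    return {"client": verdict(acl, CLIENT, "tcp", 80),
            "wsa": verdict(acl, WSA, "tcp", 80)}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("http removed", HTTP_REMOVED), ("fixed", FIXED)):
        print(f"{name:13s}", report(acl))
```
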