I configured WSA Ironport with WCCP - ASA, transparent proxy. I configured some Custom URL sites, and some categories to be warned by the WSA. User should click on a URL link on the warn page to access the site.
Doing so, he get an page saying:
The system cannot communicate with the external server ( private252.wsa.cio.olympic.org ). The Internet server may be busy, may be permanently down, or may be unreachable because of network problems.
Please check the spelling of the Internet address entered. If it is correct, try this request later.
If you have questions, please contact your organization's network administrator and provide the codes shown below.
The URL on the link is:
URL: GET http://private252.wsa.cio.olympic.org/A8:3600:14400:0000000054e8c503/d49c2ba41765f4cf4adec4bf4934493217f6737376a7fc8609c299d8970f3a41/1424268290/http://www.nicolas.com
private252.wsa..... is the address of the WSA
Can somebody help?
Are you using authentication for this traffics?
if yes, check your redirect hostname for authentication under GUI -> Network -> Redirect Hostname and make sure you are using single word hostname instead of FQDN and that single word hostname must be resolving to your data interface of WSA by client machines. (e.g. P1 or just Management interface if you are only using single interface).
If your browser non-IE, for example Mozilla Firefox, you will need to add the redirect hostname of WSA to its trusted site. (type about:config in firefox -> search html key word -> double click on network.automatic-ntlm-auth.trusted-uris -> enter your redirect hostname to this section)
Hope this helps.
Many thanks for your answer. I am using transparent authentication, and your sugestion did not help.
In fact this is the Web Security Appliance how send this URL in reply to the warn page. It seems it does not understand its own URL.
If I configure the proxy in Firefox, it works....
Can you share the access logs from the WSA when you are using Internet browser that having issue and access logs using Firefox (no issue) to compare.
here is the log with URL "www.nicolas.com":
1424694823.513 0 172.20.111.156 NONE/504 0 GET http://private252.wsa.cio.olympic.org/A8:3600:14400:28556e61757468656e74696361746564293137322e32302e3131312e313536405f5f67756573745f7265616c6d5f5f@0000000054eb1e1f/cbecfb66725ae214f7b69a9e1075ae2d3b73f0dd42b961a0509dec6f84439250/1424268290/http://www... - DIRECT/private252.wsa.cio.olympic.org - ALLOW_CUSTOMCAT_12-DefaultGroup-eun_internal_group-NONE-NONE-NONE-DefaultGroup <C_Whit,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -
From the access logs, it is getting gateway time out /504 which normally indicating there is network problem. And looks like it is redirecting the traffic to itself, this behaviour normally the case if you have end-user acknowledgement and notification enabled and customised.
Would recommend that you open a TAC case for this to investigate further and the engineer can analyse your appliance and configuration from the tunnel access of the appliance