1608 Views · 0 Helpful · 4 Replies

Question about https

andrewdours
Level 1

I'm just over 6 months on the job and am new to the IronPort.  I found that users can still get to Facebook and other web sites by using HTTPS.  Not sure if I need to enable the HTTPS proxy.  I don't really care to monitor the SSL session.  Our policy is just to limit access to certain web pages.  Can anyone advise?  We're using WCCP from an ASA firewall.  Thanks.

2 Accepted Solutions

edadios
Cisco Employee

You will need to configure the proxy to perform the HTTPS proxy function.

The proxy only looks at traffic on the ports it is configured for: HTTP, HTTPS and FTP.

When you configure the HTTPS proxy function, the policy that applies will be the one configured in the Decryption Policy for this traffic.

There is more information in the GUI -> top right-hand side -> Support and Help -> search for Decryption Policies.

I hope this information helps you.

Regards,

Eric


To add on to what Eric is saying:

The decryption policies have a few different actions. To block Facebook HTTPS traffic, there are a few different ways to do it, depending on your needs.

  • Add facebook.com and .facebook.com to a custom category.
  • Or, if you want to block all social networking sites, just modify the action for the "Social Networking" category.

In the decryption policies, here are your options for blocking:

  • Set the category to Drop. This means that the SSL connection will be abruptly terminated - NO BLOCK PAGE. Just a generic browser error will show up.
  • Set the category to Decrypt, and then the access policies will apply. So if your access policies block Facebook, Facebook will be blocked.

One key thing to understand is that cookie surrogates won't provide auth credentials for HTTPS traffic, so if you're using cookie surrogates, your decryption policies will be for all users matching a "no auth" Identity. In short, this means that you can only "drop" HTTPS Facebook traffic for EVERYONE; you can't pick and choose by user / group, unless you use IP surrogates.

This is due to technical limitations in how HTTPS proxies work with authentication.

Hope this helps.

Cheers,

Josh


4 Replies

Thanks Josh and Eric.  I did enable the HTTPS proxy and had the default action to Decrypt.  I only had Decrypt set for the categories that are blocked in our Web Proxy settings.  I changed it to Pass-Through, but still received many certificate errors while browsing to various secure sites that are allowed and set to Pass-Through in the Decryption Policy.  I did not load a certificate on the IronPort, but simply had one generated.  Could this be the cause of the certificate error issue?  Thanks again for your help.

Andrew

hallvard.solem
Level 1

You should not get certificate errors on "pass through" sites, only on sites that are set to "decrypt". I think there might be a misconfiguration in your decrypt policies.

To get rid of the certificate errors when decrypting traffic, you will have to upload your domain CA root certificate to the appliance, and deploy client certificates to the users using the proxy.
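The behaviour described in Josh's reply (custom-category matching, the Drop / Decrypt / Pass-through actions, and the cookie-surrogate limitation) and in hallvard.solem's reply (certificate errors appear only for decrypted sites, and only while the client does not trust the appliance CA) can be tried out on sample hosts with the small model below. It is an added example for this thread, not Cisco's code or the IronPort/WSA implementation; the category pattern convention (`facebook.com` exact host, `.facebook.com` subdomains), the identity names, first-match rule ordering and the outcome strings are assumptions made for the example.

```python
# Added example, not Cisco's code or the IronPort/WSA implementation. It models
# how an HTTPS connection is handled once the HTTPS proxy is on: custom-category
# matching, the Drop / Decrypt / Pass-through actions, the cookie-surrogate
# limitation, and which clients see a certificate error. Pattern rules,
# identity names, rule ordering and outcome strings are assumptions.
from dataclasses import dataclass
from typing import Optional

NO_AUTH = "no auth"   # identity seen when the user could not be authenticated
ANY_IDENTITY = "all"  # rule applies to every identity (assumed name)


@dataclass
class CustomCategory:
    """Custom URL category. Assumed convention, which is why the reply lists
    both forms: 'facebook.com' matches that exact host only, and
    '.facebook.com' matches any subdomain such as www.facebook.com."""
    name: str
    patterns: list

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        for pat in self.patterns:
            pat = pat.lower()
            if pat.startswith("."):
                if host.endswith(pat):       # subdomain match
                    return True
            elif host == pat:                # exact host match
                return True
        return False


@dataclass
class DecryptionRule:
    identity: str   # NO_AUTH, ANY_IDENTITY or a user-group name
    category: str
    action: str     # "Drop", "Decrypt" or "Pass-through"


def categorize(host: str, categories: list) -> Optional[str]:
    """Name of the first custom category matching the host, else None."""
    for cat in categories:
        if cat.matches(host):
            return cat.name
    return None


def identify(user_group: Optional[str], surrogate: str) -> str:
    """Identity the decryption policy sees for an HTTPS connection."""
    # With cookie surrogates the authentication cookie is never visible on an
    # encrypted session, so HTTPS can only match a 'no auth' identity.
    if surrogate == "cookie" or user_group is None:
        return NO_AUTH
    # IP surrogates map the client's IP to the user who last authenticated.
    return user_group


def decide(host, user_group, surrogate, categories, rules, default_action,
           access_blocks, client_trusts_appliance_ca):
    """Decryption action for one HTTPS connection and what the client sees."""
    category = categorize(host, categories)
    identity = identify(user_group, surrogate)
    action = default_action
    for rule in rules:                       # first matching rule wins (assumed)
        if rule.category == category and rule.identity in (identity, ANY_IDENTITY):
            action = rule.action
            break
    if action == "Drop":
        outcome = "connection terminated; generic browser error, no block page"
    elif action == "Pass-through":
        outcome = "origin certificate shown; no error, access policies not applied"
    elif action == "Decrypt":
        # The appliance re-signs the server certificate with its own CA.
        if not client_trusts_appliance_ca:
            outcome = "certificate error: appliance-signed certificate not trusted"
        elif category in access_blocks:
            outcome = "blocked by access policy; block page shown"
        else:
            outcome = "allowed after inspection"
    else:
        raise ValueError(f"unknown action {action!r}")
    return {"category": category, "identity": identity,
            "action": action, "outcome": outcome}


# Constructed sample configuration.
CATEGORIES = [CustomCategory("Facebook", ["facebook.com", ".facebook.com"])]
RULES = [
    DecryptionRule("Marketing", "Facebook", "Decrypt"),   # intended per-group rule
    DecryptionRule(NO_AUTH, "Facebook", "Drop"),
]
ACCESS_BLOCKS = {"Facebook"}


def sample(host, user_group, surrogate, default_action="Pass-through",
           client_trusts_appliance_ca=False):
    return decide(host, user_group, surrogate, CATEGORIES, RULES,
                  default_action, ACCESS_BLOCKS, client_trusts_appliance_ca)


if __name__ == "__main__":
    for args in [("www.facebook.com", "Marketing", "cookie"),
                 ("www.facebook.com", "Marketing", "ip"),
                 ("www.facebook.com", "Marketing", "ip", "Pass-through", True),
                 ("mail.example.com", "Marketing", "cookie", "Decrypt")]:
        print(args[0], "->", sample(*args))
```

Running it shows the two points from the thread side by side: a Marketing user behind cookie surrogates is seen as "no auth" and gets the Drop rule no matter what the per-group rule says, and a site that falls to a Decrypt default produces a certificate error until the appliance's root certificate is trusted by the client, while a Pass-through site never does.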