02-10-2011 01:26 PM
I'm just over 6 months on the job and am new to the IronPort. Found that users can still get to facebook and other web sites by using https. Not sure if I need to enable the HTTPS proxy. I don't really care to monitor the SSL session. Our policy is just to limit access to certain web pages. Can anyone advise. We're using WCCP from an ASA firewall. Thanks.
02-10-2011 03:05 PM
You will need to configure the proxy to do the https proxy function.
The proxy only looks at traffic for the ports it is configured to do so for: http, https and ftp.
When you configure the https proxy function, the policy that will apply will be the one configured in the decryption policy for this traffic.
There will be more information on the GUI -> top right hand side -> Support and Help -> search for Decryption Policies.
I hope this information helps you.
Regards,
Eric
02-11-2011 07:34 AM
To add on to what Eric is saying:
The decryption policies have a few different actions. To block facebook HTTPS traffic, there are a few different ways to do it, depending on your needs.
In the decryption policies, here are your options for blocking:
One key thing to understand is that cookie surrogates won't provide auth credentials for HTTPS traffic, so if you're using cookie surrogates, your decryption policies will be for all users matching a "no auth" Identity. In short, this means that you can only "drop" HTTPS facebook traffic for EVERYONE; you can't pick and choose by user / group unless you use IP surrogates.
This is due to technical limitations in how HTTPS proxies work with authentication.
Hope this helps.
Cheers,
Josh
02-18-2011 04:51 AM
Thanks Josh and Eric. I did enable the HTTPS proxy and had the default action to Decrypt. I only had Decrypt set for the categories that are blocked in our Web Proxy settings. I changed it to Pass-Through, but still received many certificate errors while browsing to various secure sites that are allowed and set to Pass-Through in the Decryption Policy. I did not load a certificate on the IronPort, but simply had one generated. Could this be the cause of the certificate error issue? Thanks again for your help.
Andrew
02-18-2011 02:03 PM
You should not get certificate errors on "pass through" sites, only on sites that are set to "decrypt". I think there might be a misconfiguration in your decrypt policies.
To get rid of the certificate errors when decrypting traffic, you will have to upload your domain CA root certificate to the appliance, and deploy client certificates to the users using the proxy.
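A quick way to check which of the two cases a given site falls into, from a client behind the proxy, is to look at who issued the leaf certificate the browser actually receives: a pass-through site presents its real certificate, a decrypted site presents one minted by the appliance's signing CA, and a decrypted site whose CA is not trusted by the client fails verification, which is the "certificate error" described in the thread. The following diagnostic is an added example, not code from the thread or from Cisco; the appliance CA common name and the PEM file path are placeholders to be replaced with the values from your own appliance.

```python
import socket
import ssl
import sys

# Placeholder: the CN of the signing certificate generated on the appliance.
# Read the real value from the HTTPS proxy settings on your own IronPort.
APPLIANCE_CA_CN = "IronPort Appliance Demo Certificate"


def issuer_cn(cert):
    """Return the issuer commonName from a dict in ssl.getpeercert() format."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, appliance_cn=APPLIANCE_CA_CN):
    """'decrypt' if the leaf was minted by the appliance CA, else 'pass-through'."""
    return "decrypt" if issuer_cn(cert) == appliance_cn else "pass-through"


def probe(host, port=443, appliance_ca_pem=None,
          appliance_cn=APPLIANCE_CA_CN, timeout=5):
    """Connect to host through the transparent (WCCP) path and report how the
    proxy handled it. Verification is left on so that an untrusted
    appliance-signed certificate shows up as the error a browser would see."""
    ctx = ssl.create_default_context()
    if appliance_ca_pem:
        # Trust the appliance CA in addition to the system store, so that
        # decrypted sites verify and can be inspected rather than rejected.
        ctx.load_verify_locations(cafile=appliance_ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), appliance_cn)
    except ssl.SSLCertVerificationError:
        # Leaf did not chain to a trusted root: typically decrypted by an
        # appliance CA that the client does not trust yet.
        return "untrusted-cert"


if __name__ == "__main__":
    # Usage: python probe.py <host> [appliance-ca.pem]
    target = sys.argv[1]
    ca_file = sys.argv[2] if len(sys.argv) > 2 else None
    print(target, probe(target, appliance_ca_pem=ca_file))
```

Run it once with and once without the exported appliance CA: a site that reports "untrusted-cert" without the CA and "decrypt" with it is one the appliance is decrypting, so either the decryption policy should be changed to Pass-Through or the appliance root certificate must be deployed to the clients.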