S360 not allowing 3rd party mobile apps????????????????????????

jcarrabine1
Level 1

I have an S360 running Async 7.1.3-021

WCCP transparent redirect configuration

We typically block Twitter.

When I give someone access to Twitter it works on their PC (Windows Domain)

It does not work on mobile devices no matter what I try.

for the most part 3rd party apps will not work on Android and Apple in our environment

I have have even taken an IP from a mobile device and placed it directly in the proxy bypass list and it still will not work.

Is this a shortcoming of the WSA or just bad applications?

any help is appreciated.


13 Replies

jcarrabine1
Level 1

Almost forgot to mention.

Mobile devices that I give Twitter access to don't work on 3rd party apps, but they do work on the mobile devices' web browser.

Mobile applications should work through the WSA. The known problem is that they do not support authentication. Web browsers on the mobile devices will likely prompt you to enter in your username/password.

You can actually bypass authentication using the User Agent of the application. A quick way to get the user agent for the application in question is to bypass authentication for the entire IP address. Next, go to System Administration, Log Subscriptions > accesslogs. Under Custom Fields, add %u to it.

Next, you'd need to 'grep tail' your access logs while using the application. The User Agent will be located at the end of the access log entry. To 'grep tail' your access logs:

SSH into the WSA and run the following command from the CLI:

1. grep

2. Enter the number of the log you wish to grep: 1 (for accesslogs)

3. Enter the regular expression to grep: The client's IP address

  NOTE: Any RegEX compliant value can be used with 'grep'

4. Do you want this search to be case insensitive?: Y

5. Do you want to search for non-matching lines?: N

6. Do you want to tail the logs?: Y

7. Do you want to paginate the output?: N

If your applications do not work even though you have placed your IP address into the Proxy Bypass settings (and using WCCP), you may have a more serious issue.
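An added example, not code from the original post or from Cisco's tooling: it mimics the WSA grep prompts over a few constructed access-log lines (the field layout and the trailing %u user-agent field are assumptions) and shows why a bare client IP is a loose regex, since "10.128.18.23" also matches 10.128.18.230 and 10.128.18.231.

```python
import re
from collections import Counter

# Constructed sample lines, not real WSA output: squid-style fields with the
# %u custom field (the client's user agent) appended as the final quoted value.
SAMPLE_ACCESSLOG = """\
1359642001.123 212 10.128.18.231 TCP_MISS/200 4821 GET https://api.twitter.com/1.1/home_timeline.json - DIRECT/199.59.148.20 application/json "Twitter/4.3.2 CFNetwork/548.1.4 Darwin/11.0.0"
1359642002.456 35 10.128.18.231 TCP_MISS/200 1102 POST https://mail.example.com/Microsoft-Server-ActiveSync - DIRECT/203.0.113.7 text/html "Android/4.0.4-EAS-1.3"
1359642003.789 88 10.128.18.23 TCP_MISS/200 2290 GET http://www.example.com/ - DIRECT/203.0.113.9 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
1359642004.012 40 10.128.18.231 TCP_DENIED/403 0 CONNECT twitter.com:443 - NONE/- - "Twitter/4.3.2 CFNetwork/548.1.4 Darwin/11.0.0"
"""

def grep_lines(lines, pattern, case_insensitive=True, invert=False):
    """Mirror the WSA 'grep' prompts: a regex, the case-insensitive option,
    and the 'search for non-matching lines' option (invert)."""
    rx = re.compile(pattern, re.IGNORECASE if case_insensitive else 0)
    return [line for line in lines if bool(rx.search(line)) != invert]

def user_agent(line):
    """Return the trailing quoted %u field, or None if the line lacks one."""
    m = re.search(r'"([^"]*)"\s*$', line)
    return m.group(1) if m else None

def client_ip_pattern(client_ip):
    """Escape the dots and require whitespace on both sides, so that grepping
    for 10.128.18.23 does not also match 10.128.18.230 or 10.128.18.231."""
    return r'(?<!\S)' + re.escape(client_ip) + r'(?!\S)'

def user_agents_for_client(log_text, client_ip):
    """Count the distinct user agents seen from one client IP."""
    lines = log_text.splitlines()
    hits = grep_lines(lines, client_ip_pattern(client_ip))
    return Counter(ua for ua in map(user_agent, hits) if ua)

if __name__ == "__main__":
    for ua, n in user_agents_for_client(SAMPLE_ACCESSLOG, "10.128.18.231").most_common():
        print(f"{n:3d}  {ua}")
```

The counted user agents are the strings you would then paste into the identity's user-agent field.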

Thanks much for the reply. I'm going to give this a try when I get back into the office. I already remoted in and added the %u to the custom field of the access logs. I have already used grep in the past with the accesslogs so that part should be easy. I'll report back with results.

Thanks again

Jeff

To add onto Vance's answer, it also deals with https and decryption. With third party applications, they have the security certificates built into the application. So when the Ironport decrypts and signs the certificate, the application will not trust that certificate as it does not match the certificate in the application.

However you should not be seeing the issue when you bypass the IP for the phone. Can you try bypassing the IP in the WCCP router?  To do this add to the access list and put in a deny statement at the top with the source IP being the phone's IP.

Christian Rahl

Customer Support Engineer

Cisco IronPort - Web Security Appliances

Cisco Technical Assistance Center RTP

United States Ironport: 1-877-641-IRON (4766)

Okay; not so good with passing this traffic.

I have added an identity with the user agents below

Android/4.0.4-EAS-1.3; Twitter/4.3.2 CFNetwork/548.1.4 Darwin/11.0.0 (What the accesslogs gave me when I did a grep)

I tested with the IP from my phone and set the identity to no authentication and I have the same result.

Before I made this post I had also taken one of my IPs that needed access to Twitter and put its IP in the proxy bypass by going to Web Security -> Bypass Settings and adding the IP there. I could not get to Twitter with that method either.

I can't modify an access-list to bypass because there really isn't one. Basically WCCP redirects traffic based on VLAN. If you are a member of that VLAN then you go to the Ironport, and policy is pretty much mandated there.

Any other ideas... that don't require a redesign?

Call the TAC. If putting the IP into the proxy bypass still does not work, it usually indicates something other than the Ironport is breaking the connection. However we would need to do a packet capture on the Ironport and as close to the mobile device as possible to see what could be happening.

Christian Rahl

Customer Support Engineer

Cisco IronPort - Web Security Appliances

Cisco Technical Assistance Center RTP

United States Ironport: 1-877-641-IRON (4766)

I got the proxy bypass working. I made a TAC case and by the time the Support Engineer called I had it figured out.

I'm fairly new where I work so I haven't really got to the point where I know all of the configs for the whole network, and I'm the only guy they have, but I noticed something on the Ironport:

There is an Identity called mobile devices that has no authentication setup, and it is defined by a subnet. People are placed into that subnet by signing an acceptable use form. Their MAC is added to a DHCP reservation within that subnet.

My questions are:

a) to me this seems like it would work and I would not need to define any user agents because the no authentication applies to the whole IP not just a mobile app. Is this correct?

b) using this identity currently does not work. I have checked access policies and I'm not seeing anything that would prevent access to the URL, and no authentication is set up in the Identity. The behavior I'm seeing looks like it does when it's not passing the user/pass.

c) in reference to (b) I read something on the "no authentication" drop down on Identities that said something along the lines of "no authentication may not work if something has higher priority". So what I did just before I left yesterday was to move the mobile access policy to the top policy, because when reading that last statement it made me think that access policies have a top down approach.

So should using the mobile Identity mentioned above work, or do I still need to define user agents?

Do you still have the tac case open? If so please PM me the number.

a) to me this seems like it would work and I would not need to define any user agents because the no authentication applies to the whole IP not just a mobile app. Is this correct?

This should work. Make sure you look at your decryption policies and that this mobile identity is tied to a decryption policy. You are correct, the IP will identify the device. You can create access policies based on the IP and then further filtered down by User agent. However, you do not want to do that in this case.

b) using this identity currently does not work. I have checked access policies and I'm not seeing anything that would prevent access to the URL, and no authentication is set up in the Identity. The behavior I'm seeing looks like it does when it's not passing the user/pass.

Do you have the identity tied to a very specific access policy? Where is the identity and access policy in relation to the authentication identities?

c) in reference to (b) I read something on the "no authentication" drop down on Identities that said something along the lines of "no authentication may not work if something has higher priority". So what I did just before I left yesterday was to move the mobile access policy to the top policy, because when reading that last statement it made me think that access policies have a top down approach.

In general everything is top down, left to right.

So should using the mobile Identity mentioned above work, or do I still need to define user agents?

That should work.

No I had the guy close it because I opened it as a proxy bypass issue, and that is resolved. He did say that most iPhone user agents will pass with just using "iPhone" as the string although we are beyond that now.

This should work. Make sure you look at your decryption policies and that this mobile identity is tied to a decryption policy.

All traffic that passes through our Ironport is a member of the same decryption policy.

Do you have the identity tied to a very specific access policy?

Yes. Both the Identity and access policies apply to users with 10.128.18.230-250 and it is further broken down in the access policy with 10.128.18.230-239 as a general mobile policy, and 10.128.18.240-250 as an IT mobile policy with a bit more access allowed... and again the identity has no authentication selected with no other parameters.

Where is the identity and access policy in relation to the authentication identities?

Not sure what you mean...authentication realm?

I would create a new decryption policy for the mobile identity. Once you do that set the entire decryption policy to pass through.

As for the "Where is the identity" do not worry about it. Your previous explanation answered that actually.

Christian Rahl

OH YEAH!!!! Thank you.

Works like a charm and still have full control!!!

Now I would just play with what actually is needed to bypass and what is needed to be decrypted. Decrypting traffic will only break mobile phone applications. It will not break the browsers in the phones. Unless the browser cannot handle untrusted certificates.

Will do. I've got of that in place right now.

Thanks Again.
