The transparent redirection term first implied to me that the client will be totally unaware of the presence of a WSA proxy; however, I deployed the following setup and found that the client is receiving an HTTP proxy-redirect message (code 307) with the source IP of the final destination server, but it tells the client to request HTTP from the WSA. Redirection mode is L2 forwarding.
Here is the Setup:
My understanding of transparent redirection in this setup is:
- client sends HTTP GET request to the server
- the switch intercepts the GET and redirects it to the WSA
- the WSA sends the request to the server with source IP of the WSA
- the server replies to the WSA
- the WSA replies to the client (not sure if the source will be spoofed as server IP or WSA)
However, my findings were different... again http-redirect arrives at the client with WSA URL
The HTTP 307 redirect is likely coming because you are using authentication. The way the WSA performs NTLM authentication is to redirect the browser to access the WSA directly, so that NTLM authentication can happen. Once authenticated, another 307 will redirect it back to the original website.
If you are looking for a 100% transparent deployment, you may want to consider deploying the Cisco Context Directory Agent so that the WSA can ask the agent which user is logged onto that IP (instead of doing the NTLM authentication).
The term Transparent really just means the browser does not have a proxy setting.
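For anyone checking a client-side capture against the explanation above, the following added example (not part of the original thread and not Cisco code) separates the authentication detour from an ordinary site redirect: a 307 to another host that is later answered by a 307 back to the original URL. The hostnames, URL paths and the 401 challenge status in the sample traces are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed traces: (requested URL, status, Location header) as seen by the client.
# Hostnames and paths are placeholders; the 401 challenge status is an assumption,
# the thread only mentions the two 307 redirects.
AUTH_TRACE = [
    ("http://www.example.com/index.html", 307, "http://wsa.corp.example/auth"),
    ("http://wsa.corp.example/auth", 401, None),
    ("http://wsa.corp.example/auth", 401, None),
    ("http://wsa.corp.example/auth", 307, "http://www.example.com/index.html"),
    ("http://www.example.com/index.html", 200, None),
]
PLAIN_REDIRECT_TRACE = [
    ("http://www.example.com/old", 307, "http://cdn.example.net/new"),
    ("http://cdn.example.net/new", 200, None),
]


def host(url):
    return urlsplit(url).hostname


def find_auth_detours(trace):
    """Return (original_url, detour_host, exchanges) for each redirect round trip.

    A detour is a 307 that sends the client to a different host, followed by
    requests to that host that end with a 307 back to the original URL.
    """
    detours = []
    i = 0
    while i < len(trace):
        url, status, location = trace[i]
        if status == 307 and location and host(location) != host(url):
            detour_host = host(location)
            j = i + 1
            # Walk the requests the client makes directly to the detour host.
            while j < len(trace) and host(trace[j][0]) == detour_host:
                _, s, loc = trace[j]
                if s == 307 and loc == url:
                    detours.append((url, detour_host, j - i))
                    break
                j += 1
            i = j
        i += 1
    return detours


if __name__ == "__main__":
    print(find_auth_detours(AUTH_TRACE))
    print(find_auth_detours(PLAIN_REDIRECT_TRACE))
```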