Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
584
Views
0
Helpful
4
Replies

Toying with https inspection. Do access lists now have to be in decryption policies?

keithsauer507
Level 5
Level 5

‎01-16-2015 10:46 AM

Hello,

 

I am toying with https inspection.  I am wondering now with the WCCP redirect from the firewall for https on two of our test IP's (before rolling it in production), if I need to basically duplicate all of my Access Policies on the Decrypt Policies.  Is Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?

 

Lets say you want facebook blocked.  In Access Policies it is blocked by default, unless you fall into an upper category like AD group Management for example.  Well facebook has both an http and an https (now increasingly more common) site.  So could they just circumvent this block by typing in https?  They can do that now (since were not inspecting https), but we want to put a stop to that.

 

I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine.  We don't even get redirected to our server hosting the "you are blocked" page.

Labels:
0 Helpful
4 Replies 4

Ken Stieers
VIP
VIP

‎01-16-2015 02:17 PM

 

You want to monitor Social Networking in HTTPS and block it in the Access policy.

The HTTPS proxy settings just deal with whether or not to decrypt the data.  Access policies still do the actual access limitations.

0 Helpful

keithsauer507
Level 5
Level 5
In response to Ken Stieers

‎01-19-2015 01:14 PM

Ok so its fine to have a global decription policy that has everything set to monitor, and just continue to let the access policy do all the work?

 

At least if you "hit" on an access policy, the WLC forwards us to our customized block page.  In decryption policy if you hit drop, quite understandably so you just get a page cannot be displayed (since it is dropped of course).

 

When would the "decrypt" option be a good idea?

0 Helpful

Ken Stieers
VIP
VIP
In response to keithsauer507

‎01-19-2015 01:24 PM

I set decrypt on stuff that's marginal... We don't block it, but has a better chance of having malware, etc.

Here's a partial list of what we decrypt

  • email
  • personal domains
  • NGOs
  • Parked domains
  • Photo sites
  • NGO's
  • Dynamic/Residential
  • Fashion

 

 

0 Helpful

keithsauer507
Level 5
Level 5
In response to Ken Stieers

‎01-19-2015 02:36 PM

Thanks.  Good idea.  That makes sense now.

0 Helpful
Customers Also Viewed These Support Documents