
Transparent Proxy

ahamadfaiz
Level 1

Hi All,

Good Day!

We have just changed our IronPort WSA proxy from Explicit Forward to Transparent Mode.

We are using Cisco ASA inside interface to redirect traffic to IronPort WSA. The WSA is also reachable via the inside interface per Cisco requirement.

We are able to browse internet through this proxy from PC as well as from mobile devices. Also most of the mobile applications are working too.

The query is whether we need to make any specific changes in the WSA or ASA in order to enable applications using ports other than 80 and 443. For example, there are some online games, or WhatsApp, that need to access the internet on ports other than 80 and 443. Is there any change required for these mobile applications to work through the WSA?

Please assist.

WSA Model: S670

Version: 7.1.4-053

Thank you.

Faiz

8 Replies

Luis Silva Benavides
Cisco Employee

Hi Faiz,

For sure you don't have to change anything on the ASA. On the WSA I don't think you have to do any change but are you facing any issues?

Thanks!

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html


Hi Luis,

Well, it appears that the WSA in transparent mode does not work as well as when it is in explicit forward mode.

We are facing many issues with it.

We were not able to get applications that use ports other than 80 or 443 to work through the transparent proxy. For example, WhatsApp uses port 5222 for the initial connection and then sends the rest of the traffic over 443. But it never got connected while using the transparent proxy.

I had started another discussion as well:  https://supportforums.cisco.com/message/3930488#3930488

It would be great if you could assist me with this.

Regards,

Faiz

Are you authenticating mobile devices?

Mobile devices shouldn't be authenticated in order for apps to work.

Faiz,

On the Network/Transparent Redirection page, what ports do you have listed? You can only have 8, and I don't think it allows ranges. (It's a WCCP limitation.)

And on the ASA, what does your redirect acl look like?  Here's mine, (don't redirect inbound traffic, don't bounce traffic from WSA on .11 and wsa on .20, redirect all outbound)

Hi All,

I am sorry for the delay.

I am not using authentication for mobile devices.

My WSA transparent proxy configuration is similar to what is there in the screenshot.

However, the ACLs are not exactly the same. I do not have the Deny ACLs in place. I have just allowed the subnet that requires internet access in the WCCP redirect ACL.

I understand why you have the Deny ACLs. But the WCCP redirection works fine for all HTTP and HTTPS traffic. It just doesn't work for sites that work on other ports. So, do I really need to add those deny ACLs as well?

Please assist.

Regards,

Faiz
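
The two redirect ACL shapes discussed in the posts above, written out in ASA syntax as an added example; it is not either poster's configuration. ACL names and all addresses are constructed placeholders, and reading "don't redirect inbound traffic" as a deny toward internal destinations is an assumption.

```cisco
! Constructed example: names and addresses are placeholders, not from the thread.

! Form A: permit-only. Only the client subnet is named; nothing is excluded.
access-list WCCP-REDIRECT-A extended permit ip 192.168.10.0 255.255.255.0 any

! Form B: deny-first, in the order described in the earlier reply.
! 1. Do not redirect traffic headed to internal networks
!    (assumed meaning of "don't redirect inbound traffic").
access-list WCCP-REDIRECT-B extended deny ip any 192.168.0.0 255.255.0.0
! 2. Do not redirect traffic sourced from the WSAs themselves (.11 and .20),
!    so their own outbound fetches are not bounced back to them.
access-list WCCP-REDIRECT-B extended deny ip host 192.168.10.11 any
access-list WCCP-REDIRECT-B extended deny ip host 192.168.10.20 any
! 3. Redirect everything else going outbound.
access-list WCCP-REDIRECT-B extended permit ip any any

! Bind one of the ACLs to the WCCP service and enable redirection on the
! inside interface. "web-cache" is the standard service; where the WSA
! defines a dynamic service, its service number takes the place of "web-cache".
wccp web-cache redirect-list WCCP-REDIRECT-B
wccp interface inside web-cache redirect in
```

The redirect ACL only selects which flows are candidates for redirection; the ports that are actually redirected come from the WCCP service definition, which is where the eight-port limit mentioned above applies.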

Hi,

I removed authentication for one of my smartphones, and it's working now. Also I understand that there's a feature request,

https://supportforums.cisco.com/thread/2208540 but there's no current workaround?

Regards,

Hi,

You can engage the Account Team in order to expedite the resolution of the enhancement request.

HTH

Luis Silva


Hi,

Now I have my WSA in Explicit mode, smartphones are not authenticated, but I can't get WhatsApp working...

Any ideas? Should I intercept port 5222 on my WSA?

Regards,
