I'm trying to get the WSA to work when redirecting HTTP and HTTPS traffic along the lines of the following:
object network WSA-HOST
host 10.0.210.2
object network obj-10.0.1.0 subnet 10.0.1.0 255.255.255.0
object service ORIG-HTTP-PORT
service tcp destination eq www
object service WSA-HTTP-DEST-PORT
service tcp destination eq 8080
object service ORIG-HTTPS-PORT
service tcp destination eq https
object service WSA-HTTPS-DEST-PORT
service tcp destination eq https << also tried 8080 etc.
nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-HOST service ORIG-HTTP-PORT WSA-HTTP-DEST-PORT
nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-PROXY-HOST service ORIG-HTTPS-PORT WSA-HTTPS-DEST-PORT
This works just fine for HTTP, but with HTTPS I get the following response from the Ironport WSA:
Based on your corporate access policies, access to this web site ( https://www.rbsdigital.com/ ) has been blocked.
Notification codes: (1, POLICY, UNKNOWN, 0x00000082, 1329750248.609, QAAAAAAAAAAAAAAAyf8AAP8AAAD/AAAAAAAAAAAAAAE=,
https://www.rbsdigital.com/)
The access log gives me the following:
1329750248.602 404 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
1329750248.609 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
If anyone has any idea why the WSA simply denies the connection instead of proxying it then I'd be grateful.
The WSA and the decryption policies work fine in explisit mode.
Thanks in advance!
