WCCP, SSL and noDecrypt

christopherhudel · ‎09-22-2011

Hello,

I had previously used another Web Security Appliance in an in-line mode and now we have implemented Ironports in a transparent proxy w/ WCCP redirection. I want to monitor/block SSL websites from a category-only perspective, without any decryption. How is this configuration possible in my environment?

The documentation indicates there is a "passthrough" capability but also seems to suggest fairly strongly that you still to install a certificate and perform some form of decryption?

Thoughts? thanks.

Ken Stieers · ‎09-22-2011

I think you could get way with it by turning off the HTTPS proxy and adding 443 to the ports for the HTTP proxy. But you'll lose a bunch of functionality that way. The URL gets encrypted after the SSL connection gets built, so you'll lose the granulartiy that may exist in the categories based on URL. Also if you don't decrypt, you lose the Dynamic Content engine, and application visibility since that's all in the tunnel, which you don't see.

WCCP, SSL and noDecrypt

WCCP redirection will

Cisco Umbrella DNS - Intelligent Proxy e SSL Decryption

リモートアクセス SSL VPN（Cisco AnyConnect）を設定する

WSA Transparent WCCP Options (FTD or 4500X Switch WCCP)?

WSA/ASA: WCCPの設定方法

WCCP, SSL and noDecrypt

WCCP redirection will

Cisco Umbrella DNS - Intelligent Proxy e SSL Decryption

リモート アクセス SSL VPN（Cisco AnyConnect）を設定する

WSA Transparent WCCP Options (FTD or 4500X Switch WCCP)?

WSA/ASA: WCCPの設定方法

リモートアクセス SSL VPN（Cisco AnyConnect）を設定する