cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

521
Views
0
Helpful
5
Replies
Beginner

WSA ASA WCCP Redirection for HTTPS traffic

My WSA appliances can service http/https traffic when configured in explicit forward mode (no WSA https proxy enabled).

However I am unable to get Transparent mode https redirection to work unless I enable https proxy mode on the WSA.

 

An ASA is doing the WCCP redirection for http/https traffic. It appears that http redirection works as expected.

 

Could somebody explain why http/https work in explicit proxy mode without https proxy enabled on the WSA and is there a way to get https rwccp redirection to work in Transparent mode without https proxy enabled.

 

thanks

 

Ian

5 REPLIES 5

Re: WSA ASA WCCP Redirection for HTTPS traffic

Retro

Re: WSA ASA WCCP Redirection for HTTPS traffic

f you can make logs or images available, it is easier to help you.

Beginner

Re: WSA ASA WCCP Redirection for HTTPS traffic

So this is the one thing I have struggled with the WSA/ASA WCCP pair for a while. I recently found out that in the ASA WCCP implementation HTTPS DNS traffic is not forwarded to the WSA. Without the DNS information redirected the WSA is unable to filter or see the traffic for HTTPS. So this limitation is actually the ASA, and impacts any ASA WCCP compatible proxy solution.

 

There may also be a way to change this default ASA behavior.

Collaborator

Re: WSA ASA WCCP Redirection for HTTPS traffic

Https dns traffic is still port 53, isnt it? Possibly just add that to the wccp and proxy config?
Highlighted
Beginner

Re: WSA ASA WCCP Redirection for HTTPS traffic

The following is adapted from deployment information from another cache solution. It begins to explain some of the limitations of Cisco's implementation of WCCP on the ASA's the first one also applies to ISRs. I was not able to find the same information on a Cisco site, but through my own testing and experience these limitations appear to be accurate. Especially for guest networks were the only information you can log/filter on is the DNS. These limitations appear to be by design, likely to allow other ASA features to function properly.

 

Limitations and Requirements of a WCCP Deployment With an ASA

  • The only topology that the adaptive security appliance (ASA) supports is when both the client and the cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the adaptive security appliance.
  • Due to the Cisco ASA limitations on redirecting DNS responses, the cache engine is not able to log all HTTPS traffic. The only traffic that can be logged is HTTPS traffic that is being inspected/monitored and the HTTPS URLs that are blocked.