WSA ASA WCCP Redirection for HTTPS traffic

iwearing
Level 1

My WSA appliances can service http/https traffic when configured in explicit forward mode (no WSA https proxy enabled).

However I am unable to get Transparent mode https redirection to work unless I enable https proxy mode on the WSA.

 

An ASA is doing the WCCP redirection for http/https traffic. It appears that http redirection works as expected.

 

Could somebody explain why http/https work in explicit proxy mode without https proxy enabled on the WSA, and is there a way to get https WCCP redirection to work in Transparent mode without https proxy enabled?

 

thanks

 

Ian

5 Replies

Retro

If you can make logs or images available, it is easier to help you.

Paul Cardelli
Level 1

So this is the one thing I have struggled with on the WSA/ASA WCCP pair for a while. I recently found out that in the ASA WCCP implementation HTTPS DNS traffic is not forwarded to the WSA. Without the DNS information redirected, the WSA is unable to filter or see the traffic for HTTPS. So this limitation is actually the ASA's, and it impacts any ASA WCCP-compatible proxy solution.

 

There may also be a way to change this default ASA behavior.

HTTPS DNS traffic is still port 53, isn't it? Possibly just add that to the WCCP and proxy config?

The following is adapted from deployment information for another cache solution. It begins to explain some of the limitations of Cisco's implementation of WCCP on the ASAs; the first one also applies to ISRs. I was not able to find the same information on a Cisco site, but through my own testing and experience these limitations appear to be accurate, especially for guest networks where the only information you can log/filter on is the DNS. These limitations appear to be by design, likely to allow other ASA features to function properly.

 

Limitations and Requirements of a WCCP Deployment With an ASA

  • The only topology that the adaptive security appliance (ASA) supports is when both the client and the cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client without going through the adaptive security appliance.
  • Due to the Cisco ASA limitations on redirecting DNS responses, the cache engine is not able to log all HTTPS traffic. The only traffic that can be logged is HTTPS traffic that is being inspected/monitored and the HTTPS URLs that are blocked.
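To make the first limitation concrete, below is an added ASA WCCP configuration sketch for the only supported topology (clients and the WSA both behind the ASA's inside interface, redirection applied inbound on that interface). It is not from this thread or from any poster; the addresses, interface name, ACL names and the HTTPS service group number 70 are assumptions, and the service ID used for HTTPS must match whatever transparent redirection service is defined on the WSA.

```cisco
! Assumed addressing: clients in 10.0.0.0/24, WSA at 10.0.0.10, both on "inside"
!
! Redirect list: which client traffic the ASA hands to the WSA.
! The WSA's own IP is denied first so its upstream fetches are not re-redirected.
access-list wccp-redirect extended deny ip host 10.0.0.10 any
access-list wccp-redirect extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list wccp-redirect extended permit tcp 10.0.0.0 255.255.255.0 any eq https
!
! Group list: which hosts may register with the ASA as WCCP cache engines.
access-list wccp-servers extended permit ip host 10.0.0.10 any
!
! Service groups: "web-cache" is the well-known HTTP (port 80) service;
! 70 is an assumed dynamic service number for HTTPS (port 443) and must
! match the service ID configured on the WSA.
wccp web-cache redirect-list wccp-redirect group-list wccp-servers
wccp 70 redirect-list wccp-redirect group-list wccp-servers
!
! Redirection is applied inbound on the interface the clients and WSA share,
! which is the single topology the ASA supports for WCCP.
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
!
! Note: nothing here redirects UDP/TCP 53. Per the limitation above, the ASA
! does not redirect the DNS responses the WSA would need to identify HTTPS
! destinations in transparent mode, so only TCP 80/443 flows reach the WSA.
```

Useful checks after applying this are `show wccp` (the WSA should appear as a registered cache engine for both services) and `show wccp web-cache detail`, whose redirect counters should increase for HTTP; if the HTTPS service shows packets redirected but the WSA still logs nothing useful, that matches the DNS limitation described in the bullets rather than a redirect-list problem.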