WSA https proxy issue

davbrown
Level 1

Hi Team

We have acquired a Cisco WSA appliance for our organization and have successfully configured the HTTP proxy, which is functioning as expected.

However, we are currently facing challenges with the implementation of the HTTPS proxy and decryption policy. We have followed all the documented procedures, but it seems the HTTPS proxy and decryption policy are not functioning as expected. Here is a summary of what we have done so far:

  • Enabled HTTPS decryption on the WSA.
  • Generated and signed a certificate by a Certificate Authority (CA) and uploaded the signed certificate.
  • Created a profile for specific computers.
  • Created a custom URI category for the URL(s).
  • Created a decryption policy, adding the custom URI category in the conditions (Advanced section).
  • Set the action in URI filtering to decrypt.
  • Created an access policy for the profile and custom URL category and configured the access policy.

We based our configuration on the official documentation provided, but we may have missed a crucial step or encountered a specific issue.

Has anyone encountered this issue before?

If so, could you please share your experiences or solutions?

Davis

4 Replies

What kind of certificate? From which certificate authority?

This is not a standard web cert that you buy from Digicert or other public CA.

It has to be a root or SubCA cert that can sign other certs. Typically this means it came from your internal CA (which your workstations are configured to trust).

You can also use the one the WSA generates. You just have to distribute that cert to your workstations as a trusted CA cert.



amojarra
Cisco Employee

Hello @davbrown 

Hope you are doing fine, 

May I ask about: "... HTTPS proxy and decryption policy are not functioning as expected..."

By not working as expected, do you mean the WSA is not decrypting the traffic, or that traffic which should be blocked is allowed and vice versa?

Also, regarding your Custom URL category, it is important to know what your proxy deployment is (Explicit / Transparent) and how you have configured your Custom URL CAT. Let's say you have defined a regular expression and the deployment is transparent; then the WSA cannot read the URL unless it decrypts the traffic.

I would say

[1] Create a URL category for example.com and .example.com, and put it at the top.

[2] Create a Decryption policy, add just this Custom URL CAT, set the action to Block, and then test.

[3] In the above Decryption policy, set the action to Decrypt and test again. When the page opens, check the page certificate to make sure the WSA signs the certificate (the certificate issuer should be the WSA while you are decrypting the traffic).

[4] You can also add an Access policy and set the action to Deny, then test again to make sure all your policies are OK.

Kindly consider the Identification profile and make sure you are hitting the correct profile and the correct policy.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Hi amojarra

Thanks for your reply. We believe the WSA isn't decrypting the traffic.
We've followed all the steps you mentioned, but when we run a Policy Trace, the request for the URI category goes through successfully, yet the Decryption Policy shows as "None".
Also, we haven't specified any regular expressions in the URL categories, just the URLs that should be decrypted.

Do you think this could be the issue?

amojarra
Cisco Employee

Hi @davbrown 

It is nice hearing from you,

Thanks for the update.

I would say it is best not to conclude based on Policy Trace alone; please check in the browser and look at the page certificate.

Besides that, it would be very helpful to review the accesslogs: CLI > tail > choose Accesslogs > then start testing.

If the issue still persists, please open a TAC case; we will be more than happy to join a call with you and check the configuration.

Regards,

Amirhossein Mojarrad

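The certificate check that step [3] above and the later reply both suggest (confirm that the issuer of the certificate the client sees is the WSA's signing CA, not the site's public CA) can be scripted so it is repeatable while you adjust policies. This is an added example, not code from the thread or from Cisco; it assumes an explicit proxy deployment, that you have exported the WSA's signing CA to a PEM file, and that you know the commonName of that CA (the hostnames, port and CA name passed on the command line are hypothetical placeholders).

```python
import socket
import ssl
import sys


def issuer_common_name(peercert: dict) -> str:
    """Pull commonName out of the nested issuer tuples that ssl.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return ""


def is_decrypted_by_wsa(peercert: dict, wsa_issuer_cn: str) -> bool:
    """True when the certificate the client sees was signed by the WSA's CA (i.e. decrypted)."""
    return issuer_common_name(peercert) == wsa_issuer_cn


def fetch_cert_via_proxy(host: str, proxy_host: str, proxy_port: int,
                         wsa_ca_file: str, timeout: float = 10.0) -> dict:
    """Open an explicit-proxy CONNECT tunnel to host:443 and return the validated peer cert."""
    ctx = ssl.create_default_context()
    # Trust the WSA signing CA in addition to the system roots, so both a decrypted
    # (WSA-signed) and a passed-through (publicly signed) certificate validate; the
    # issuer then tells us which of the two happened.
    ctx.load_verify_locations(cafile=wsa_ca_file)
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        raw.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            reply += chunk
        status_line = reply.split(b"\r\n", 1)[0]
        if status_line.split(b" ")[1:2] != [b"200"]:
            raise ConnectionError(f"CONNECT refused: {status_line.decode(errors='replace')}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Hypothetical usage: python check_wsa_decrypt.py example.com wsa.example.local 3128 wsa_ca.pem "WSA Signing CA"
    h, ph, pp, ca, cn = sys.argv[1:6]
    cert = fetch_cert_via_proxy(h, ph, int(pp), ca)
    print("issuer:", issuer_common_name(cert))
    print("decrypted by WSA:", is_decrypted_by_wsa(cert, cn))
```

A CONNECT that is refused (decryption action Block, or an access policy Deny) surfaces as a ConnectionError with the proxy's status line, and a verification failure usually means the wrong CA file was supplied.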