WSA "whitelisting" traffic

hcombee
Level 1

Situation:

We have got 2 different types of Identification profiles in place:

1. authenticate systems based on source IP address

2. authenticate all users based on AD membership

 

Then we have access policies.

1. permit systems to only access certain custom URL categories

2. permit users to access all but certain URL categories like gambling and adult entertainment.

 

We are not decrypting user traffic but we have got one decryption policy for all users that only decrypts and blocks these denied URL categories. We have done this because the users didn't get a warning page without this rule when they accessed a forbidden category.

 

The issue:

When a system accesses a website through HTTP that is not in his URL category, then he is blocked. When he accesses the same website through HTTPS, then his session is allowed by the decryption policies.

This probably works as designed, but now I have to make a similar decryption policy for every access policy.

 

Does anyone know a smart way to achieve the same result without the double rules for HTTP and HTTPS?

2 Replies

Handy Putra
Cisco Employee

Hi,

 

Are you decrypting most of your HTTPS traffic? If you are not actually decrypting HTTPS traffic, you can disable the HTTPS proxy.

 

When the HTTPS proxy is disabled, the appliance can still process port 443 traffic; however, it will not decrypt it. Instead it will create a CONNECT tunnel to it, and the access policy (if you are including port 443 in the policy under CONNECT ports) will still be able to apply policy to it, such as block or monitor (to use the categorisation, reputation, etc.), and if it is blocked, the WSA will still be able to display the block page.

 

However, the above will only work with explicit or forward mode or when using a WPAD/PAC file. If you are using transparent mode with PBR or WCCP and you want to redirect port 443 to the WSA, then the HTTPS proxy will need to be enabled.

 

Regards

Handy Putra
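As an added illustration of the point in the reply above (constructed example code, not WSA code or configuration syntax): in explicit mode an HTTPS request first reaches the proxy as a plain-HTTP CONNECT line, so the same per-identity category rule can be applied to GET and CONNECT alike, and a block can be answered with an HTTP 403 and a block page before any TLS is tunnelled. The IPs, hostnames and categories are constructed stand-ins for the thread's source-IP systems, AD users and custom categories.

```python
# Constructed policy tables modelling the thread's setup (assumption: not WSA syntax).
SYSTEM_IPS = {"10.0.0.5"}                # identification profile 1: by source IP
SYSTEM_ALLOWED = {"custom_updates"}      # systems may reach only custom categories
USER_BLOCKED = {"gambling", "adult"}     # users may reach everything except these

# Constructed URL-categorisation lookup, keyed by hostname.
CATEGORY = {
    "updates.example.com": "custom_updates",
    "bet.example.net": "gambling",
    "news.example.org": "news",
}


def categorise(host: str) -> str:
    return CATEGORY.get(host, "uncategorised")


def host_of(request_line: str) -> str:
    """Extract the destination host from an explicit-proxy request line."""
    method, target, _ = request_line.split(" ", 2)
    if method == "CONNECT":                      # HTTPS: "CONNECT host:443 HTTP/1.1"
        return target.rsplit(":", 1)[0]
    # plain HTTP to an explicit proxy carries the absolute URL
    return target.split("://", 1)[1].split("/", 1)[0]


def decide(request_line: str, src_ip: str) -> str:
    """Return 'ALLOW' or 'BLOCK', applying one category rule to GET and CONNECT alike."""
    cat = categorise(host_of(request_line))
    if src_ip in SYSTEM_IPS:                     # system identity: allow-list only
        return "ALLOW" if cat in SYSTEM_ALLOWED else "BLOCK"
    return "BLOCK" if cat in USER_BLOCKED else "ALLOW"   # user identity: deny-list


def respond(request_line: str, src_ip: str) -> str:
    """Status line the explicit proxy sends back. A CONNECT is still an HTTP
    request, so a block can be answered with 403 (and a block page body)
    before any TLS bytes are tunnelled, with nothing decrypted."""
    if decide(request_line, src_ip) == "BLOCK":
        return "HTTP/1.1 403 Forbidden"
    if request_line.startswith("CONNECT"):
        return "HTTP/1.1 200 Connection established"
    return "HTTP/1.1 200 OK"
```

In transparent mode (WCCP/PBR) there is no CONNECT line to answer, which is why the reply notes that the HTTPS proxy must then be enabled for port 443.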

@Handy Putra Thanks for the reply,

 

We started without the HTTPS proxy, but we found out that the end-user notifications were not displayed when the user tried to access a blocked category using HTTPS. So we are decrypting only these categories, just to display the notification.

And we are planning on migrating to transparent proxying using WCCP.