WSA SSL Decryption doesn't change Web Site Certificate
11-25-2021 02:00 PM
Hi,
I am running Cisco WSA in my topology, where we are trying to configure SSL decryption using a decryption policy, with the proxy configured as transparent using WCCPv2. However, in the logs and the policy trace we can see the traffic hitting the right decryption policy, but the client still sees the original website's certificate, not the proxy certificate. Is this expected, or do I need to make some extra changes to get this working?
Regards,
Dhruv
Labels: Web Security
11-25-2021 03:05 PM - edited 11-25-2021 03:06 PM
As per the document, this is your local IP you are bypassing.
If you have installed a certificate on your PC, when you go to google.com, WSA acts as the client; WSA in turn makes the request using its own cert as a client here.
11-26-2021 01:59 AM
Hi,
Thank you for the response. Attached is my topology. Client/User IP address: 192.168.111.20 and web site: https://10.10.10.11
So they are definitely not part of the same LAN. In the policy trace I can see the decryption policy is working to decrypt the traffic, but does WSA change the certificate and send its own cert to the user?
Regards,
Dhruv
11-26-2021 04:16 AM
When I mentioned local, I meant inside the network; I saw your policy bypass.
I do not see any ISP having that RFC 1918 IP address as a public domain. But a certificate binds to a domain name, not to the IP address, so it requires an FQDN.
11-26-2021 06:14 AM
Hi Balaji,
I will try to resolve it using the DNS name as well. I have hosted a DNS server on my Cisco IOS Router. Since this is a lab setup, I haven't enabled internet access. Will let you know.
Regards,
Dhruv
11-27-2021 08:00 AM
Hi,
The issue is still not resolved. When I tried to access the website using the URL FQDN name, I still get the certificate from the website, not from the proxy, although from the access logs it looks like the proxy is performing SSL decryption. This behaviour exists for both the explicit and the transparent one.
I am now sure the proxy, unlike Bluecoat, doesn't change the certificate, but I am not sure why Cisco asks us to install the trusted CA into the user's Personal Trusted Root CA then?
Can anyone confirm whether, if you tested in your setup, you could see the proxy's cert in the website's response?
============================================================================
Explicit:
1487080501.105 297 192.168.111.23 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.dhruv.com:443/ - DIRECT/www.dhruv.com - DECRYPT_CUSTOMCAT_7-babi_ssl_policy-corpusers-NONE-NONE-NONE-DefaultGroup <C_SSLB,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",1.05,0,-,"-","-",-,"-",-,-,"-","-"> -
Transparent:
1487080501.457 352 192.168.111.23 TCP_MISS_SSL/404 229 GET https://www.dhruv.com:443/favicon.ico - DIRECT/www.dhruv.com text/plain DEFAULT_CASE_12-My_Corp_Policy-corpusers-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,1,"-",-,-,-,"-",0,262686,"-","-",-,-,nc,nc,"Unknown","-","Unknown","Unknown","-","-",5.20,0,-,"Unknown","-",-,"-",-,-,"-","-"> -
=============================================================
Regards,
Dhruv
05-15-2022 02:29 PM
In the Issuer Name you should be able to see your WSA's certificate.
Amirhossein Mojarrad
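The check the last answer describes (look at the issuer of the certificate the client receives), paired with the access-log decision tags shown in Dhruv's post, as an added example that is not code from the thread or from Cisco. It assumes the WSA's decryption root CA has been exported to a PEM file; the host name, CA name, log lines and certificate dicts are constructed samples, and the PASSTHRU_/DROP_/MONITOR_ tag prefixes are assumed alongside the DECRYPT_ and DEFAULT_CASE_ tags visible on the page.

```python
"""Confirm whether the WSA really re-signs a site's certificate: compare what
the access log claims with the issuer the client actually sees."""
import re
import socket
import ssl

# The decision tag precedes the policy name in the access log. DECRYPT_* and
# DEFAULT_CASE_* appear in the thread; PASSTHRU_/DROP_/MONITOR_ are the other
# decryption-policy actions (assumed tag prefixes).
_TAG = re.compile(r"\s((?:DECRYPT|PASSTHRU|DROP|MONITOR)_[A-Z0-9_]+|DEFAULT_CASE_\d+)-")


def log_says_decrypted(line):
    """True if the log line claims decryption, False for another tag, None if none."""
    m = _TAG.search(line)
    return None if m is None else m.group(1).startswith("DECRYPT_")


def issuer_cn(peercert):
    """Issuer commonName from the dict that ssl.SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def issued_by_proxy(peercert, wsa_ca_cn):
    """The client only sees the proxy's certificate if the WSA CA is the issuer."""
    return issuer_cn(peercert) == wsa_ca_cn


def probe(host, port, wsa_ca_pem, wsa_ca_cn):
    """Connect trusting ONLY the WSA CA. A verified handshake means the WSA
    minted the certificate; a verification error means the origin cert reached
    the client, i.e. decryption did not happen on this path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED by default
    ctx.check_hostname = False                        # issuer is what matters here
    ctx.load_verify_locations(cafile=wsa_ca_pem)     # constructed path, see lead-in
    try:
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return issued_by_proxy(tls.getpeercert(), wsa_ca_cn)
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # Constructed values: the lab host from the thread and an assumed CA name.
    print(probe("www.dhruv.com", 443, "wsa_root_ca.pem", "WSA Root CA"))
```

Run `probe()` from a client behind the WSA: `False` together with `log_says_decrypted(...) is True` reproduces the mismatch reported in the thread, whereas `True` confirms the WSA certificate is being presented.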
