WSA SSL Decryption doesn't change Web Site Certificate

dhr.tech1
Spotlight

Hi,

 

I am running a Cisco WSA in my topology, where we are trying to configure SSL decryption using a decryption policy with the proxy configured as transparent, using WCCPv2. However, in the logs and policy trace we can see the traffic is hitting the right decryption policy, but the client still sees the original website's certificate, not the proxy certificate. Is this expected, or do I need to perform some extra changes to get this working?

 

Regards,

Dhruv

 

 

6 Replies

balaji.bandi
Hall of Fame

As per the document, this is your local IP and you are bypassing.

 

If you have installed a certificate on your PC and you go to google.com, the WSA acts as a client; the WSA in turn makes the request using its own cert as a client here.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

 

Thank you for the response. Attached is my topology. Client/User IP address: 192.168.111.20 and Web site: https://10.10.10.11

So, they are definitely not part of the same LAN. In the policy trace I can see the decryption policy is working to decrypt the traffic, but does the WSA change the certificate and send its own cert to the user?

 

Regards,

Dhruv 

 

 

 

When I mentioned local, I meant inside the network; I saw your policy bypass.

 

I do not see any ISP having that RFC 1918 IP address as a public domain. But a certificate binds to a domain name, not to the IP address, so an FQDN is required.

 

BB


Hi Balaji,

 

I will try to resolve it using the DNS name as well. I have hosted a DNS server on my Cisco IOS Router. Since this is a lab setup, I haven't enabled internet access. Will let you know.

 

Regards,

Dhruv 

Hi,

 

The issue is still not resolved. When I tried to access the website using the URL FQDN name, I still get the certificate from the website, not from the proxy, although from the access logs it looks like the proxy is performing SSL decryption. This behaviour exists for both explicit and transparent mode.

I am now sure the proxy, unlike Bluecoats, doesn't change the certificate, but I am not sure why Cisco asks us to install the trusted CA into the user's Personal Trusted Root CA then?

 

Can anyone confirm whether you have tested in your setup that you could see the proxy's cert in the website's response?

============================================================================

Explicit:

1487080501.105 297 192.168.111.23 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.dhruv.com:443/ - DIRECT/www.dhruv.com - DECRYPT_CUSTOMCAT_7-babi_ssl_policy-corpusers-NONE-NONE-NONE-DefaultGroup <C_SSLB,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",1.05,0,-,"-","-",-,"-",-,-,"-","-"> -

Transparent: 
1487080501.457 352 192.168.111.23 TCP_MISS_SSL/404 229 GET https://www.dhruv.com:443/favicon.ico - DIRECT/www.dhruv.com text/plain DEFAULT_CASE_12-My_Corp_Policy-corpusers-NONE-NONE-NONE-DefaultGroup <nc,ns,0,"-",0,0,0,1,"-",-,-,-,"-",0,262686,"-","-",-,-,nc,nc,"Unknown","-","Unknown","Unknown","-","-",5.20,0,-,"Unknown","-",-,"-",-,-,"-","-"> -

=============================================================

Regards,

Dhruv 

In the Issuer Name you should be able to see your WSA's certificate.
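Added example (not part of any post in this thread and not Cisco code): a small Python parser for the two access-log entries quoted above, which reports the HTTPS decision logged on the CONNECT and counts later `https://` requests whose method and path the proxy recorded. The field order in the regex is an assumption read off those two lines, and `SAMPLE_LOG`, `LINE_RE`, `HTTPS_DECISIONS` and `summarize_https` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# Access-log entries from the thread; the <...> verdict block is abbreviated.
SAMPLE_LOG = """\
1487080501.105 297 192.168.111.23 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.dhruv.com:443/ - DIRECT/www.dhruv.com - DECRYPT_CUSTOMCAT_7-babi_ssl_policy-corpusers-NONE-NONE-NONE-DefaultGroup <C_SSLB,...> -
1487080501.457 352 192.168.111.23 TCP_MISS_SSL/404 229 GET https://www.dhruv.com:443/favicon.ico - DIRECT/www.dhruv.com text/plain DEFAULT_CASE_12-My_Corp_Policy-corpusers-NONE-NONE-NONE-DefaultGroup <nc,...> -
"""

# Assumed field order: time, elapsed, client, result/status, bytes, method,
# URL, user, hierarchy/server, MIME type, ACL decision tag, <verdicts>.
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<result>\w+)/(?P<status>\d+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\w+/\S+\s+\S+\s+(?P<acl>\S+)\s+<"
)
HTTPS_DECISIONS = ("DECRYPT", "PASSTHRU", "DROP")


def summarize_https(log_text):
    """Return {(client, host): {"decision", "tag", "inner_requests"}}."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        url = urlsplit(m["url"])
        key = (m["client"], url.hostname)
        entry = summary.setdefault(
            key, {"decision": None, "tag": None, "inner_requests": 0})
        tag = m["acl"].split("-", 1)[0]  # e.g. DECRYPT_CUSTOMCAT_7
        decision = tag.split("_", 1)[0]
        if m["method"] == "CONNECT" and decision in HTTPS_DECISIONS:
            entry["decision"], entry["tag"] = decision, tag
        elif url.scheme == "https":
            # Method and path of an https URL are only visible to the proxy
            # after it has terminated the client's TLS session.
            entry["inner_requests"] += 1
    return summary


if __name__ == "__main__":
    for (client, host), info in summarize_https(SAMPLE_LOG).items():
        print(client, host, info)
```

This reads only the proxy's side of the transaction; what the browser received is confirmed on the client by checking the Issuer of the presented certificate, as the last reply says.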
