Cisco Support Community
New Member

White list for live web chat program to work ?

We have just had a new ASA5510 installed and I'm trying to get a live web chat program to run.

I have contacted the web chat providers and they have said I need to whitelist:

*.providesupport.com

and

ds.ds2ps.net
ds.ds3ps.co.uk

Is this an easy thing to do? We have around 30 PCs that will run this?

Where would I go to whitelist?

Many thanks for your time.

3 REPLIES

Re: White list for live web chat program to work ?

Hi Ian,

One question...

Are the computers behind the ASA able to access those sites right now?

The reason I ask is because the ASA normally doesn't whitelist or blacklist, but either permits or denies based on TCP/UDP ports.

So, the internal devices can access the Internet on port 80 or they cannot.

Using the Modular Policy Framework, you can configure access to some webpages specifically.

Also I think that if the ASA has a CSC module, then you can whitelist some sites as well.

Is this what you're looking for?

Federico.

Cisco Employee

Re: White list for live web chat program to work ?

Please let us know if you have http inspection enabled on the module and, if yes, provide the "sh run class-m", "sh run policy-map", "sh run service-policy".

Also check if you have a CSC module in your ASA.

I hope it helps.

PK

Re: White list for live web chat program to work ?

Hi Ian,

Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit?  If so, you can probably use just your ASA.  Otherwise you're going to want a good web filtering/proxy solution.  Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source.)


Otherwise you can also tie the ASA directly into a filtering product like WebSense; check out the ASA documentation.


When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior.  A better option is to use WPAD (web proxy auto-detect) and have your browsers point to and/or be explicitly configured to use the proxy.


You can use a combination of regex & HTTP inspection with ASA 7.2+ code to achieve this:



regex YOUTUBE "youtube\.com"

policy-map type inspect http xyz
 parameters
  protocol-violation action drop-connection log
 match request header host regex YOUTUBE
  drop-connection log

policy-map global_policy
 class inspection_default
  .
  .
  < SNIP..>
  .
  .
  inspect http xyz


A good example can be found at


http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP


Another example at

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

Please rate if you find it informative.


HTH

Sachin Garg
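
The same regex and HTTP inspection technique turned into a whitelist for the three hostnames from the original question, as an added example that is not part of any reply in this thread; the object names CHAT_PS, CHAT_DS2, CHAT_DS3, CHAT_HOSTS and chat_allow are made up for illustration. With this policy applied, cleartext HTTP requests to any other Host are dropped and logged.

```cisco
! Added example; all object names (CHAT_*, chat_allow) are hypothetical.
! The hostnames are the three the chat provider listed in the question.
regex CHAT_PS "\.providesupport\.com"
regex CHAT_DS2 "ds\.ds2ps\.net"
regex CHAT_DS3 "ds\.ds3ps\.co\.uk"
!
! Group the patterns so a single match statement covers all of them.
class-map type regex match-any CHAT_HOSTS
 match regex CHAT_PS
 match regex CHAT_DS2
 match regex CHAT_DS3
!
! "match not" inverts the test: a request whose Host header matches
! none of the CHAT_HOSTS patterns is dropped and logged.
policy-map type inspect http chat_allow
 parameters
  protocol-violation action drop-connection log
 match not request header host regex class CHAT_HOSTS
  drop-connection log
!
! Attach the inspection map the same way as in the reply above.
policy-map global_policy
 class inspection_default
  inspect http chat_allow
```

HTTP inspection only sees the Host header of cleartext HTTP, so HTTPS sessions are not matched by this policy. The regexes are unanchored substring matches, so a Host value that merely contains one of these strings also passes.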
