Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

sce2000: sce-url-database

Why http url flavors do not work with https protocol ? How do i control https webs without having VAS platform ?

Appreciate quick discution,

Mihails

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: sce2000: sce-url-database

Hi Mihails,

In a HTTPS transaction, the GET request is encrypted, like the rest of the data payload, so it is not possible for the SCE to identify which URL is requested in an HTTPS transaction.

The solution would be to use an SSL proxy that would terminate the SSL connection from the client, send the HTTP traffic through the SCE and open an other SSL connection to the web server.  In this case, the clients would need to install the CA certificate on their browser otherwise they would receive alarms from their browser for every HTTPS page that they would browse, as the certificate wouldn't match the domain.  Maybe the SSL module for the Cat6k can do that, I am not a specialist in that area...

With the SCE, the only thing you can do about HTTPS traffic is to work with zones and control access per IP address.

Tom

8 REPLIES
Cisco Employee

Re: sce2000: sce-url-database

Hi Mihails,

In a HTTPS transaction, the GET request is encrypted, like the rest of the data payload, so it is not possible for the SCE to identify which URL is requested in an HTTPS transaction.

The solution would be to use an SSL proxy that would terminate the SSL connection from the client, send the HTTP traffic through the SCE and open an other SSL connection to the web server.  In this case, the clients would need to install the CA certificate on their browser otherwise they would receive alarms from their browser for every HTTPS page that they would browse, as the certificate wouldn't match the domain.  Maybe the SSL module for the Cat6k can do that, I am not a specialist in that area...

With the SCE, the only thing you can do about HTTPS traffic is to work with zones and control access per IP address.

Tom

New Member

Re: sce2000: sce-url-database

Thank you Tom,

After creating this thread i have turned my brain on and thought of it by myself. Sometimes it just helps to create a threat to figure something out

New Member

Re: sce2000: sce-url-database

Funny, i was dealing with the same problem today. The solution you mentioned based solely on the SCE doesn't seem scalable, right ? For example, if you want to block a site, for example, one of those social sites we know, we would need a lot of IP addresses in that filter. And we have no guarantess that the IP's will be the same in the future. By the way, i'm very new to SCE and i was asked to blocked some http sites. I didn't use the url-database. I used instead a new service under http-browsing and then i created a new flavor with the sites i want to block. Finally i added the rule to the default package. Is this a good way of configuring it ? Or there is another option ? I've downloaded both the SCE and SCA-BB guides and i don't see to much examples there. How do you guys learn this product ? Assume i need the basics for enterprise setup, without subscriber manager.

Thanks.

Cisco Employee

Re: sce2000: sce-url-database

Hi Antonio,

Blocking based on IP is indeed not very scalable, but I don't see possible other options than the ones I gave.

Your way to work with flavors is indeed a good way to proceed, for http.

I have personally mainly learned it by practicing and being lucky to have access to other experienced engineers.

Don't hesitate to open other threads in the forum if you have specific configuration assistance questions.  For more elaborate assistance, either contact your account manager or SE or open a service request with TAC.

Cheers,

Tom

New Member

Re: sce2000: sce-url-database

Thanks Tom for your comments. They are much appreciated.

Regards,

Antonio Soares

CCIE #18473 (R&S/SP)

Customer Support Engineer

T: +351 214231472

M: +351 963931212

e-mail: antonio.soares@convex.pt

web: www.convex.pt

New Member

Re: sce2000: sce-url-database

The solution you mentioned based solely on the SCE doesn't seem scalable, right ? For example, if you want to block a site, for example, one of those social sites we know, we would need a lot of IP addresses in that filter. And we have no guarantess that the IP's will be the same in the future

-- It is true, cant do much about it. I just stuck with the zones when dealing with https.

By the way, i'm very new to SCE and i was asked to blocked some http sites. I didn't use the url-database. I used instead a new service under http-browsing and then i created a new flavor with the sites i want to block. Finally i added the rule to the default package. Is this a good way of configuring it ? Or there is another option ?

-- url-database is pretty much the same thing as http flavours tab in your sca-bb. But i think url-database has more security features, thou i didnt find a way how to use it in practice.

I've downloaded both the SCE and SCA-BB guides and i don't see to much examples there. How do you guys learn this product ? Assume i need the basics for enterprise setup, without subscriber manager.

-- Depends on what your are going to use that device with. If you want to share traffic activity reports with your boss you need to get to know Collection Manager/types of rdrs. Sce pretty strong with shaping, this might be pretty tricky stuff but its possible to handle it by reading docs(personaly i went to London to get some training, witch was not that great and informative after all ). If you want to become guru at traffic control i guess it just practice/practice/practice. Change services, watch reporter, read sca-bb UG lots of things are covered there.

Good luck m8!

p.s. dont forget to update protocol packs as they comeout.

New Member

Re: sce2000: sce-url-database

http://www.convex.pt/Hi Mihails,

I agree that practice is the way to learn it. I'm more an hands-on guy and i don't like to much reading theory   But the only SCE i have access to is the production one. Doesn't seem good idea to use it for my learning  You said that you went for training: was it the SCA-BB or SCA-D courses ?

Thanks.

Antonio Soares
CCIE #18473 (R&S/SP)
Customer Support Engineer
T: +351 214231472
M: +351 963931212
e-mail: antonio.soares@convex.pt
web: www.convex.pt

New Member

Re: sce2000: sce-url-database

Sca-bb course is mainly for sce operators. It covers basics of CM/SM and mostly about sca-bb console, witch is obvious by the name of the course.

I went to sca-d(stands for deployment). The cource is longer by one or two days and it covers the whole process of plan/deploy/install/configure sce/sm/cm, like you go to site and make everything from scratch as the customers wants. Course also has a big chunk of info about sca-bb,how to use shaping correctly and all that good stuff, but because i had a device for about a month to play /w it before putting it in production i didnt learn much from this course. Of cause the most valuable part was a questions-answers. But if you are totally new to sce u should defenetly try to get sent to one of these.

1565
Views
10
Helpful
8
Replies