Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cannot block https proxies ...

For some reason

I checked the firewall to verify 443 traffic was still being sent to the WSA
The decryption policy was set to Monitor.
Changed this to Decrypt.
Verified that it is set to Block in the Access Policies.

Policy Trace seems to not work for http ... everything comes back "Transaction permitted" with no webcat listed.
For https, testing a proxy site comes back:
URL Category: Proxies & Translators
Policy Match:
... (all global, which has Proxies set to Monitor now)
Request completed
Details: PASSTHRU_ADMIN

Tailing the grep does no good ... it's only showing when I attempt https, not https, but https traffic is indeed being forwarded from the same place https is.

Any help would be appreciated.

3 REPLIES
New Member

Re: Cannot block https proxies ...

Gawayne,

What is the WBRS score of the site that you are attempting to access? If the WBRS score is 6+ or greater, the HTTPS action will be Pass Through.

If the score is incorrectly high, we may need to report this to IronPort in order to have the score adjusted accordingly.

New Member

Re: Cannot block https proxies ...

I've scoured both your site and the WSA admin panel, but can't find anything referencing where to look up this information. I see where to look up the categorisation and Webroot score, but no WBRS ...

Although ... how does allowing a blocked category make sense, no matter what the web reputation is, though?

FYI: particular site in question is: www.kproxy.com (and it's sub servers -- server1. server2. server3. etc)

New Member

Re: Cannot block https proxies ...

Gawayne,

You can verify the WBRS score from the access logs. Here is a sample access log line:

Thu Dec 11 10:42:02 2008 22 10.1.1.29 TCP_MISS/200 66187 GET http://www.foxnews.com/ DOMAIN\user@AD DIRECT/www.foxnews.com text/html ALLOW_WBRS-WhiteList-DefaultRouting - News -

I've checked the score and the score is -0.70

The reason the WBRS score is relevant is that if an HTTPS site has a 6.0+ score it will be "passed through" the WSA. Any traffic that is passed through is essentially allowed through the WSA, since the stream will be encrypted between the client and the web server.

This behavior can be changed via the HTTPS WBRS policies.

I recommend opening up a support ticket, as this is probably going to require some further specific troubleshooting.

406
Views
0
Helpful
3
Replies