Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
New Member

Dropbox-client behind WSA in WCCP-mode?

Hello

I have just implemented an Ironport WSA at a customer site. It works as expected except for one thing: dropbox clients say that they "cannot establish a secure connection" and wont connect/sync.

The clients are behind a Cisco ASA which WCCP redirects outbound web-traffic (both http and https) to the WSA on inside. The WSA does https decryption and all client trusts the root cert that the WSA uses.

Browsing to https sites in general works fine, and browsing to www.dropbox.com also works without any problem.

Any idea on

6 REPLIES
New Member

Dropbox-client behind WSA in WCCP-mode?

Did you already check the access logs in GUI or grep the logs in real time? How about a capture from the WSA?

Re:Dropbox-client behind WSA in WCCP-mode?

What platform are the clients using? Are these ipads or windows OS also are they using ie or ff to access the dropbox site?


Sent from Cisco Technical Support Android App

Tarik Admani *Please rate helpful posts*
Cisco Employee

Re:Dropbox-client behind WSA in WCCP-mode?

The clients trusts the WSA but that doesn't mean that Dropbox trusts the WSA. It would depend on what trust store the dropbox application uses whether the application trusts the certificate or not. Similar to Firefox having it's own trust store that is independant of the operating systems that I.E. uses. I don't have an answer at this time as I haven't investigated the problem but this might give you some place to look.

New Member

Dropbox-client behind WSA in WCCP-mode?

I've set the category Online Storage and backup to Pass Through in the decryption policy. Just Works fine.

Dropbox-client behind WSA in WCCP-mode?

If you do not wish to allow the entire Online Storage category then you can follow these steps to allow dropbox;

Symptoms:

Dropbox desktop application fails to connect to dropbox.com when traffic is passing through the WSA. This is applicable to both explicit and transparent

Solution:

Dropbox is a free storage service that lets you bring your photos, docs, and videos anywhere and share them.

1. Grep the access logs on the WSA to obtain the IP address of the Dropbox server the network is connecting to dropbox.com.

2. Lookup the subnet for Dropbox.com by using the following URL: https://www.arin.net

You will need to register to the website in order to look up the IP address. Once you have registered and logged in, paste the IP address from the access logs in Step 1 into the search field labeled SEARCH WHOISRWS. This will bring up the CIDR(subnet) which belongs to dropbox. Currently the defined CIDR is 199.47.216.0/22.

3. Create a custom URL category and add the IP subnet, dropbox.com, .dropbox.com to the custom url category. Log into your WSA (GUI)

  • Go to Web Security Manager -> Custom URL Categories
  • Click Add Custom Category and under Sites mention CIDR for Dropbox, dropbox.com, .dropbox.com
  • Submit and Commit the changes

4. Associate the Custom URL category thus created with a new or an existing Identity that has authentication turned off.

5. Associate the above Identity in step 4 with a new or existing Access policy and set the custom URL category for Drop box to "Allow".

Hope this helps.

Best Regards,

Michael Hautekeete

Customer Support Engineer

Cisco Content Security - Web Security Appliance

http://www.cisco.com/en/US/products/ps11169/serv_group_home.html

https://supportforums.cisco.com/community/netpro/security/web

https://supportforums.cisco.com/community/feeds?community=2091

Dropbox-client behind WSA in WCCP-mode?

This article mentions the allow for HTTP, you will also need to add the custom URL category to your decryption policy and set it to pass-through to allow the HTTPS connections to dropbox.com

Best Regards,

Michael Hautekeete

Customer Support Engineer

Cisco Content Security - Web Security Appliance

http://www.cisco.com/en/US/products/ps11169/serv_group_home.html

https://supportforums.cisco.com/community/netpro/security/web

https://supportforums.cisco.com/community/feeds?community=2091

1118
Views
0
Helpful
6
Replies