Cisco Support Community
New Member

How to block Open Proxy within WSA

I tested WSA with tools (from: and found that WSA is an open proxy, which means it's vulnerable to being used by spammers to send junk mail.


>>> (smtp dialog with probe email)
<<< 220 ESMTP\r\n
*** ALERT - open proxy detected
Mail message has been sent to <yahya>
Test complete - identified open proxy

How to block this Open Proxy?


Cisco Employee

Re: How to block Open Proxy within WSA

Sounds like you allow HTTP CONNECT to port 25, correct? That means somebody can use telnet to throw a CONNECT at the proxy and then talk SMTP through the so-created HTTP tunnel.

You can specify what ports are supposed to be 'open' in that sense in the Web Access Policies. There you have the field 'Allow CONNECT on Ports:'

It is important here that a blank field used to result in an 'allow all' in versions pre 5.2.0. As this was confusing, we changed the behavior, and as of AsyncOS 5.2 you'll have to enter 1-65536 to allow all ports, while leaving the field blank blocks all ports.

Please let me know if I misunderstood your question - some more info would be handy then. Thanks a lot.
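
The blank-field behaviour described in the reply above, modelled as an added example that is not part of the original thread and is not Cisco code. The field syntax (comma-separated ports and `low-high` ranges), the function names and the sample request lines are assumptions made for illustration.

```python
# Added example, not Cisco code. Field syntax (comma-separated ports and
# "low-high" ranges) is an assumption; all names here are hypothetical.

def parse_ports(field):
    """Turn a field value such as '443, 8443, 20-21' into (low, high) pairs."""
    ranges = []
    for part in field.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        lo, hi = int(low), int(high or low)
        if lo > hi:
            raise ValueError(f"reversed range: {part}")
        ranges.append((lo, hi))
    return ranges

def connect_allowed(field, port, blank_allows_all):
    """blank_allows_all=True models pre-5.2 behaviour, False models 5.2+."""
    ranges = parse_ports(field)
    if not ranges:
        return blank_allows_all
    return any(lo <= port <= hi for lo, hi in ranges)

def allowed_tunnels(request_lines, field, blank_allows_all):
    """Return (host, port) for each CONNECT request the field would permit."""
    allowed = []
    for line in request_lines:
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() != "CONNECT":
            continue  # not a CONNECT request line
        host, sep, port = parts[1].rpartition(":")
        if not sep or not port.isdigit():
            continue  # malformed target, ignore
        if connect_allowed(field, int(port), blank_allows_all):
            allowed.append((host, int(port)))
    return allowed

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT mail.example.net:25 HTTP/1.1",
    "GET http://www.example.com/ HTTP/1.1",
]

if __name__ == "__main__":
    for field, legacy in (("", True), ("", False), ("443", False)):
        print(repr(field), legacy, allowed_tunnels(SAMPLE_REQUESTS, field, legacy))
```

With a blank field, the port 25 tunnel is permitted only under the pre-5.2 semantics; listing `443` explicitly blocks it under either.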


Cisco Employee

Re: How to block Open Proxy within WSA


This information is now published in the IronPort Knowledgebase:


New Member

Re: How to block Open Proxy within WSA


I've just installed an S650 for an ISP for testing and it seems that it's acting as an open proxy.

Currently, it's in explicit proxy for testing purposes on port 8080.
Apart from allowing the specific ports to connect, can we specify a specific range of IPs (which is internal for the ISP), which can use the proxy?

We are running version 5.1.2 for Web build 001


New Member

Re: How to block Open Proxy within WSA


You would need to create a policy group that applies to the subnets you want to be able to proxy. This is your allowed access group.

Change the default policy so that it denies everything (Under 'Applications', just check the boxes to deny HTTP, HTTPS, FTP).
