HTTPS Proxy errors

mbilgrav (Level 3)

I run a setup with SSL unwrapping, aka HTTPS proxy.
I am starting to see sites giving warnings, like these:

The setup is a WSA S360, version 7.7.0-761 (latest), with a PAC file for the client settings.
This PAC file is GPO'ed to the Windows clients. The cert from the internal PKI is imported on the WSA, and it works on many, many sites.

https://registration.preemptive.com
- Uses a GoDaddy Cert

https://support.logitech.com/
- Using a DigiCert Global

I see low encryption (128 bits) on a standalone outside PC, for both URLs, and I see a warning in Chrome.

But most of all, I see the WSA giving warnings in the client browser, and I have some tools that use proxy settings within the app, but these apps just plain fail.
I guess they can't handle the warnings, and then just exit ...

I have a category/policy to bypass, but I really just want the unwrapping to work, not a bypass.

What can be done?

Accepted Solution

The WSA HTTPS proxy sometimes fails on intermediate certs.  If you upload

On a box that isn't behind the WSA (e.g. separate net, in bypass, etc.), go to the web pages that you're having this issue with.  Click on the "lock" icon in the address box, and download each of the certificates.

Then on the WSA, go to Security Services/HTTPS Proxy.  Click on "Manage Trusted Root Certificates" near the bottom.  Import the certs you've downloaded... Usually you can just do the intermediate ones, and not the roots, as the WSA already has them (e.g. "On Cisco List" = yes).  For some reason I had to keep the MS 2011 one...

Here's what mine looks like.

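The failure the accepted answer works around can be reproduced offline, which is also the quickest way to check, before touching the WSA, whether a given site's problem really is a missing intermediate. The script below is an added example and is not from the original thread or from Cisco: it builds a throwaway root -> intermediate -> leaf PKI with the openssl command-line tool (the only dependency assumed; every name, key and certificate is generated on the fly and is not real), splits a server-sent chain into individual certificates the way you would with a browser export, classifies each one as root, intermediate or leaf, and then shows that the leaf fails to verify against the root alone and succeeds once the intermediate is supplied, which is exactly the before and after of importing that intermediate on the proxy.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the "missing
# intermediate" failure with openssl and pick out which certificate from a
# server-sent chain a proxy that cannot chain the leaf would need.
# Assumption: only the openssl CLI is available. All certificates, keys and
# names below are generated here for a throwaway "Example" PKI; none is real.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate the PKI. Runs in a subshell so the cd does not leak into the caller.
make_pki() (
    cd "$WORK" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=Example $name" >/dev/null 2>&1
    done
    # Root: self-signed, with CA extensions.
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 \
        -extfile ca.ext >/dev/null 2>&1
    # Intermediate: issued by the root, itself a CA.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 2 -extfile ca.ext >/dev/null 2>&1
    # Leaf: issued by the intermediate, not a CA.
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 2 -extfile leaf.ext >/dev/null 2>&1
    # What a correctly configured web server sends: leaf, then intermediate, no root.
    cat leaf.pem int.pem > served_chain.pem
)

# Split a PEM bundle (a browser export, or the output of "openssl s_client
# -showcerts") into cert-1.pem, cert-2.pem, ... in the order they appear.
split_chain() {  # $1 = bundle file, $2 = output directory
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/cert-" n ".pem") }' "$1"
}

# Number of certificates in a PEM file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Classify one certificate: root (self-issued), intermediate (a CA issued by
# someone else) or leaf. The intermediates are the ones worth importing.
cert_kind() {  # $1 = PEM file
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo root
    elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo intermediate
    else
        echo leaf
    fi
}

# The proxy's trust decision, emulated: $2 is the trusted root store and $3
# holds any extra (untrusted but usable) certificates the verifier was given.
# Exit status 0 means the leaf chains to a trusted root.
leaf_verifies() {  # $1 = leaf PEM, $2 = trusted roots PEM, $3 = extra certs PEM (may be empty)
    if [ -s "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

make_pki
split_chain "$WORK/served_chain.pem" "$WORK"
for f in "$WORK"/cert-*.pem; do
    printf '%s: %s\n' "$(basename "$f")" "$(cert_kind "$f")"
done
: > "$WORK/nothing.pem"
# Leaf alone against the root store: the proxy's situation before the import.
if leaf_verifies "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/nothing.pem"; then
    echo "leaf alone: verifies"
else
    echo "leaf alone: FAILS (no local issuer certificate for the leaf)"
fi
# Same leaf with the intermediate supplied: the situation after the import.
if leaf_verifies "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/cert-2.pem"; then
    echo "with intermediate: verifies"
fi
```

Against a live site, the bundle to feed split_chain is the output of openssl s_client -connect host:443 -servername host -showcerts, which prints every certificate the server actually sent; if cert_kind reports no intermediate in it, the server is omitting one and a proxy with only a root store has nothing to chain through. Before importing anything into the trusted list, compare the intermediate's openssl x509 -noout -fingerprint -sha256 with the value the CA publishes for it, since whatever goes into that list is trusted for decryption from then on, and note that intermediates rotate and expire, so the same site can start failing again when its CA switches to a new one.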
3 Replies

mbilgrav (Level 3)

Hi,

You are a lifesaver!

This just did it ...

So in my setup, with many WSAs centrally managed by M600 boxes, do I then have to import this cert into each one on a one-by-one basis?

If this is the case, the bypass option can sometimes be more tempting, to get stuff to work fast ...

In my opinion, bypass is BAD, BAD, BAD, because nothing gets looked at when it's in bypass: no AV, no AVC, nothing...

I don't have an M box, so I'm not sure if you can push the certs via the config...  You'll have to dig into that yourself.

Ken
