HTTPS Proxy errors

I run a setup with SSL unwrapping, aka HTTPS proxy.
I am starting to see sites giving warnings, like these:

The setup is a WSA S360, version 7.7.0-761 (latest), with a PAC file for client settings.
This PAC file is pushed to Windows clients via GPO. Certs from the internal PKI are imported on the WSA, and this works on many, many sites.

https://registration.preemptive.com
- Uses a GoDaddy Cert

https://support.logitech.com/
- Using a DigiCert Global

I see low encryption (128 bits) on a standalone outside PC, for both URLs, and I see a warning in Chrome.

But most of all I see the WSA giving warnings in the client browser, and I have some tools that use proxy settings within the app, but these apps just plain fail.
I guess they can't handle the warnings and then just exit ...

I have a category/policy to bypass, but I really just want the unwrapping to work, not a bypass.

What can be done?

ACCEPTED SOLUTION

The WSA HTTPS proxy sometimes fails on intermediate certs. If you upload

On a box that isn't behind the WSA (e.g. separate net, in bypass, etc.) go to the web pages that you're having this issue with. Click on the "lock" icon in the address box, and download each of the certificates.

Then on the WSA, go to Security Services/HTTPS Proxy. Click on "Manage Trusted Root Certificates" near the bottom. Import the certs you've downloaded... Usually you can just do the intermediate ones, and not the roots, as the WSA already has them (e.g. "On Cisco List" = yes). For some reason I had to keep the MS 2011 one...

Here's what mine looks like.
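An added example, not from the original thread and not a WSA feature: the steps above (collect every certificate the site serves from a machine outside the WSA, then upload only the intermediates) done with a script instead of clicking the lock icon in each browser. It assumes you saved the served chain with `openssl s_client -connect support.logitech.com:443 -showcerts < /dev/null > chain.pem` and pass that file's contents to `classify_chain`. The certificates built inline are structurally minimal stand-ins with made-up names ("Example Intermediate CA" and so on) so the script runs offline; they carry no key or signature, and the DER walker reads only the issuer and subject fields, which is all the chain logic needs. It also flags a server that omits its own intermediate, since that is the case where no amount of clicking on the site will give you the certificate to upload.

```python
"""Sort a served certificate chain (e.g. saved from `openssl s_client -showcerts`)
into leaf / intermediates / roots, so only the intermediates are uploaded to the
WSA, and flag any issuer the server failed to send. Standard library only."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def names_from_der(der):
    """Return (issuer Name, subject Name) content bytes of a DER X.509 cert."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)               # version [0] EXPLICIT, else serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)          # issuer Name
    _, _, pos = _tlv(tbs, pos)               # validity
    _, subject, _ = _tlv(tbs, pos)           # subject Name
    return issuer, subject


def common_name(name_der):
    """Best-effort commonName from a DER X.501 Name; falls back to hex."""
    pos = 0
    while pos < len(name_der):
        _, rdn, pos = _tlv(name_der, pos)    # RelativeDistinguishedName ::= SET OF
        _, atv, _ = _tlv(rdn, 0)             # AttributeTypeAndValue ::= SEQUENCE
        _, oid, vpos = _tlv(atv, 0)
        if oid == CN_OID:
            return _tlv(atv, vpos)[1].decode("utf-8", "replace")
    return name_der.hex()


def subject_cn(pem):
    """Subject commonName of a single PEM certificate (display / checks)."""
    der = base64.b64decode(PEM_RE.search(pem).group(1))
    return common_name(names_from_der(der)[1])


def classify_chain(pem_bundle):
    """Split a PEM bundle into leaves / intermediates / roots, plus missing issuers.

    roots:         self-signed (subject == issuer); the WSA usually has these already
    intermediates: signed by another cert and signing something in the bundle;
                   these are what you upload under "Manage Trusted Root Certificates"
    missing:       issuer names no certificate in the bundle has as subject, i.e.
                   the server sent an incomplete chain
    """
    certs = [(m.group(0), *names_from_der(base64.b64decode(m.group(1))))
             for m in PEM_RE.finditer(pem_bundle)]
    subjects = {subj for _, _, subj in certs}
    issuers = {iss for _, iss, _ in certs}
    out = {"leaves": [], "intermediates": [], "roots": [], "missing": []}
    for pem, iss, subj in certs:
        if subj == iss:
            out["roots"].append(pem)
        elif subj in issuers:
            out["intermediates"].append(pem)
        else:
            out["leaves"].append(pem)
        if subj != iss and iss not in subjects:
            out["missing"].append(common_name(iss))
    return out


# ---- constructed sample input: stand-in certificates, NOT real ones -----------
def _der(tag, content):
    """Minimal DER encoder: tag byte, length (short or long form), content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { OID commonName, UTF8String cn }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn_str, issuer_cn_str):
    """Structurally valid-enough Certificate for exercising the chain logic only:
    placeholder validity/key/signature, never usable for TLS."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +                       # version v3
               _der(0x02, b"\x01") +                                  # serialNumber
               _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b"))) +  # sha256WithRSA
               _name(issuer_cn_str) +
               _der(0x30, b"") +                                      # validity placeholder
               _name(subject_cn_str) +
               _der(0x30, b""))                                       # SPKI placeholder
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


# What a well-behaved server sends, in `-showcerts` order: leaf, intermediate, root.
FULL_CHAIN = (fake_cert_pem("support.example.com", "Example Intermediate CA")
              + fake_cert_pem("Example Intermediate CA", "Example Root CA")
              + fake_cert_pem("Example Root CA", "Example Root CA"))
# A server that only sends its leaf: nothing to upload, the intermediate must be
# fetched from the CA's own repository instead.
LEAF_ONLY = fake_cert_pem("support.example.com", "Example Intermediate CA")

if __name__ == "__main__":
    for label, bundle in (("full chain", FULL_CHAIN), ("leaf only", LEAF_ONLY)):
        r = classify_chain(bundle)
        print(f"{label}: upload {[subject_cn(p) for p in r['intermediates']]}, "
              f"roots already expected on WSA {[subject_cn(p) for p in r['roots']]}, "
              f"missing issuers {r['missing']}")
```

Write each entry of `intermediates` to its own .pem file and import those under Security Services > HTTPS Proxy > Manage Trusted Root Certificates; the self-signed entries in `roots` are the ones the WSA normally already lists. If `missing` is non-empty the server sent an incomplete chain, and a desktop browser on an open network may still succeed only because it has that intermediate cached from another site, so fetch the CA certificate from the CA's repository and upload it too.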

 

3 REPLIES


Hi,

You are a lifesaver!

This just did it ...

So in my setup, with many WSAs centrally managed by M600 boxes, do I then have to import this cert into each one on a one-by-one basis?

If this is the case, the bypass option can sometimes be more tempting to get stuff to work fast ...

In my opinion, bypass is BAD, BAD, BAD because nothing gets looked at when it's in bypass: no AV, no AVC, nothing...

I don't have an M box, so I'm not sure if you can push the certs via the config... You'll have to dig into that yourself.

 

Ken
