Cisco Support Community
Ironport not forwarding HTTPS traffic

We have recently been trying to set up a BYOD wireless network, and the wireless clients that join this network have their traffic routed directly to an Ironport S370 (Ver7.1.4-053), as we do not want the BYOD users to have to configure their proxy settings.

We have created an Identity which matches the subnet given to BYOD devices, with no authentication, and then an Access Policy for filtering. All this works as long as the traffic is HTTP; as soon as you try to access anything using HTTPS, the Ironport seems to drop the traffic, as it never hits the firewall and the page cannot be displayed.

Any domain-joined clients which have the Ironport address set as their proxy work fine.

The Ironport is not set to bypass any addresses in bypass settings.

I am sure there must be a simple answer as to why HTTPS traffic is not being forwarded, and any pointers as to why this is would be greatly appreciated.

Many thanks,

Neil.

1 ACCEPTED SOLUTION


Ironport not forwarding HTTPS traffic

Hi Igor and Neil,

As per the AsyncOS 7.5 documentation, the HTTPS Proxy needs to be enabled to process HTTPS traffic in transparent mode.

The following is the extract from the documentation:

"When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests."

If you do not want to decrypt HTTPS traffic, you can enable the HTTPS Proxy in pass-through mode.

Thanks,
Wipula.
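The documented behaviour above gives a clean client-side differential test: from a BYOD client, plain HTTP to the origin works, a direct TLS handshake (the path that gets transparently redirected) times out with nothing in the access log, while an explicit CONNECT to the appliance succeeds and is logged. The script below is an added example, not Cisco tooling or anything posted in this thread; the proxy host name, the proxy port 3128 and the test site are placeholders (assumptions) to be replaced with your own values.

```python
"""Differential probe for the symptom in this thread (added example).

Runs three probes from the client and maps the pattern of results to the
AsyncOS behaviour quoted in the accepted answer.  Host names, proxy port and
test site are placeholders (assumptions), not values from the thread.
"""
import socket
import ssl

TIMEOUT = 5  # seconds; a transparently dropped TLS flow shows up as a timeout


def probe_direct_http(host, port=80, timeout=TIMEOUT):
    """Plain HTTP sent directly, as a transparently redirected client does."""
    req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            return "ok" if s.recv(64).startswith(b"HTTP/") else "bad-response"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"error:{e.errno}"


def probe_direct_https(host, port=443, timeout=TIMEOUT):
    """TLS handshake sent directly (no proxy configured).  With transparent
    redirection and the HTTPS Proxy disabled this is the flow that is dropped."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError:
        return "tls-error"
    except OSError as e:
        return f"error:{e.errno}"


def probe_connect_via_proxy(proxy_host, proxy_port, host, port=443, timeout=TIMEOUT):
    """Explicit-proxy path: an HTTP CONNECT, which the documentation says the
    Web Proxy passes through (and logs) even with the HTTPS Proxy disabled."""
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(req)
            status = s.recv(64).split(b"\r\n", 1)[0].decode(errors="replace")
            if status.startswith("HTTP/1.") and " 200" in status:
                return "ok"
            return f"proxy-status:{status}"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"error:{e.errno}"


def diagnose(direct_http, direct_https, proxy_https):
    """Map the three probe results to the documented behaviour."""
    if direct_http == "ok" and direct_https == "timeout" and proxy_https == "ok":
        return ("transparent HTTPS dropped: matches AsyncOS with the HTTPS Proxy "
                "disabled (explicit CONNECT passes and is logged, redirected TLS "
                "is dropped with no access-log entry); enable the HTTPS Proxy, "
                "in pass-through mode if you do not want to decrypt")
    if direct_https == "ok":
        return "HTTPS reaches the origin: redirection/HTTPS Proxy is not the blocker"
    if direct_http != "ok":
        return "HTTP also fails: check routing/redirection before blaming the HTTPS Proxy"
    return "inconclusive: check the access log for CONNECT entries and run Policy Trace"


if __name__ == "__main__":
    import sys
    # Placeholders (assumptions): appliance address, proxy port 3128, test site.
    proxy_host = sys.argv[1] if len(sys.argv) > 1 else "ironport.example.internal"
    target = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    results = (probe_direct_http(target),
               probe_direct_https(target),
               probe_connect_via_proxy(proxy_host, 3128, target))
    print("direct HTTP / direct HTTPS / CONNECT via proxy:", results)
    print(diagnose(*results))
```

Run it from a BYOD client with `python3 probe.py <appliance> <site>`. The interesting signal is the combination, not any single probe: if the direct TLS handshake alone times out while the CONNECT through the appliance succeeds, the appliance is seeing the redirected flow and discarding it, which is exactly why Neil's policy trace shows no access-policy match and the firewall never sees the traffic.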

4 REPLIES

Ironport not forwarding HTTPS traffic

Hello Neil,

Is the HTTPS Proxy enabled on your Ironport?

If so, which is the default Decryption Policy? Do you have any configured?

If you do not have the HTTPS Proxy enabled, make sure that HTTPS is not one of the blocked protocols in your Access Policy.

Also, using Policy Trace could help, showing what is going on in your Ironport.

Hope this helps to guide you to the solution.

Best regards,

Igor


Ironport not forwarding HTTPS traffic

Igor,

The HTTPS Proxy is not enabled. I have just run a Policy Trace with an HTTPS address, and it seems it does not match any policy, but I cannot see why it would not match the BYOD access policy.

The result is below:

Policy Match
IronPort Data Security policy: None
Decryption policy: None
Routing policy: Global Routing Policy
Identity policy: BYOD
Access policy: None

The BYOD access policy is set to match the BYOD Identity; I have tried altering the Protocols & User Agents, but this seems to have no effect.

Thanks,

Neil.


Ironport not forwarding HTTPS traffic

Then maybe somebody else can confirm that, in order to be able to view HTTPS sites, the HTTPS Proxy should be enabled?

I know that HTTPS appears as a protocol to enable or block in the Access Policy, but if it's enabled there, then maybe it's because the HTTPS Proxy is a must to view HTTPS websites.
