Problems with accessing websites through IronPort S370
I have a new IronPort S370 set up in explicit forward (proxy) mode.
The system is set up to use NTLM authentication, has an account on the domain, and is able to see users, groups, etc. in the domain. It tests out correctly.
So I built a new access policy that uses the domain realm and placed this policy above the default global policy on the IronPort. I associated a URL filtering policy with it, and put in a handful of websites to test. However, I am running into issues.
When I access some sites, I can get to them. When I access a site like google.com, I get a message that I have to log in (page cannot be displayed).
Looking at the logs, it looks like the IronPort is tunneling all the HTTP traffic, and that 443 is hitting google.com.
Is this correct? What can I do to change/fix this?
The problem seems to be that the Global Access Policy overrides a specific policy I create.
If I create a group, use domain authentication (realm), assign a custom URL category to this group within an access policy (permitting access to certain URLs), and within the global policy block all categories by default, everything gets blocked.
In policy trace, I see the user is found in the directory, the website IP resolves, but the access policy I created is never looked at: only the global policy.