Cisco Support Community

Question to experts: how does the WSA / Ironport handle webmail policies?

Hi there,

Probably a very simple question, yet I don't have a WSA for my labs, so here is the situation:

I'd like to block some users from downloading attachments on the webmail portals (like Yahoo and Gmail), yet allow them to send normal text-only emails. From what I know of the IronPort and WSA data sheets, this is something those appliances are perfectly capable of.

My question is: could someone explain to me how they handle those webmail policies, since most webmailer portals are operating on HTTPS?

A deeper insight from someone with hands-on experience would be lovely, since that has become a question of data integrity on my end ;-)

Thank you very much!

 

 

Accepted Solution

To catch the HTTPS traffic, you implement the HTTPS proxy (it's on the box). Since it's a proxy, there are 2 SSL conversations happening, one from the WSA to the web site, and one between the client and the WSA.

Attached is a Cisco doc that shows you how to set it up.

 

The "hard part" is deciding how you'll do the cert on the client side.  You can either take the WSA's demo cert and get all of your clients to trust it.  Or get a cert all of your clients trust and put it on the WSA (easy way to do this is with a MS Enterprise Cert server).  There are other discussions in this forum about that...
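The certificate choice described in the accepted answer, as an added lab example (not part of the original post and not Cisco's code): using the openssl CLI, it builds a constructed stand-in for the proxy's signing certificate, signs a leaf for a made-up site name the way the client-side conversation would present it, and shows that validation fails until that signing certificate is a trust anchor on the client. All subjects, file names and the host name webmail.example.test are assumptions.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: every subject, host name and file here is made up.
# Minimal config so the result does not depend on the system openssl.cnf.
write_cfg() {
  cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# new_ca <dir> <file stem> <subject CN>: self-signed CA certificate and key.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/lab.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_lab_pki <dir>: a proxy signing CA, an unrelated CA, and a leaf for the
# site name signed by the proxy CA (what the client sees behind the proxy).
make_lab_pki() {
  write_cfg "$1" &&
  new_ca "$1" proxy-ca "Lab Proxy Signing CA" &&
  new_ca "$1" other-ca "Lab Unrelated Root" &&
  openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" \
    -subj "/CN=webmail.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/proxy-ca.pem" \
    -CAkey "$1/proxy-ca.key" -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# client_trusts <trust anchor pem> <leaf pem>: exit 0 only if the chain validates.
client_trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# issuer_of <pem>: the issuer a user would see in the browser's certificate viewer.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

lab=$(mktemp -d)
make_lab_pki "$lab" || { echo "openssl failed"; exit 1; }
issuer_of "$lab/leaf.pem"
client_trusts "$lab/other-ca.pem" "$lab/leaf.pem" && echo "without proxy CA: trusted" || echo "without proxy CA: certificate warning"
client_trusts "$lab/proxy-ca.pem" "$lab/leaf.pem" && echo "with proxy CA: trusted" || echo "with proxy CA: certificate warning"
rm -rf "$lab"
```

The issuer printed for the leaf is the proxy's signing CA rather than a public CA, which is also a quick way to confirm from a client whether a given session is being decrypted.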

 

 

3 REPLIES


Community Member

Thank you very much, that PDF helped quite a lot!
