In transparent mode HTTPS Proxy must be activated for HTTPS traffic.
If you don't want particular users to access certain HTTPS sites without decryption, you can define those URLs in custom URL categories and then, under Decryption Policies:
1. Exclude that custom URL category from the global decryption policy.
2. Create a new decryption policy for those identities whose requests you want to block, and under Categories include that custom URL category. The default action you will get for this category is Monitor.
3. If you leave it as such, the appliance continues to evaluate the client request against the other policy group control settings, such as web reputation filtering. Alternatively, use the Drop action if you do not want to pass the connection request to the server. The appliance does not notify the user that it dropped the connection.
Thanks for the reply. You advise to start with a new Decryption Policy for Guest users. So I have now created several Decryption Policies, for Guests, Authenticated Users and VIP Users. The Guest URL Filtering is set to Drop many categories and to Pass Through the rest, and the VIP Policy drops only the worst categories (Porn, etc.) and Passes Through most. If I set the HTTPS Filter to Monitor, then it will decrypt.
I think it is working as I need it, but as a Guest User I can still bypass the IronPort block by entering http://www.youtube.com into Internet Explorer v8 (XP SP3). However, on the same PC with Firefox v28, https://www.youtube.com is blocked. (IE8 detects the traffic as "SRCH" traffic to 126.96.36.199:443; Firefox detects category "VID" to 188.8.131.52:443.)
I'll do some more testing, then feed back to the forum again.
PS. What I don't like about the solution: I need to set up two sets of URL Category Filters, one for the HTTPS proxy (under Decryption Policies) and one for the HTTP proxy (under Access Policies), even though I want the same group-based filters for HTTP and HTTPS. I did not expect to have to set up two separate sets of filters.
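As an added illustration (not code from the original thread or from Cisco), here is a small Python model of the evaluation order the replies describe: an HTTPS request is checked against the Decryption Policies first, and only a request that is not dropped or passed through (plus every plain HTTP request) goes on to the Access Policies. The policy names, the custom category, its hostnames and the identity groups are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit
# Custom URL category -> hostnames (constructed for the example)
CUSTOM_CATEGORIES = {"VideoSites": {"www.youtube.com", "youtube.com"}}

@dataclass
class Policy:
    name: str
    identities: set   # identity groups the policy applies to; {"*"} = global
    actions: dict     # category -> action; anything not listed gets `default`
    default: str = "monitor"

def categorize(url):
    """Map a URL to a custom category, or 'Uncategorized'."""
    host = (urlsplit(url).hostname or "").lower()
    for cat, hosts in CUSTOM_CATEGORIES.items():
        if host in hosts:
            return cat
    return "Uncategorized"

def first_match(policies, identity):
    """Policies are checked top-down; the first identity match wins."""
    for p in policies:
        if "*" in p.identities or identity in p.identities:
            return p
    raise LookupError("no policy matched %r" % identity)

def evaluate(identity, url, decryption_policies, access_policies):
    """Return (policy_name, action) for one request. HTTPS goes through the
    Decryption Policies first; drop/passthrough ends evaluation there, while
    monitor/decrypt (and all plain HTTP) falls through to Access Policies."""
    cat = categorize(url)
    if urlsplit(url).scheme == "https":
        dp = first_match(decryption_policies, identity)
        action = dp.actions.get(cat, dp.default)
        if action in ("drop", "passthrough"):
            return dp.name, action
    ap = first_match(access_policies, identity)
    return ap.name, ap.actions.get(cat, ap.default)

# Constructed policy tables mirroring the setup described in the thread
DECRYPTION = [
    Policy("Guest-Decrypt", {"Guest"}, {"VideoSites": "drop"}),
    Policy("VIP-Decrypt", {"VIP"}, {"VideoSites": "passthrough"}),
    Policy("Global-Decrypt", {"*"}, {}),   # custom category excluded (step 1)
]
ACCESS = [
    Policy("Guest-Access", {"Guest"}, {"VideoSites": "block"}, default="allow"),
    Policy("Global-Access", {"*"}, {}, default="allow"),
]
```

The Guest identity only blocks plain-HTTP YouTube because Guest-Access carries the same category entry; remove it and http:// URLs are allowed while https:// is still dropped, which is exactly the duplicated filter set the PS above describes.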