Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
New Member

WSA how to filter HTTPS urls without decrypting

 
Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Hi, When you create a

Hi,

 

When you create a Decryption policy, under the Section Identities you get an option to select "Guests(users failing authentication)". 

So here's what you can try:

- Create a Decryption policy for only guest users. 

- Under URL filtering select the categories you want to block for the unauthenticated users like Social Networking, Streaming Audio/Video etc.

- In the default policy, you can select the traffic to "Pass through" or "Monitor" so that for the other users, the traffic is not decrypted.

 

Please Note: For this to work properly, the option "Decrypt for Authentication" under HTTPS proxy settings must be enabled.

 

Please refer to Chapter 11 "Create Decryption Policies to Control HTTPS Traffic" for more information.

 

Regards,

Kush

4 REPLIES
Silver

In transparent mode HTTPS

In transparent mode HTTPS Proxy must be activated for HTTPS traffic.

If you don't want particular users to access certain https sites with out decryption , you can define those urls in custom url categories and under decryption policies :

1. Exclude that custom url category from global decryption policy

2. Create new decryption policy for those identities you want to block request and then under categories include that custom url. Default action you will get for this category is monitor .

3. If you leave it as such then it continues to evaluate the client request against other policy group control settings, such as web reputation filtering or you can use drop action if you do not want to  pass the connection request to the server. The appliance does not notify the user that it dropped the connection.

 

HTH

"Please rate useful posts"

New Member

Dear Poonam, Thank you for

Dear Poonam, Thank you for the feedback.

Yes, HTTPS Proxy is activated, and I have loaded a Cert from my Active Directory CA.

My requirements is simple:

- unauthenticated users: Block:  Social_Networking and Streaming_Video. This must block HTTP and HTTPS connections to FACEBOOK and YOUTUBE

- authenticated users in AD Group=MultiMedia:  Allow: Social_Networking and Streaming_Video. This must pass  HTTP and HTTPS without decryption 

I do not have any special Custom URLs, I want to use the WSA categories.

I have tried to create Decryption Policies and Access Policies, but it does not meet my requirement.

 

Can you think how to meet my requirement.

Martin

 

Bronze

Hi, When you create a

Hi,

 

When you create a Decryption policy, under the Section Identities you get an option to select "Guests(users failing authentication)". 

So here's what you can try:

- Create a Decryption policy for only guest users. 

- Under URL filtering select the categories you want to block for the unauthenticated users like Social Networking, Streaming Audio/Video etc.

- In the default policy, you can select the traffic to "Pass through" or "Monitor" so that for the other users, the traffic is not decrypted.

 

Please Note: For this to work properly, the option "Decrypt for Authentication" under HTTPS proxy settings must be enabled.

 

Please refer to Chapter 11 "Create Decryption Policies to Control HTTPS Traffic" for more information.

 

Regards,

Kush

New Member

Dear KushThanks for the reply

Dear Kush

Thanks for the reply.... you advise to start with a new Decryption Policy for Guest users. So I have now created several Decryption Policies, for Guests, Authenticated Users, VIP Users. The Guest URL Filtering is set to DROP many Categories and to Pass Through the rest, and the VIP Policy drops only the worse categories (Porn, etc) and Pass Through most. If I set the HTTPS Filter=Monitor, then it will decrypt.

I think it is working as I need it, but as a Guest User I can still bypass the Ironport block by entering http://www.youtube.com  into Internet Explorer v8 (XPsp3) - However, on the same PC with Firefox v28 https://www.youtube.com is blocked.  (IE8 detects the traffic as "SRCH" traffic to 74.125.21.95:443, Firefox detects category "VID" to 74.125.196.91:443)

I'll do some more testing, then feedback to the forum again...

Martin

PS. What I don't like about the solution: I need to setup two  sets of URL Category Filters: for the HTTPS proxy (under Decryption Policies) and for the HTTP proxy (under Access Policies)  - even though I want the same Group based filters for HTTP and HTTPS.  I did not expect to have to setup two separate sets of filters.

 

3934
Views
5
Helpful
4
Replies
CreatePlease login to create content