Cisco Cisco Web Security Appliance S160 User Guide
16-14
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 16 Notifying End Users
End-User Acknowledgement Page
•
When a user is tracked using a session cookie, the Web Proxy displays the end-user
acknowledgement page again if the user closes and then reopens their web browser or opens a
second web browser application.
acknowledgement page again if the user closes and then reopens their web browser or opens a
second web browser application.
•
Using a session cookie to track users when the client accesses HTTPS sites or FTP servers using
FTP over HTTP does not work. For more information on working around these issues, see
FTP over HTTP does not work. For more information on working around these issues, see
•
When the appliance is deployed in explicit forward mode and a user goes to an HTTPS site, the
end-user acknowledgement page includes only the domain name in the link that redirects the user to
the originally requested URL. If the originally requested URL contains text after the domain name,
that text is truncated.
end-user acknowledgement page includes only the domain name in the link that redirects the user to
the originally requested URL. If the originally requested URL contains text after the domain name,
that text is truncated.
•
When the end-user acknowledgement page is displayed to a user, the access log entry for that
transaction shows OTHER as the ACL decision tag. This is because the originally requested URL
was blocked, and instead the user was shown the end-user acknowledgement page.
transaction shows OTHER as the ACL decision tag. This is because the originally requested URL
was blocked, and instead the user was shown the end-user acknowledgement page.
Accessing HTTPS and FTP Sites with the End-User Acknowledgement Page
The end-user acknowledgement page works because it displays an HTML page to the end user that forces
them to click an acceptable use policy agreement. After users click the link, the Web Proxy redirects
clients to the originally requested website. In keeps track of when users accepted the end-user
acknowledgement page using a surrogate (either by IP address or web browser session cookie) if no
username is available for the user.
them to click an acceptable use policy agreement. After users click the link, the Web Proxy redirects
clients to the originally requested website. In keeps track of when users accepted the end-user
acknowledgement page using a surrogate (either by IP address or web browser session cookie) if no
username is available for the user.
However, using a session cookie to track users when the client accesses HTTPS sites or FTP servers
using FTP over HTTP does not work.
using FTP over HTTP does not work.
•
HTTPS. The Web Proxy tracks whether the user has acknowledged the end-user acknowledgement
page with a cookie, but it cannot obtain the cookie unless it decrypts the transaction. You can choose
to either bypass (pass through) or drop HTTPS requests when the end-user acknowledgement page
is enabled and tracks users using session cookies. Do this using the
page with a cookie, but it cannot obtain the cookie unless it decrypts the transaction. You can choose
to either bypass (pass through) or drop HTTPS requests when the end-user acknowledgement page
is enabled and tracks users using session cookies. Do this using the
advancedproxyconfig > EUN
CLI command, and choose bypass for the “Action to be taken for HTTPS requests with Session
based EUA (“bypass” or “drop”).” command.
based EUA (“bypass” or “drop”).” command.
•
FTP over HTTP. Web browsers never send cookies for FTP over HTTP transactions, so the Web
Proxy cannot obtain the cookie. To work around this, you can exempt FTP over HTTP transactions
from requiring the end-user acknowledgement page. Do this by creating a custom URL category
using “ftp://” as the regular expression (without the quotes) and defining and Identity policy that
exempts users from the end-user acknowledgement page for this custom URL category.
Proxy cannot obtain the cookie. To work around this, you can exempt FTP over HTTP transactions
from requiring the end-user acknowledgement page. Do this by creating a custom URL category
using “ftp://” as the regular expression (without the quotes) and defining and Identity policy that
exempts users from the end-user acknowledgement page for this custom URL category.
Configuring the End-User Acknowledgement Page
You can enable and configure the end-user acknowledgement page in the web interface or the command
line interface. However, when you configure the end-user acknowledgement page in the web interface,
you can include a custom message that appears on each page. You can include some simple HTML tags
in the custom message, such as font color and size.
line interface. However, when you configure the end-user acknowledgement page in the web interface,
you can include a custom message that appears on each page. You can include some simple HTML tags
in the custom message, such as font color and size.
In the CLI, use
advancedproxyconfig > eun
.
To configure the end-user acknowledgement page in the web interface:
Step 1
Navigate to the Security Services > End-User Notification page.
Step 2
Click Edit Settings.