Cisco Web Security Appliance S360 User Guide
AsyncOS 8.5 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Logging Problems
HTTPS Request Failures
HTTPS with IP-based Surrogates and Transparent Requests
If the HTTPS request comes from a client that does not have authentication information available from
an earlier HTTP request, AsyncOS either fails the HTTPS request or decrypts the HTTPS request in
order to authenticate the user, depending on how you configure the HTTPS Proxy. Use the HTTPS
Transparent Request setting on the Security Services > HTTPS Proxy page to define this behavior. Refer
to the Enabling HTTPS Proxy section in the Decryption Policies chapter.
Bypassing Decryption for Particular Websites
Some HTTPS servers do not work as expected when traffic to them is decrypted by a proxy server, such
as the Web Proxy. For example, some websites and their associated web applications and applets, such
as high-security banking sites, maintain a hard-coded list of trusted certificates instead of relying on the
operating system certificate store.
You can bypass decryption for HTTPS traffic to these servers to ensure all users can access these types
of sites.
Step 1
Create a custom URL category that contains the affected HTTPS servers by configuring the Advanced
properties.
Step 2
Create a Decryption Policy that uses the custom URL category created in Step 1 as part of its
membership, and set the action for the custom URL category to Pass Through.
Alert: Problem with Security Certificate
Typically, the root certificate information you generate or upload in the appliance is not listed as a trusted
root certificate authority in client applications. By default in most web browsers, when users send
HTTPS requests, they will see a warning message from the client application informing them that there
is a problem with the website’s security certificate. Usually, the error message says that the website’s
security certificate was not issued by a trusted certificate authority or the website was certified by an
unknown authority. Some other client applications neither show this warning message to users nor allow
users to accept the unrecognized certificate.
Note
Mozilla Firefox browsers: The certificate you upload must contain
“basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows
Firefox to recognize the root certificate as a trusted root authority.
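A pre-upload check for the Firefox requirement in the note above, as an added example that is not part of the Cisco guide: `has_ca_true` reads a PEM certificate with the `openssl` command-line tool and reports whether its Basic Constraints extension carries CA:TRUE. The function names and the throwaway certificates built by `make_sample_root` are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify basicConstraints CA:TRUE on a root certificate
# before uploading it to the appliance. Function names are illustrative.

# has_ca_true CERT.pem
# Exit status 0 only if the Basic Constraints extension says CA:TRUE.
has_ca_true() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# make_sample_root OUT.pem CA:TRUE|CA:FALSE
# Builds a constructed, throwaway self-signed certificate so the check
# can be exercised on both a compliant and a non-compliant file.
make_sample_root() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed Sample Root
[ext]
basicConstraints = critical,$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/req.cnf" -keyout "$dir/key.pem" -out "$1" 2>/dev/null
    rc=$?
    rm -rf "$dir"   # the sample private key is discarded immediately
    return $rc
}

# Usage: sh check_ca.sh root.pem
if [ "$#" -ge 1 ]; then
    if has_ca_true "$1"; then
        echo "$1: basicConstraints CA:TRUE present"
    else
        echo "$1: basicConstraints CA:TRUE missing" >&2
        exit 1
    fi
fi
```

A certificate that fails this check should be regenerated with the extension set rather than uploaded.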