Cisco Cisco Web Security Appliance S690 User Guide
A-7
AsyncOS 9.2 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
HTTPS/Decryption/Certificate Problems
For an HTTPS page passed through via the default category, the Client Hello is sent before receipt of a
Client Hello from the requestor, and the connection fails. For an HTTPS page passed through via a
custom URL category, the Client Hello is sent after the Client Hello is received from the requestor, and
the connection is successful.
Client Hello from the requestor, and the connection fails. For an HTTPS page passed through via a
custom URL category, the Client Hello is sent after the Client Hello is received from the requestor, and
the connection is successful.
As a remedy, you can create a custom URL category with a pass-through action for SSL 3.0-only-compatible
Web pages.
Web pages.
Bypassing Decryption for Particular Websites
Some HTTPS servers do not work as expected when traffic to them is decrypted by a proxy server, such
as the Web Proxy. For example, some websites and their associated web applications and applets, such
as high security banking sites, maintain a hard-coded list of trusted certificates instead of relying on the
operating system certificate store.
as the Web Proxy. For example, some websites and their associated web applications and applets, such
as high security banking sites, maintain a hard-coded list of trusted certificates instead of relying on the
operating system certificate store.
You can bypass decryption for HTTPS traffic to these servers to ensure all users can access these types
of sites.
of sites.
Step 1
Create a custom URL category that contains the affected HTTPS servers by configuring the Advanced
properties.
properties.
Step 2
Create a Decryption Policy that uses the custom URL category created in
Step 1
as part of its
membership, and set the action for the custom URL category to Pass Through.
Conditions and Restrictions for Exceptions to Blocking for Embedded and
Referred Content
Referred Content
Referrer-based exceptions are supported only in Access policies. To use this feature with HTTPS traffic,
before defining exceptions in Access policies, you must configure HTTPS decryption of the URL
Categories that you will select for exception. However, this feature will not work under certain conditions:
before defining exceptions in Access policies, you must configure HTTPS decryption of the URL
Categories that you will select for exception. However, this feature will not work under certain conditions:
•
If the connection is tunneled and HTTPS decryption is not enabled, this feature will not work for
requests going to HTTPS sites.
requests going to HTTPS sites.
•
According to RFC 2616, a browser client could have a toggle switch for browsing
openly/anonymously, which would respectively enable/disable the sending of Referer and from
information. The feature is exclusively dependent on the Referer header, and turning off sending
them would cause our feature not to work.
openly/anonymously, which would respectively enable/disable the sending of Referer and from
information. The feature is exclusively dependent on the Referer header, and turning off sending
them would cause our feature not to work.
•
According to RFC 2616, clients should not include a Referer header field in a (non-secure) HTTP
request if the referring page was transferred with a secure protocol. So, any request from an
HTTPS-based site to an HTTP-based site would not have the Referer header, causing this feature to
not work as expected.
request if the referring page was transferred with a secure protocol. So, any request from an
HTTPS-based site to an HTTP-based site would not have the Referer header, causing this feature to
not work as expected.
•
When a Decryption policy is set up such that when a custom category matches the Decryption policy
and the action is set to Drop, any incoming request for that category will be dropped, and no
bypassing will be done.
and the action is set to Drop, any incoming request for that category will be dropped, and no
bypassing will be done.