Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 28 Common Tasks
Bypassing Decryption for specific HTTPS Websites
Step 9
In the Insert Above field, verify this Identity is above all other Identities that require authentication and
below all Identities that do not require authentication.
Step 10
Under Membership Definition, click Advanced to expand the advanced policy options.
Step 11
Click the link next to URL Categories.
Step 12
On the Identities: Policy “WebsitesToBypassAuth”: Membership by URL Categories page, in the
Custom URL Categories section, click in the Add column for the custom URL category created in
.
Step 13
Click Done.
Step 14
Click Submit.
Step 15
Navigate to the Web Security Manager > Access Policies page.
Step 16
Click Add Policy.
Step 17
In the Policy Name field, enter a name for this policy, such as APBypassAuthWebsites.
Step 18
In the Identities and Users field, choose “Select One or More Identities.”
Step 19
In the Identity field, select the Identity created in
Step 20
Submit and Commit your changes.
Now, Microsoft Windows updater running on each client machine will be able to access the multiple
Microsoft servers listed in
to receive Windows updates. Additionally, when users try to access the
partner website listed in
(mypartnersite.com), they are able to view the site with no problem and
without being prompted for their username and password.
Where to Find More Information
You can read the following sections for more detailed information on the steps included in this task:
•
•
•
Bypassing Decryption for specific HTTPS Websites
In this task, you will pass through traffic to specific HTTPS websites. You might want to do this to allow
users to access the HTTPS website, while still inspecting traffic to other websites.
Some websites and web-based applications that use HTTPS do not work when the Web Security
appliance decrypts the traffic between the client and the server. If you trust these HTTPS websites, you
can configure the appliance to pass through traffic from clients to the HTTPS servers instead of
decrypting the traffic to inspect for malware and to enforce acceptable use policies.
For example, users have been complaining about not being able to access a partner website that uses
HTTPS while connected to the local network. IT has learned from reading the Web Security appliance
access logs that the partner’s HTTPS server is not fully RFC compliant with HTTPS and cannot
communicate properly with the HTTPS Proxy when it decrypts traffic between clients and the HTTPS
server. By bypassing all HTTPS traffic to the partner’s website, you can still allow access while
decrypting traffic to other HTTPS servers.
This task assumes that the HTTPS Proxy is enabled and decrypts traffic by default.
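Because pass-through traffic is not inspected for malware or acceptable use, it is worth confirming from the access logs that only the intended sites are passed through. The following script is an added example, not part of the original guide or Cisco's own tooling. It assumes a squid-style access log layout and PASSTHRU_/DECRYPT_ decision tag prefixes; the log lines are constructed, so check the field positions and tag names against your appliance's own logs.

```python
import re
from urllib.parse import urlsplit

# Assumption: sites the administrator intends to pass through (the guide's example).
INTENDED = {"mypartnersite.com"}

# Constructed sample lines. Assumed squid-style layout: time, elapsed, client,
# result/status, bytes, method, URL, user, hierarchy/server, MIME type,
# then a decision tag joined to policy names with "-".
SAMPLE_LOG = """\
1340000000.101 210 10.1.1.20 TCP_CONNECT/200 3120 CONNECT tunnel://mypartnersite.com:443/ - DIRECT/mypartnersite.com - PASSTHRU_CUSTOMCAT-DefaultGroup-NONE-NONE-NONE
1340000001.220 95 10.1.1.21 TCP_CONNECT/200 880 CONNECT tunnel://www.example.org:443/ - DIRECT/www.example.org - DECRYPT_WEBCAT-DefaultGroup-NONE-NONE-NONE
1340000002.310 130 10.1.1.22 TCP_CONNECT/200 4410 CONNECT tunnel://files.example.net:443/ - DIRECT/files.example.net - PASSTHRU_CUSTOMCAT-DefaultGroup-NONE-NONE-NONE
1340000003.400 88 10.1.1.20 TCP_CONNECT/200 610 CONNECT tunnel://portal.mypartnersite.com:443/ - DIRECT/portal.mypartnersite.com - DECRYPT_WBRS-DefaultGroup-NONE-NONE-NONE
1340000004.515 40 10.1.1.23 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/www.example.org text/html DEFAULT_CASE-DefaultGroup-NONE-NONE-NONE
"""

ACTION = re.compile(r"^(PASSTHRU|DECRYPT)_")

def is_intended(host, intended):
    """True if host is an intended site or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in intended)

def audit(log_text, intended=INTENDED):
    """Return (unexpected_passthrough, still_decrypted) host sets."""
    unexpected, still_decrypted = set(), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 11 or fields[5] != "CONNECT":
            continue  # malformed line or not an HTTPS tunnel request
        host = urlsplit(fields[6]).hostname
        match = ACTION.match(fields[10])
        if not host or not match:
            continue
        if match.group(1) == "PASSTHRU" and not is_intended(host, intended):
            unexpected.add(host)       # uninspected traffic outside the bypass list
        elif match.group(1) == "DECRYPT" and is_intended(host, intended):
            still_decrypted.add(host)  # bypass does not match this hostname
    return unexpected, still_decrypted

if __name__ == "__main__":
    unexpected, still_decrypted = audit(SAMPLE_LOG)
    print("Passed through but not on the bypass list:", sorted(unexpected))
    print("On the bypass list but still decrypted:", sorted(still_decrypted))
```

A host in the first set means traffic is leaving uninspected outside the intended scope; a host in the second set means the custom URL category does not match that hostname (here, a subdomain of the partner site).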