Cisco Cisco Web Security Appliance S680 Guía Del Usuario
A-9
AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
HTTPS/Decryption/Certificate Problems
As a result, transparently redirected HTTPS transactions only match Routing Policies that do not
define Routing Policy Group membership criteria by URL category. If all user-defined Routing Policies
define their membership by URL category, transparent HTTPS transactions match the Default Routing
Policy Group.
define Routing Policy Group membership criteria by URL category. If all user-defined Routing Policies
define their membership by URL category, transparent HTTPS transactions match the Default Routing
Policy Group.
HTTPS Request Failures
•
•
HTTPS with IP-based Surrogates and Transparent Requests
If the HTTPS request comes from a client that does not have authentication information available from
an earlier HTTP request, AsyncOS either fails the HTTPS request or decrypts the HTTPS request in
order to authenticate the user, depending on how you configure the HTTPS Proxy. Use the HTTPS
Transparent Request setting on the Security Services > HTTPS Proxy page to define this behavior. Refer
to the Enabling HTTPS Proxy section in Decryption Policies chapter.
an earlier HTTP request, AsyncOS either fails the HTTPS request or decrypts the HTTPS request in
order to authenticate the user, depending on how you configure the HTTPS Proxy. Use the HTTPS
Transparent Request setting on the Security Services > HTTPS Proxy page to define this behavior. Refer
to the Enabling HTTPS Proxy section in Decryption Policies chapter.
Different Client “Hello” Behavior for Custom and Default Categories
When scanning packet captures, you may notice that the “Client Hello” handshake is sent at different
times for custom category and default (Web) category HTTPS Decryption pass-through policies.
times for custom category and default (Web) category HTTPS Decryption pass-through policies.
For an HTTPS page passed through via the default category, the Client Hello is sent before receipt of a
Client Hello from the requestor, and the connection fails. For an HTTPS page passed through via a
custom URL category, the Client Hello is sent after the Client Hello is received from the requestor, and
the connection is successful.
Client Hello from the requestor, and the connection fails. For an HTTPS page passed through via a
custom URL category, the Client Hello is sent after the Client Hello is received from the requestor, and
the connection is successful.
As a remedy, you can create a custom URL category with a pass-through action for SSL 3.0-only-compatible
Web pages.
Web pages.
Bypassing Decryption for Particular Websites
Some HTTPS servers do not work as expected when traffic to them is decrypted by a proxy server, such
as the Web Proxy. For example, some websites and their associated web applications and applets, such
as high security banking sites, maintain a hard-coded list of trusted certificates instead of relying on the
operating system certificate store.
as the Web Proxy. For example, some websites and their associated web applications and applets, such
as high security banking sites, maintain a hard-coded list of trusted certificates instead of relying on the
operating system certificate store.
You can bypass decryption for HTTPS traffic to these servers to ensure all users can access these types
of sites.
of sites.
Step 1
Create a custom URL category that contains the affected HTTPS servers by configuring the Advanced
properties.
properties.
Step 2
Create a Decryption Policy that uses the custom URL category created in
Step 1
as part of its
membership, and set the action for the custom URL category to Pass Through.