Cisco Cisco Web Security Appliance S190 Guía Del Usuario
17-3
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 17 Notify End-Users of Proxy Actions
End-User Acknowledgment Page
Access HTTPS and FTP Sites with the End-User Acknowledgment Page
The end-user acknowledgment page works because it displays an HTML page to the end user that forces
them to click an acceptable use policy agreement. After users click the link, the Web Proxy redirects
clients to the originally requested website. It keeps track of when users accepted the end-user
acknowledgment page using a surrogate (either by IP address or web browser session cookie) if no
username is available for the user.
them to click an acceptable use policy agreement. After users click the link, the Web Proxy redirects
clients to the originally requested website. It keeps track of when users accepted the end-user
acknowledgment page using a surrogate (either by IP address or web browser session cookie) if no
username is available for the user.
•
HTTPS. The Web Proxy tracks whether the user has acknowledged the end-user acknowledgment
page with a cookie, but it cannot obtain the cookie unless it decrypts the transaction. You can choose
to either bypass (pass through) or drop HTTPS requests when the end-user acknowledgment page is
enabled and tracks users using session cookies. Do this using the
page with a cookie, but it cannot obtain the cookie unless it decrypts the transaction. You can choose
to either bypass (pass through) or drop HTTPS requests when the end-user acknowledgment page is
enabled and tracks users using session cookies. Do this using the
advancedproxyconfig > EUN
CLI
command, and choose bypass for the “Action to be taken for HTTPS requests with Session based
EUA (“bypass” or “drop”).” command.
EUA (“bypass” or “drop”).” command.
•
FTP over HTTP. Web browsers never send cookies for FTP over HTTP transactions, so the Web
Proxy cannot obtain the cookie. To work around this, you can exempt FTP over HTTP transactions
from requiring the end-user acknowledgment page. Do this by creating a custom URL category
using “ftp://” as the regular expression (without the quotes) and defining and Identity policy that
exempts users from the end-user acknowledgment page for this custom URL category.
Proxy cannot obtain the cookie. To work around this, you can exempt FTP over HTTP transactions
from requiring the end-user acknowledgment page. Do this by creating a custom URL category
using “ftp://” as the regular expression (without the quotes) and defining and Identity policy that
exempts users from the end-user acknowledgment page for this custom URL category.
About the End-user Acknowledgment Page
•
When a user is tracked by IP address, the appliance uses the shortest value for maximum time
interval and maximum IP address idle timeout to determine when to display the end-user
acknowledgment page again.
interval and maximum IP address idle timeout to determine when to display the end-user
acknowledgment page again.
•
When a user is tracked using a session cookie, the Web Proxy displays the end-user acknowledgment
page again if the user closes and then reopens their web browser or opens a second web browser
application.
page again if the user closes and then reopens their web browser or opens a second web browser
application.
•
Using a session cookie to track users when the client accesses HTTPS sites or FTP servers using
FTP over HTTP does not work.
FTP over HTTP does not work.
•
When the appliance is deployed in explicit forward mode and a user goes to an HTTPS site, the
end-user acknowledgment page includes only the domain name in the link that redirects the user to
the originally requested URL. If the originally requested URL contains text after the domain name,
that text is truncated.
end-user acknowledgment page includes only the domain name in the link that redirects the user to
the originally requested URL. If the originally requested URL contains text after the domain name,
that text is truncated.
•
When the end-user acknowledgment page is displayed to a user, the access log entry for that
transaction shows OTHER as the ACL decision tag. This is because the originally requested URL
was blocked, and instead the user was shown the end-user acknowledgment page.
transaction shows OTHER as the ACL decision tag. This is because the originally requested URL
was blocked, and instead the user was shown the end-user acknowledgment page.
Configuring the End-User Acknowledgment Page
You can enable and configure the end-user acknowledgment page in the web interface or the command
line interface. When you configure the end-user acknowledgment page in the web interface, you can
include a custom message that appears on each page.
line interface. When you configure the end-user acknowledgment page in the web interface, you can
include a custom message that appears on each page.
In the CLI, use
advancedproxyconfig > eun
.
Before You Begin
•
To configure the display language and customize the displayed logo, see