Cisco Cisco Web Security Appliance S360 トラブルシューティングガイド
IE may incorrectly send requests to WSA on
non−proxy port when PAC file is used
non−proxy port when PAC file is used
Document ID: 118153
Contributed by Kei Ozaki and Siddharth Rajpathak, Cisco TAC
Engineers.
Engineers.
Aug 05, 2014
Contents
Question:
Question:
IE may incorrectly send requests to WSA on non−proxy port when PAC file is used
Environment: Cisco Web Security Appliance (Any Version), Internet Explorer 6,7,8
Symptoms: Requests are sent to WSA's non−proxy port and are being blocked/dropped
Under certain circumstances Internet Explorer (IE) may incorrectly send requests to the wrong port on Cisco
Web Security Appliance (WSA).
Web Security Appliance (WSA).
This seems to happen when condition below are met
IE is configured to use PAC file
1.
PAC file is set to bypass proxying for WSA's IP address
2.
"End User Notification" Page includes an reference, most commonly the logo image, which is hosted
on WSA
on WSA
3.
URL referencing the logo matches the returning "PROXY" value in PAC file.
4.
When above conditions are met, IE will incorrectly send HTTP requests to the port which logo is hosted on.
Example PAC file configuration:
function FindProxyForURL(url, host) {
if (isInNet(host,"10.0.0.0","255.0.0.0")) return "DIRECT";
else return "PROXY wsa−hostname:80";
}
if (isInNet(host,"10.0.0.0","255.0.0.0")) return "DIRECT";
else return "PROXY wsa−hostname:80";
}
Example Link to the logo: http://wsa_hostname:9001/logo.png (wsa−hostname resolving an IP in
10.0.0.0/8 subnet)
10.0.0.0/8 subnet)
Using the example configuration above, IE will send requests to wsa−hostname:9001.
Symptom is mostly seen when a proceeding request is blocked and the EUN page presented will render the
logo to be loaded. When user clicks on a link, request to this link goes to wsa−hostname:9001 instead of
logo to be loaded. When user clicks on a link, request to this link goes to wsa−hostname:9001 instead of