Cisco Cisco Web Security Appliance S360 Guia De Resolução De Problemas
Why can't I login to MSN Live Messenger when
WSA decrypts HTTPS traffic?
WSA decrypts HTTPS traffic?
Document ID: 118151
Contributed by Jakob Dohrmann and Siddharth Rajpathak, Cisco TAC
Engineers.
Aug 05, 2014
Engineers.
Aug 05, 2014
Contents
Question:
Question:
Why can't I login to MSN Live Messenger when Cisco Web Security appliance (WSA) decrypts HTTPS
traffic?
traffic?
Environment: MSN Live Messenger, WSA with HTTPS proxy and decryption enabled
Symptoms: Can't login to MSN Live Messenger.
Access Logs show WSA decrypting traffic (DECRYPT_xxx) like below::
1265184887.178 67 xx.xx.xx.xx TCP_MISS_SSL/200 0 TCP_CONNECT 65.54.165.137:443 −
DIRECT/65.54.165.137 −
DECRYPT_ADMIN_7−DefaultGroup−DefaultGroup−NONE−NONE−NONE−DefaultGroup
<−,−,"−","−",−,−,−,"−","−",−,−,−,"−","−","−","−","−",−,−,−,−,"−","−","−","−","−","−",0.00,0,[Remote],"−","−">
−
DIRECT/65.54.165.137 −
DECRYPT_ADMIN_7−DefaultGroup−DefaultGroup−NONE−NONE−NONE−DefaultGroup
<−,−,"−","−",−,−,−,"−","−",−,−,−,"−","−","−","−","−",−,−,−,−,"−","−","−","−","−","−",0.00,0,[Remote],"−","−">
−
Root cause
MSN messenger uses the proxy settings configured in Internet Explorer (IE) browser. When MSN messenger
tries to connect to the MSN server, WSA intercepts the request and decrypts it by using the HTTPS certificate
uploaded or generated on WSA (Under GUI > Security Services > HTTPS proxy). Hence, the MSN
messenger receives a SSL certificate for the MSN server but signed/issued by the WSA proxy, which it
doesn't trust and so it doesn't proceed with logging in. .
tries to connect to the MSN server, WSA intercepts the request and decrypts it by using the HTTPS certificate
uploaded or generated on WSA (Under GUI > Security Services > HTTPS proxy). Hence, the MSN
messenger receives a SSL certificate for the MSN server but signed/issued by the WSA proxy, which it
doesn't trust and so it doesn't proceed with logging in. .
Solution
Import the proxy's HTTPS certificate in the client machine in IE.
You can download the certificate from the WSA under GUI > Security Services > HTTPS proxy > Edit
Settings > Download Certificate.
Settings > Download Certificate.
Note
By default, the decryption policies on WSA 'Decrypt' sites with WBRS score of −9.0 to +6.0. In most cases,
the MSN log−on pages would not normally fall in this default WBRS decryption range and hence this
behavior is unlikely to be observed on default configurations.
the MSN log−on pages would not normally fall in this default WBRS decryption range and hence this
behavior is unlikely to be observed on default configurations.