
URL filtering with wccp not working

I have a virtual Web Gateway, where I have configured WCCP. WCCP is redirecting requests, so it's working fine. But URL filtering is not working. I have blocked cnn.com as a test and created a wildcard entry *cnn.com*.

If I set my proxy as explicit in my browser settings, URL filtering works. Everything I set to be blocked is being blocked.

When I let WCCP do the redirecting, URL filtering is not working. In my live trace, I don't even see cnn.com, I just see IPs mostly.

It blocks certain IPs that are categorized as websites with bad reputation. That is standard config, McAfee-maintained lists. But it is not filtering anything custom.

I have also whitelisted Skype IPs and it's causing Skype to sign out and sign in every 5 min. I had to add a deny statement in my WCCP ACL to not even send Skype through the proxy.

Any input is appreciated

Erga

 

 

2 Replies

Re: URL filtering with wccp not working

From researching around I see why this is not working. This is a transparent setup and the host does its own DNS lookup. All it sends to the Web Gateway is an IP. I need to set up the SSL scanner and the Fix Hostname ruleset.

Does anybody have any documentation on how to do this, other than the generic ones I find on this website?

aloksard
Employee

Re: URL filtering with wccp not working

Hi,

Hope you are doing well.

You are correct here.

Please refer to the link below for complete details on this:

https://community.mcafee.com/t5/Documents/Web-Gateway-HTTPS-in-transparent-deployments-and-how-SNI-c...

 

In a transparent deployment (WCCP, transparent router, etc.) there is a problem: the client is not 'aware' of the upstream proxy. As such, the client will perform its own DNS lookup to resolve the requested host to an IP, and then will make a request for that particular IP. When this request arrives at the Web Gateway, all the Web Gateway 'knows' about the request is the destination IP.

In the case of explicit proxy mode, after the TCP 3-way handshake, a CONNECT request is sent for an HTTPS request, which contains the URL.host information for MWG, and then the SSL handshake starts.

In the case of a transparent setup, after the TCP 3-way handshake, the source IP address will be the actual client IP address and the destination IP address will be the IP address of the server that the DNS response gave. In this case there is no CONNECT request.

So MWG basically only sees the destination IP address, which it will use for filtering and as the common name in the certificate it presents to the client.

In order to overcome this, MWG can make use of the SNI information sent in the Client Hello from the client and, if it is not present, it can make use of the Fix Hostname rule, wherein MWG first initiates an SSL connection with the server and gets the certificate from it, and from that certificate it takes the common name as URL.host.

You can make use of the Fix Hostname rule.

Also, please refer to the links below for more information on SSL scanning in MWG:

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-quot-Client-Context-quot/ta-p/55...

 

https://community.mcafee.com/t5/Documents/Web-Gateway-SSL-Scanner-Rule-Examples/ta-p/554132

 

 

Regards

Alok Sarda
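
An added example, not part of the original posts and not McAfee code: the Python below shows what a transparently redirected HTTPS connection gives a filter to work with. It pulls the SNI out of the ClientHello and matches the question's `*cnn.com*` entry, falling back to the bare destination IP when no SNI is sent, which is the case the Fix Hostname rule covers. The `BLOCKED` list and all function names are assumptions for illustration.

```python
import fnmatch
import ssl
import struct

BLOCKED = ["*cnn.com*"]  # the custom wildcard entry from the question

def client_hello(server_hostname=None):
    """Constructed sample input: ClientHello bytes made offline via memory BIOs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # only needed so the no-SNI case can be built
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server ever answers, we only want the first flight
    return outgoing.read()

def sni_from_client_hello(record):
    """Return the server_name (SNI) in a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None  # not a handshake record carrying a ClientHello
        p = 5 + 4 + 2 + 32  # record hdr, handshake hdr, version, random
        p += 1 + record[p]  # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
        p += 1 + record[p]  # compression_methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            p += 4
            if ext_type == 0:  # server_name: list_len(2) type(1) len(2) name
                name_type, name_len = struct.unpack_from("!xxBH", record, p)
                if name_type == 0:
                    return record[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass  # truncated or malformed input
    return None

def is_blocked(dest_ip, first_bytes):
    """Match the block list on SNI if present, else on the bare destination IP."""
    key = sni_from_client_hello(first_bytes) or dest_ip
    return any(fnmatch.fnmatch(key, pat) for pat in BLOCKED)
```

With SNI present the wildcard entry matches the host name; without it the filter only has an IP to compare, so a host-name entry never fires.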
