Modify HTTP Application

I'm installing a new S4016 with version 8.3.1 and my customer has two servers that receive external connections, one of them dedicated to HTTP applications only and the other to HTTPS applications only. When I configure the HTTPS ACL I select "override port" and remove port 80. When I submit the ACL the firewall returns the following error:

(screenshot: Mod_HTTP_Appl.jpg)

What do you suggest? Do I have to configure a "custom HTTPS" application with port TCP 443 only?

Regards!

JR

on 23/05/13 17:05:34 ART
Accepted solution

sliedl (Level 14), Message 2 of 6

Re: Modify HTTP Application

Use the SSL/TLS (HTTPS) application instead.

5 Replies

Re: Modify HTTP Application

Sliedl, thanks for your reply. And if I need an HTTP-only application (TCP 80)? When I tried to override the port on the HTTP application with TCP 80 only, in this case the firewall returns almost the same warning message, telling you that HTTPS (TCP/443) is needed in order to work properly. What do you suggest?

Thanks very much!

JR

sliedl (Level 14), Message 4 of 6

Re: Modify HTTP Application

Here is how I understand what the firewall is presenting to us:

The HTTP application includes TCP/80 and SSL/443. The 'SSL/443' part simply means 'This application can also function on SSL port 443'. It says this so that the administrator can decide if he/she wants to decrypt the traffic.

There is a very good section in the Firewall Enterprise Product Guide called 'Policy in Action', and in that section are two setups, one for inbound HTTPS decrypt/re-encrypt and one for decrypt only (I suggest everyone read them if you have not yet). There are these two statements in that section:

Create access control rules to control inbound HTTPS:
If an inbound SSL decryption rule is in place, you can use access control rules to allow and deny most applications that use SSL if they include SSL ports (SSL/nn).

Because the HTTP application includes port SSL/443, it matches decrypted HTTPS in addition to normal HTTP connections.

The 'Applications' on the firewall include the old smart proxies, like HTTP, SMTP, etc., and new Applications (signatures, basically) for (mostly) HTTP-based 'applications' like Facebook Chat, etc. These are almost always 'wrapped' in SSL, so if that can happen, the signature says so and you can decide to decrypt it.

What is confusing is that the HTTP application includes TCP/80 and SSL/443 but it will not pass traffic on port 443. You must use the SSL/TLS (HTTPS) application to pass that traffic. If you use only the HTTP application it will pass TCP/80 only.

Re: Modify HTTP Application

Sliedl,

Thanks very much for your reply. Your experience in firewalls is a great contribution to this forum. I really appreciate that!

Best Regards

Julio.

Re: Modify HTTP Application

Agreed, it is confusing. I wish they would specify that somehow. What I ended up doing is to modify the existing Internet Services as follows: add HTTPS and then select "override ports" with the following: TCP/80 SSL/80,443. This has worked for me.
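The matching behaviour sliedl describes in Message 4 (TCP/nn entries carry the application itself, SSL/nn entries only apply once an inbound SSL decryption rule has decrypted the session, so the plain HTTP application never passes still-encrypted 443) and the "override ports" workaround in the reply above (Internet Services with TCP/80 and SSL/80,443) can be checked against a small model. This is an added illustration, not McAfee/Firewall Enterprise code: the port lists come from the thread, while the data structures, the rule evaluator, the server names and the sample sessions are assumptions made for the example.

```python
"""Model of the TCP/nn vs SSL/nn application matching described in the thread.

Added example, not product code. Semantics assumed from the posts:
  - plain TCP traffic matches an application's TCP/nn ports;
  - TLS traffic that is NOT decrypted only matches an application that lists
    the TLS port as a TCP/nn port (SSL/TLS (HTTPS) on 443);
  - once an inbound SSL decryption rule has decrypted the session, the
    application's SSL/nn ports apply, so HTTP (SSL/443) matches decrypted HTTPS.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Application:
    name: str
    tcp_ports: frozenset  # "TCP/nn" entries
    ssl_ports: frozenset  # "SSL/nn" entries (only meaningful after decryption)


# Built-in applications as the thread describes them (representation assumed).
HTTP = Application("HTTP", frozenset({80}), frozenset({443}))
HTTPS = Application("SSL/TLS (HTTPS)", frozenset({443}), frozenset())
# The workaround from the last reply: Internet Services with override ports
# TCP/80 and SSL/80,443 (name of the resulting object is assumed).
INTERNET_SERVICES = Application("Internet Services (override ports)",
                                frozenset({80}), frozenset({80, 443}))


@dataclass(frozen=True)
class Session:
    server: str              # destination server (assumed names below)
    dst_port: int
    tls: bool                # client started TLS on this port
    decrypted: bool = False  # an inbound SSL decryption rule decrypted it


@dataclass(frozen=True)
class Rule:
    name: str
    server: str
    app: Application


def app_matches(app: Application, s: Session) -> bool:
    """Apply the TCP/nn vs SSL/nn semantics described in the thread."""
    if s.tls and s.decrypted:
        # Decrypted by an inbound SSL decryption rule: SSL/nn entries apply.
        return s.dst_port in app.ssl_ports
    # Plain TCP, or TLS left encrypted: only TCP/nn entries can carry it.
    return s.dst_port in app.tcp_ports


def first_match(rules: List[Rule], s: Session) -> Optional[str]:
    """Return the name of the first rule whose server and application match."""
    for r in rules:
        if r.server == s.server and app_matches(r.app, s):
            return r.name
    return None


# The original poster's layout (assumed server names): one HTTP-only server,
# one HTTPS-only server, no decryption rule. The HTTPS server needs the
# SSL/TLS (HTTPS) application, exactly as the accepted answer says.
POLICY_NO_DECRYPT = [
    Rule("allow_http", "web-http", HTTP),
    Rule("allow_https", "web-https", HTTPS),
]

# With an inbound SSL decryption rule the HTTP application matches decrypted
# HTTPS as well (its SSL/443 entry), but still not encrypted 443.
POLICY_DECRYPT = [
    Rule("allow_http", "web-http", HTTP),
    Rule("allow_decrypted_https", "web-https", HTTP),
]

if __name__ == "__main__":
    # Constructed sample sessions, not captured traffic.
    samples = [
        (POLICY_NO_DECRYPT, Session("web-http", 80, tls=False)),
        (POLICY_NO_DECRYPT, Session("web-https", 443, tls=True)),
        (POLICY_DECRYPT, Session("web-https", 443, tls=True, decrypted=True)),
        (POLICY_DECRYPT, Session("web-https", 443, tls=True)),  # encrypted: no match
    ]
    for policy, sess in samples:
        print(sess, "->", first_match(policy, sess))
    for sess in (Session("x", 80, False), Session("x", 443, True, True),
                 Session("x", 443, True), Session("x", 80, True, True)):
        print("override-ports app on", sess, "->", app_matches(INTERNET_SERVICES, sess))
```

Running the script shows the point of the thread: without a decryption rule, only the SSL/TLS (HTTPS) application passes encrypted 443; with one, the HTTP application matches the decrypted session because of its SSL/443 entry; and the override-ports Internet Services object matches plain 80 and decrypted 80 or 443 but still not encrypted 443.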
