ittech
Level 13

Don't filter HTTPS for a specific group

Is it possible to have HTTPS traffic filtered through the appliance, but to disable it for a specific group or IP set?

0 Kudos
1 Solution

Accepted Solutions
ittech
Level 13

Re: Don't filter HTTPS for a specific group

Creating that second database and set of authentication rules worked.

0 Kudos
11 Replies
jont717
Level 12

Re: Don't filter HTTPS for a specific group

I would think so.  I have my SSL Scanner not apply to Finance / Banking sites.

So instead of Enable : Always

Set to: enable if client.ip is not in range (subnet)

0 Kudos
ittech
Level 13

Re: Don't filter HTTPS for a specific group

I just came up with this:

If Connection.Protocol equals HTTPS

AND

Client.IP is in range X-Y

Stop cycle

I can't try it for about an hour, but I'll welcome any more thoughts.

0 Kudos
ittech
Level 13

Re: Don't filter HTTPS for a specific group

@jont

This range is already Excluded from the SSL scanner. I want to just not filter this certain range at all.

Message was edited by: ittech on 3/17/11 1:27:52 PM EDT
0 Kudos
jont717
Level 12

Re: Don't filter HTTPS for a specific group

If you do not want to filter that range at all you need to add a stop cycle rule like this:

allowIPs.png

Put it in the Global Whitelist.

0 Kudos
ittech
Level 13

Re: Don't filter HTTPS for a specific group

Sorry, what I meant was that I don't want to filter that range just for HTTPS, I still want to filter HTTP.

0 Kudos
ittech
Level 13

Re: Don't filter HTTPS for a specific group

I had an epiphany!

Jont717, I don't know if you remember that we were having a similar problem of users getting a generic IE screen when their authentication TTL timed out on HTTPS pages?

That's why I was trying to figure out how to not filter HTTPS on a certain range of IP addresses; our police officers in patrol cars were having this happen to them on a site that they need to do their job effectively. After an hour of being logged on, they wouldn't be able to access an online state database. My only solution was to up the TTL to about 12 hours (one shift for them), but that isn't acceptable for every other user on the network, as everyone has a roaming profile and it would create problems if we ever wanted to accurately use the web reporter. I finally realized I could make a second authentication database that still points to our AD, but has a different TTL! I know it's a workaround, but I am hoping that will solve this problem and can't believe I didn't think of it before.

Testing now, will report back.

0 Kudos
jont717
Level 12

Re: Don't filter HTTPS for a specific group

Yes, good idea.  I also do that as well.  I have 2 different authentication rule sets.  I have our TTL set to 8 hours now.  Our computer users do not use different PCs so it works for us.

The best option might be for you to do it in your firewall.  We use a Cisco ASA and I have the traffic directed with an ACL.  I have two different ACLs. One for HTTP and one for HTTPS.  I can take any range of IP address out of the HTTPS ACL and that works great.

0 Kudos
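As an added illustration of the firewall-side approach jont717 describes (not configuration from either poster), here is what splitting WCCP redirection into separate HTTP and HTTPS ACLs on a Cisco ASA can look like. The subnets and the dynamic service number 70 are constructed placeholders; the gateway announces its own HTTPS service ID, and the ASA must be the one redirecting traffic to the MWG (this does not apply to an inline bridge deployment).

```text
! Constructed example: keep redirecting HTTP from the whole LAN (10.0.0.0/8 placeholder),
! but exclude one subnet (10.20.30.0/24 placeholder) from HTTPS redirection only.
!
! Redirect list for HTTP (WCCP standard service "web-cache", TCP/80).
access-list WCCP-HTTP extended permit tcp 10.0.0.0 255.0.0.0 any eq 80
!
! Redirect list for HTTPS. In a redirect-list, a deny entry means "do not redirect",
! so the excluded subnet goes straight to the Internet and is never seen by the gateway.
! Order matters: the deny must precede the broader permit.
access-list WCCP-HTTPS extended deny tcp 10.20.30.0 255.255.255.0 any eq 443
access-list WCCP-HTTPS extended permit tcp 10.0.0.0 255.0.0.0 any eq 443
!
! Bind each list to its WCCP service group. "70" stands in for the dynamic service ID
! the gateway is configured to register for HTTPS.
wccp web-cache redirect-list WCCP-HTTP
wccp 70 redirect-list WCCP-HTTPS
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
```

Note that the deny entry only bypasses redirection, so HTTPS from that subnet is neither filtered nor logged by the gateway; keep firewall logging in place if you need visibility into it. `show wccp` on the ASA confirms that the gateway has registered for both service groups.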
ittech
Level 13

Re: Don't filter HTTPS for a specific group

Our MWG7 is in between the firewall and the rest of the network, so everything passes through it. Would having a separate ACL still help in that situation?

0 Kudos
jont717
Level 12

Re: Don't filter HTTPS for a specific group

How is it set up?  Transparent bridge?   We use Proxy and WCCP.  The only traffic that gets sent to our gateways is port 80 and 443.

0 Kudos