I have a virtual Web Gateway where I have configured WCCP. WCCP is redirecting requests, so it's working fine, but URL filtering is not working. I have blocked cnn.com as a test by creating a wildcard entry *cnn.com*.
If I set my proxy as explicit in my browser settings, URL filtering works. Everything I set to be blocked is being blocked.
When I let WCCP do the redirecting, URL filtering is not working. In my live trace, I don't even see cnn.com, I just see IPs mostly.
It blocks certain IPs that are categorized as websites with bad reputation. That is standard config, McAfee-maintained lists. But it is not filtering anything custom.
I also have whitelisted Skype IPs and it's causing Skype to sign out and sign in every 5 min. I had to add a deny statement in my WCCP ACL to not even send Skype through the proxy.
From researching around I see why this is not working. This is a transparent setup and the host does its own DNS lookup. All it sends to the Web Gateway is an IP. I need to set up the SSL scanner and the Fix Hostname ruleset.
Does anybody have any documentation on how to do this, other than the generic ones I find on this website?
In a transparent deployment (WCCP, transparent router, etc.) there is a problem - the client is not 'aware' of the upstream proxy. As such, the client will perform its own DNS lookup to resolve the requested host to an IP, and then will make a request for that particular IP. When this request arrives at the Web Gateway, all the Web Gateway 'knows' about the request is the destination IP.
In explicit proxy mode, after the TCP 3-way handshake, a CONNECT request is sent for an HTTPS request, which contains the URL.host information for MWG, and then the SSL handshake starts.
In a transparent setup, the TCP 3-way handshake has the actual client IP address as the source IP address and, as the destination IP address, the IP address of the server that the DNS response gave. In this case there is no CONNECT request.
So MWG basically only sees the destination IP address, which it will use for filtering and as the common name in the certificate it presents to the client.
In order to overcome this, MWG can make use of the SNI information sent in the Client Hello from the client and, if it is not present, it can make use of the Fix Hostname rule, wherein MWG first initiates an SSL connection with the server, gets the certificate from it, and takes the common name from that certificate as URL.host.
You can make use of the Fix Hostname rule.
Also, please refer to the link below for more information on SSL Scanning on MWG: