I would think so. I have my SSL Scanner not apply to Finance / Banking sites.
So instead of Enable: Always
Set to: enable if Client.IP is not in range (subnet)
I just came up with this:
If Connection.Protocol equals HTTPS
Client.IP is in range X-Y
I can't try it for about an hour, but I'll welcome any more thoughts.
This range is already Excluded from the SSL scanner. I want to just not filter this certain range at all.
Sorry, what I meant was that I don't want to filter that range just for HTTPS, I still want to filter HTTP.
I had an epiphany!
Jont717, I don't know if you remember that we were having a similar problem of users getting a generic IE screen when their authentication TTL timed out on HTTPS pages?
That's why I was trying to figure out how to not filter HTTPS on a certain range of IP addresses; our police officers in patrol cars were having this happen to them on a site that they need to do their job effectively. After an hour of being logged on, they wouldn't be able to access an online state database. My only solution was to up the TTL to about 12 hours (one shift for them), but that isn't acceptable for every other user on the network, as everyone has a roaming profile and it would create problems if we ever wanted to accurately use the Web Reporter. I finally realized I could make a second authentication database that still points to our AD but has a different TTL! I know it's a workaround, but I am hoping that will solve this problem and can't believe I didn't think of it before.
Testing now, will report back.
Yes, good idea. I also do that as well. I have 2 different authentication rule sets. I have our TTL set to 8 hours now. Our computer users do not use different PCs so it works for us.
The best option might be for you to do it in your firewall. We use a Cisco ASA and I have the traffic directed with an ACL. I have two different ACLs. One for HTTP and one for HTTPS. I can take any range of IP address out of the HTTPS ACL and that works great.
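As an added illustration of the two-ACL approach described above (this is not the poster's configuration), the following Cisco ASA WCCP fragment redirects all HTTP to the gateway but leaves one client range out of HTTPS redirection only. The ACL names, the 10.10.5.0/24 range and the dynamic service number 90 are assumptions chosen for the example; it applies to a WCCP/proxy deployment, not to a gateway sitting inline as a bridge.

```text
! Added example, not taken from the thread. Names, subnet and service
! number are assumptions. Redirect-list semantics: "permit" = redirect
! to the gateway, "deny" = let the traffic go straight to the firewall.

! HTTP (port 80): every client, including the excluded range, is redirected
access-list WCCP_HTTP extended permit tcp any any eq www

! HTTPS (port 443): the deny line is listed first so it matches first;
! the excluded range bypasses the gateway, everyone else is redirected
access-list WCCP_HTTPS extended deny   tcp 10.10.5.0 255.255.255.0 any eq https
access-list WCCP_HTTPS extended permit tcp any any eq https

! Bind each ACL to its WCCP service (web-cache = port 80, dynamic 90 = port 443)
wccp web-cache redirect-list WCCP_HTTP
wccp 90 redirect-list WCCP_HTTPS
wccp interface inside web-cache redirect in
wccp interface inside 90 redirect in
```

With this in place the excluded range still has its HTTP filtered by the gateway, while its HTTPS sessions never reach the proxy and so never hit the authentication TTL problem described earlier in the thread.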
Our MWG7 is in between the firewall and the rest of the network, so everything passes through it. Would having a separate ACL still help in that situation?
How is it set up? Transparent bridge? We use Proxy and WCCP. The only traffic that gets sent to our gateways is port 80 and 443.