This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[SOLVED]HTTP Proxy / HTTPS SSL Scan Problem

Hello everyone!

I have got several WLAN VLANs for different SSIDs and for each VLAN there is a webproxy Profile being set. Once a WLAN user connects with his laptop his webproxy profile is being found - that works.

Further on each webproxy profile uses transparent mode or AD authentication - both works.

Users can browse through HTTP site using the transparent or set proxy.

BUT: Currently the Option "Scan HTTPS (SSL) traffic" is checked. To properly use a browser for surfing each user has to install the Astaro's (version 7.501) CA certificate I provide for download.

Our company's guest shouldn't do those "complex" stuff.
WISHED: NOT to scan HTTPS traffic for their connections.

BUT: When disabling "Scan HTTPS (SSL) traffic" NO SSL websites can be opend (no logon pages, nothing). Firefox even says "the proxy server is refusing connections".

Why doesn't it work to NOT use the proxy for HTTPS traffic? I don't want to go with the CA certificate for the users but it doesn't work.

The logs don't tell anything about any drops - there is nothing shown in the proxy/HTTP/s log file/s when this option is disabled.
I created a packet filter rule that HTTPS is allowed when not using the proxy. But nothing happens.

Urgent help needed [:(]

This thread was automatically locked due to age.

Parents

0 wingman over 15 years ago

If you have the HPPTS enabled then you need to deploy the certificate via GPO in which case the rule (picture 1 ) is NOT used.

Try to remove the "Scan HTTPS" and verify from the http log
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 wingman over 15 years ago

If you have the HPPTS enabled then you need to deploy the certificate via GPO in which case the rule (picture 1 ) is NOT used.

Try to remove the "Scan HTTPS" and verify from the http log
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 UweT over 15 years ago in reply to wingman

Oh, no no ...

THAT is the configuration currently used because unchecking the option causes that the users/guests cannot access HTTPS sites anylonger. And this is the actual problem!

Because then it looks like a timeout being in front of a guest's laptop. Either the packets are dropped... don't know.

Please be informed that I want to uncheck this option but also with that packet filter rule there is no success.
Cancel
Vote Up 0 Vote Down

Cancel
0 dilandau over 15 years ago in reply to UweT

Oh, no no ...

THAT is the configuration currently used because unchecking the option causes that the users/guests cannot access HTTPS sites anylonger. And this is the actual problem!

Because then it looks like a timeout being in front of a guest's laptop. Either the packets are dropped... don't know.

Please be informed that I want to uncheck this option but also with that packet filter rule there is no success.

Just to be clear, you want to allow https via the packetfilter rule and not scan it with the proxy?

Have you created a NAT masq for the guest network?
Cancel
Vote Up 0 Vote Down

Cancel
0 UweT over 15 years ago in reply to dilandau

What the...! [:O] [[:D]] [[:D]]

It's the NAT rules! A NAT masq rule was missing (WLAN-Guests -> Internet-Interface)! That's it!

It also explains why I even couldn't connect to a printer in an other VLAN although according Packet Filter rules have been set (even with Any destination and Any service) ...

Now, having NAT working for the Guest VLAN... the HTTPS access without scanning (and using a signing CA certificate) is working. I have to test further on but first impression looks very good!

THANK YOU to you ALL of course!
Cancel
Vote Up 0 Vote Down

Cancel