Allow Google reCAPTCHA when Access to Search Engine Portals Is Blocked

Available Languages

Download Options

  • PDF     (700.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (820.8 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (851.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 6, 2024
Document ID:221500

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the steps to allow Google reCAPTCHA in Secure Web Appliance (SWA), when you have blocked the access to Search Engine Portals.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Web Access and HTTPS decryption.

    Cisco recommends that you also have:

    • Physical or Virtual SWA Installed.
    • License activated or installed.
    • The setup wizard is completed.
    • Administrative Access to the SWA Graphical User Interface (GUI).

    Components Used

    This document is not restricted to specific software and hardware versions.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configuration Steps

    Step 1. From GUI navigate to Security Services and choose HTTPS Proxy, enable HTTPS decryption if it is not already enabled.

    note-icon

    Note: HTTPS Decryption must be enabled for this configuration. If it is not enabled, please refer the referenced article given at the end of this document.

    Step 2. From GUI navigate to Web Security Manager and choose Custom and External URL Categories, create two custom URL categories, one for google.com and the other for Google reCAPTCHA. Click Submit.

    Create Custom URL Category for GoogleCreate Custom URL Category for Google

    Create Custom URL Category for GoogleCreate Custom URL Category for Google

    Step 3. From GUI navigate to Web Security Manager and choose Decryption Policies, create decryption policy to decrypt google.com. Click None Selected next to the URL Categories and select Google custom URL category. Click Submit.

    Decryption Policy to Decrypt GoogleDecryption Policy to Decrypt Google

    Step 3.1. Navigate to Decryption Policies and click Monitor in line to the GoogleDecrypt policy.

    Step 3.2. Select Decrypt in line to Google Category and Click Submit.

    Select Created Custom URL Category for Google to Decrypt it in the Decryption PolicySelect Created Custom URL Category for Google to Decrypt it in the Decryption Policy

    Step 4. From GUI navigate to Web Security Manager and choose Access Policies, create Access policy to allow Google reCAPTCHA and select captchaallow as URL Categories.

    Access Policy to Allow Google RECAPTCHAAccess Policy to Allow Google RECAPTCHA

    Step 4.1. Navigate to Access Policies and click Monitor in line to the GoogleCaptchAccessPolicy policy. Select Allow in line to Captchaallow Category. Submit and Commit Changes.

    Select Created Custom URL Category for Google RECAPTCHA to Allow it in the Access PolicySelect Created Custom URL Category for Google RECAPTCHA to Allow it in the Access Policy

    Step 5. Make sure that Search Engines and Portals in Predefined URL Category Filtering is blocked in the global access policy:

    Default Policy to Block the Access to Search EnginesDefault Policy to Block the Access to Search Engines

    Verify

    You can see access to Google reCAPTCHA works, but search engine (Google) access is still denied, after you enable HTTPS decryption and allow the access to Google reCAPTCHA in the access policy:

    Google CAPTCHA is workingGoogle CAPTCHA Works

    1675880489.667 279 10.106.40.203 TCP_MISS_SSL/200 23910 GET https://www.google.com:443/recaptcha/api2/anchor?ar=1&k=6LdN4qUZAAAAAPyazim2yiy0gbIk_6lleC09ISAe&co=... - DIRECT/www.google.com text/html ALLOW_CUSTOMCAT_12-GoogleCaptchaAccessPolicy-DefaultGroup-NONE-NONE-NONE-DefaultGroup-NONE <"C_Capt",6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_srch",-,"-","Search Engines and Portals","-","Unknown","Unknown","-","-",685.59,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - -

    Google site is BlockedGoogle Site is Blocked

    1675880581.157 0 10.106.40.203 TCP_DENIED/403 0 GET "https://google.com/favicon.ico" - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE-NONE <"IW_srch",6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_srch",-,"-","Search Engines and Portals","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - -

    Troubleshoot

    If the access to the Google reCAPTCHA is blocked, you can check the access logs in the SWA CLI. If you see Google URL and not the Google reCAPTCHA URL, it can be that decryption is not enabled:

    1675757652.291 2 192.168.100.79 TCP_DENIED/403 0 CONNECT tunnel://www.google.com:443/ - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-Finance_Access_Systems-NONE-NONE-NONE-NONE-NONE

    References

    Revision History

    Revision Publish Date Comments
    1.0
    15-Feb-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Anil Rajan
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products