WSA Warning, Acknowledgement, and EUN Pages Do Not Display Correctly for Explicit HTTPS Requests

Introduction

This document describes a problem that is encountered on the Cisco Web Security Appliance (WSA) when the Warning, Acknowledgement, or End User Notification (EUN) pages do not display correctly for explicit HTTPS requests. A workaround for this problem is also provided.

Prerequisites

Requirements

The information in this document assumes that:

• The WSA proxy addresses are deployed in Explicit mode.
• The HTTPS requests are either blocked, warned, or require user acknowledgement.

Components Used

The information in this document is based on the Cisco WSA.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Problem

The Warning, Acknowledgement, or EUN pages do not display correctly for explicit HTTPS requests. The browser displays an incomplete notification page, or it does not display the page at all and instead displays an error page.

There are several issues that surround these pages when you use explicit HTTPS requests. When you configure your browser to use a proxy, HTTPS traffic is directed to the WSA over HTTP. This request is formatted as an HTTPS over HTTP.

There are two known issues with browsers that do not correctly handle the HTTP replies that the WSA returns for explicit HTTPS requests. When an explicit HTTPS request is either blocked, warned, or requires user acknowledgement, the WSA returns a 403 status code. Within this reply, the WSA includes the notification content that should normally be rendered on the screen so that it is viewable. However, in some cases, the browser cannot understand the reply within the returned content.
This is the browser behavior that is observed:

• When Internet Explorer Version 6 (IE6) and some versions of IE7 are used, these requests fail to render the full content of the HTML reply. The browser only honors the first few bytes (the content within the first packet) and ignores the rest. In such cases, you see an incomplete page that displays only a few characters.
  

  Note: If this is the case, Cisco recommends that you shrink the default notification page from the WSA reply. For more information about how to edit your EUN page, refer to the Editing IronPort Notification Pages section of the WSA User Guide.

• When IE8 and newer versions of Mozilla Firefox Release 3 are used, the browser completely ignores the reply that the WSA returns and masks it with its own error page. This browser behavior defeats the purpose of the 403 notification and causes disruption with the feature.

Solution

This section describes the process that occurs when HTTPS Decryption is enabled on the WSA. As a workaround to the previously described problem, use the information provided in order to ensure that your system is configured accordingly.

Here is an example of the traffic flow when an explicit HTTPS request is sent:

• When HTTPS Decryption is enabled, the WSA first validates the request against the Decryption policies.
  
  
• If the request is marked for PASSTHROUGH, then the traffic is allowed through (no warning or EUN).
  
  
• If the request is marked as DECRYPTED, then the request is validated against the Access policies. In this case, if the Access policy is configured in order to WARN or BLOCK, then the EUN page displays correctly. Unfortunately, for Acknowledgement the user must navigate to the HTTP page and Acknowledge, which requires navigation through the proxy and then to the HTTPS site.
  
  
• The WSA remembers the client IP address and does not require another Acknowledgement until the timer expires.