Hi
Web Gateway 5.0.3 installed on an ESXi server in inline+proxy block mode in a "non-supported configuration"
Lan -> Cisco ASA1 -> Web Gateway -> Cisco ASA2
Lan -> Cisco ASA1 (routing, no NAT): I am able to see the client requests from their original IP addresses
LAN clients' default gateway = Cisco ASA1
Web Gateway default gateway = Cisco ASA2
Network traffic reaches the Cisco ASA1, then passes through the Web Gateway and then goes to the Cisco ASA2.
Problem no. 1.
The Inline interface is connected between the two Cisco routers; the MGMT interface is connected to the LAN switch. All the traffic passes through the Web Gateway. Using LDAP authentication with dcinterface. Dcinterface is installed on all three DCs; the Management interface name is configured as the host in the dcinterface txt file, and a static DNS record is created for the Management interface. When creating policies I am able to see and choose from the groups in A.D. If I create a test policy using an A.D. group the policy does not work; the same policy works fine if I change it to use an IP range or a subnet. Also I don't see any user names displayed in the custom reports (computer names mostly and some IP addresses). Testing LDAP from the authentication tab shows success.
The question: The Management interface is responsible for authentication. Does the dcinterface installed on the domain controllers contact the Management interface and that interface only (TCP 60517), and does only the Management interface query the domain controllers (TCP 389)? Also, besides authentication and software updates, is the Management interface used for NTP communication, or, if the Management interface cannot contact any NTP server, does it switch over to the Inline interface?
Problem no. 2
The Inline IP address is configured as a proxy for the clients. No problems occur when using the proxy (all the web pages are displayed without any problems and without delays), although the Inline interface is not in the same subnet as the clients. The use of the proxy is to block HTTP and HTTPS access to some categories of social media web sites (Facebook). The Web Gateway is configured with both the HTTP/S and SSL inspection proxy. The clients use the HTTP proxy and use the SSL proxy.
The social networking category is blocked, and at the bottom of the policy www.facebook.com and facebook.com are added as exceptions to block also. When accessing http://facebook.com the block page appears (stating that the site is blocked as being categorised as social networking); when accessing https://facebook.com and there is no intercept policy, "page cannot be displayed" appears, which is by design. If I create an intercept policy for all categories and try to access https://facebook.com the page opens normally (which it should not). The Web Gateway's certificate is exported from the proxy tab and imported into the web browser.
The question(s): Is the Management interface responsible for delivering the end user page to the client, or is the Inline interface responsible?
In the implementation guide there is a statement: "The custom blacklist is not supported over HTTPS". Does this refer to using the HTTPS proxy, not the SSL proxy?
Thanks