This document describes how to resolve the problem of redirecting Google requests to an unexpected region, while using the Cisco Cloud Web Security (CWS) service.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Cisco Cloud Web Security (CWS) is a cloud based security solution that utilizes proxy servers located in data centers around the world. Users are provisioned on a proxy close to their geographical location to ensure the best performance, as well as the delivery of appropriate regional content.
When a user browses to a website via the CWS service, CWS inserts X-Forwarded-For (XFF) headers into each HTTP request. This allows Google to identify the source IP address of the request (your actual egress IP) rather than IP address of the CWS proxy. This is particularly important to users who are in a different region to the closest CWS proxy. For example, users in Spain would typically be provisioned on a proxy in the UK; the closest data center to their geographical location. Without the addition of the XFF header, Google would redirect requests to google.co.uk instead of google.es.
In 2013, Google updated the default search page behavior that redirected all HTTP requests to HTTPS. This prevents CWS from inserting the XFF header because the connection is now encrypted. In order to insert the XFF header on an encrypted connection, the HTTPS Inspection feature must be enabled in the CWS portal. Otherwise, Google's regional redirection decision will be based on the egress IP of the CWS proxy.
When a user browses to Google via the CWS service, they are redirected to an unexpected region. For example, a user in Miami browses to Google.com, but is redirected to Google Mexico (Google.com.mx), which causes the returned search page to be in Spanish.
Cisco worked with Google to develop a whitelist of CWS proxy egress IP addresses. In the event that CWS does not provide the XFF header (for non-inspected HTTPS requests), the request will be redirected to the Google regional domain, based on the whitelist.
With this solution in place, if CWS is unable to append the XFF header, or if Google fails to identify the CWS egress IP address, the user may still be redirected to an unexpected region. On these occasions, the only workaround available on the CWS side is to enable HTTPS Inspection. However, this problem might also occur when Google receives the XFF header, but references incorrect geo-location data for the user’s egress IP address. On these occasions, the issue cannot be resolved by CWS.