Introduction
This document describes why Warning, Acknowledgement, and End User Notification (EUN) pages display incorrectly on the Cisco Secure Web Appliance (SWA) for explicit HTTPS requests, and how to configure the SWA so that they display correctly.
Prerequisites
Requirements
The information in this document assumes that:
- The Secure Web Appliance (SWA) is deployed in Explicit mode.
- The SWA runs a release earlier than 7.7.0-500, the release in which this behavior was corrected.
- The HTTPS requests match a policy that blocks them, warns the user, or requires user acknowledgement.
- HTTPS Decryption is enabled.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
The Warning, Acknowledgement, or End User Notification (EUN) pages do not display correctly for explicit HTTPS requests. The browser displays an incomplete notification page, or it does not display the page at all and instead displays an error page.
Several issues surround these pages when the request is an explicit HTTPS request. When a browser is configured to use a proxy, it does not open a TLS session to the SWA. Instead it sends an HTTP CONNECT request for the destination host and port to the SWA over plain HTTP, and expects the proxy to open a tunnel. Any reply the SWA sends to that request is therefore a plain HTTP response on the unencrypted client-to-proxy connection, not a page inside the HTTPS session.
When an explicit HTTPS request is blocked, warned, or requires user acknowledgement, the SWA answers the CONNECT request with an HTTP 403 status code and includes the notification HTML in the body of that reply. The browser must render that body for the notification to be visible. Two known browser behaviors prevent this from happening reliably:
This is the browser behavior that is observed:
- Internet Explorer 6 (IE6) and some versions of IE7 do not render the full HTML body of the 403 reply. The browser only honors the first few bytes (the content that arrives in the first packet) and ignores the rest, so the user sees an incomplete page that displays only a few characters.
Note: If this is the case, Cisco recommends that you reduce the size of the notification page that the SWA returns so that it fits in the first packet. For more information about how to edit your EUN page, refer to the Editing Notification Page HTML Files Directly section of the SWA User Guide.
- IE8, and Mozilla Firefox 3 and later, ignore the body of the 403 reply to a CONNECT request entirely and display their own error page instead. This masks the notification, defeats the purpose of the 403 reply, and makes the feature appear broken to the user.
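The exchange described above, as an added example that is not part of the original document or of the SWA: a function that builds the plain-HTTP CONNECT request a browser sends to an explicit proxy, a constructed stand-in for the 403 reply the SWA returns (the HTML and headers are made up here, not captured from an appliance), and a parser that extracts the status and body and reports whether the whole reply fits in the first TCP segment, which is the check behind the note about shrinking the EUN page for IE6/IE7. The segment size is an assumed typical Ethernet MSS, not an SWA setting.

```python
# Added example (not SWA code): models the CONNECT / HTTP 403 exchange an
# explicit proxy has with a browser and checks whether the notification
# body fits in the first TCP segment. All bytes below are constructed.

TCP_SEGMENT_BYTES = 1460  # assumption: typical Ethernet MSS for the first segment


def build_connect_request(host: str, port: int = 443) -> bytes:
    """The plain-HTTP CONNECT a browser sends to an explicit proxy for an HTTPS URL."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def build_block_reply(html: bytes) -> bytes:
    """Constructed stand-in for the 403 reply described in the text (not a capture)."""
    return (
        b"HTTP/1.1 403 Forbidden\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: " + str(len(html)).encode("ascii") + b"\r\n"
        b"Connection: close\r\n"
        b"\r\n" + html
    )


def parse_proxy_reply(raw: bytes) -> dict:
    """Split a raw HTTP reply into status, headers and body.

    Also reports how much of the body lands in the first TCP segment, which is
    all that the IE6/IE7 behaviour described in the text actually renders.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP reply: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    header_bytes = len(head) + len(sep)
    # Bytes of body that share the first segment with the status line and headers.
    first_segment_body_len = max(0, min(len(body), TCP_SEGMENT_BYTES - header_bytes))
    return {
        "status": int(status),
        "headers": headers,
        "body": body,
        "body_complete": len(body) == declared,
        "fits_first_segment": header_bytes + len(body) <= TCP_SEGMENT_BYTES,
        "first_segment_body": body[:first_segment_body_len],
    }


# Constructed notification bodies: one small enough to fit, one that is not.
SMALL_EUN = b"<html><body><h1>Access blocked by policy</h1></body></html>"
LARGE_EUN = (
    b"<html><body>"
    + b"<p>This request was blocked by the web security policy.</p>" * 60
    + b"</body></html>"
)


def first_segment_check(html: bytes) -> bool:
    """True when a 403 reply carrying this HTML fits in one TCP segment."""
    return parse_proxy_reply(build_block_reply(html))["fits_first_segment"]


if __name__ == "__main__":
    print(build_connect_request("www.example.com").decode("ascii"))
    for label, html in (("small", SMALL_EUN), ("large", LARGE_EUN)):
        info = parse_proxy_reply(build_block_reply(html))
        print(label, info["status"], "fits first segment:", info["fits_first_segment"],
              "bytes in first segment:", len(info["first_segment_body"]), "of", len(info["body"]))
```

Running the block shows that the large notification delivers only part of its body in the first segment, which is exactly the truncated page that IE6/IE7 renders; trimming the EUN HTML until `first_segment_check` returns True is the practical version of the note above.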
Solution
This issue is addressed in SWA version 7.7.0-500 and later (Cisco bug ID CSCzv25138). On earlier releases, the workaround is to enable HTTPS Decryption, so that the notification is delivered inside the decrypted session rather than as a plain HTTP reply to the CONNECT request. This section describes the process that occurs when HTTPS Decryption is enabled on the SWA; use it to ensure that your system is configured accordingly.
Here is an example of the traffic flow when an explicit HTTPS request is sent:
- When HTTPS Decryption is enabled, the SWA first evaluates the request against the Decryption policies.
- If the request is marked PASSTHROUGH, the tunnel is allowed through unmodified. The SWA cannot inject a page into a tunnel it does not decrypt, so no Warning or EUN page is possible.
- If the request is marked DECRYPT, the SWA decrypts the session and evaluates the request against the Access policies. If the matching Access policy is configured to WARN or BLOCK, the EUN page displays correctly, because it is now served inside the decrypted HTTPS session rather than as a reply to the CONNECT request. For Acknowledgement, however, the user must first browse to an HTTP page through the proxy and acknowledge there, and only then navigate to the HTTPS site.
- The SWA remembers the client IP address that acknowledged and does not require another Acknowledgement from that address until the acknowledgement timer expires.
Related Information