The following information details a common issue we run into when assisting clients with the deployment of Cisco’s Cloud Web Security service (historically referred to as Scansafe).  Some of the default policy settings that are included may create application issues, especially for applications that inherit their proxy settings from the browser (e.g., iTunes).

Alternatively, you may want (or need) to exempt all traffic from a specific application from going through the cloud proxy, in an effort to reduce the amount of data that flows through the cloud infrastructure.  The exceptions and exemptions outlined in this post apply ONLY to the Windows Connector architecture and to the upcoming ability to run the connector on the virtual Web Security Appliance.

For Scansafe / CWS connector issues that require creating an exception or exemption for a specific application, you can simply add filters to the agent.properties file, in the form of a regular expression that is matched against the application’s User-Agent header.  The agent.properties file is located in the following folder:

C:\Program Files\Connector\agent.properties

You can edit the connector’s agent.properties file and add exceptions using Notepad.  You will need to look for the line that begins with:

user.agent.skip.authentication=true

Make sure that the above is set to “true”.  The syntax for adding exceptions for particular applications that may get blocked due to proxy inheritance issues (such as iTunes) is as follows:

user.agent.skip.authentication.regexp=(AppleWebKit)|(iTunes)

You can create exceptions for applications that inherit the default proxy settings and, as an unintended result, get blocked, as well as exceptions for applications that you wish to bypass the proxy authentication / Scansafe / CWS tower altogether.

The following is an overview of the process to identify the correct syntax and regular expressions used to create an exception for the application iTunes.

To identify the particular application that is failing and what expression to input for the exception, you need to do a packet capture.  It works best if you can limit the capture to the host you are replicating the issue on.  In addition, it is recommended to limit the duration of the capture as well: if you can replicate the use case during a packet capture in 20 to 30 seconds, it is going to be easier to find the specific details.  When performing the packet capture, using a familiar product such as Wireshark is recommended.  The process is as follows:

1.  Save the capture in “file.pcap” format

2.  Set the display filter to the following:

http.request

3.  Look for 407 or other 4xx responses that show the error.

4.  Select the error packet, right-click, and choose “Follow TCP Stream”

You should see information or details similar to the following:

GET http://itunes.apple.com/WebObjects/MZStore.woa/wa/storeFront HTTP/1.1

X-Apple-Tz: -28800

X-Apple-Store-Front: 143441-1,12

User-Agent: iTunes/10.5.1 (Windows; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) AppleWebKit/534.51.22

Accept-Language: en-us, en;q=0.50

Accept-Encoding: gzip

Host: itunes.apple.com

HTTP/1.0 407 Proxy access denied

Proxy-Authenticate: NTLM

Proxy-Connection: keep-alive

Content-Length: 0

Look for the User-Agent string to identify the regular expression to use for the application-specific connection problem or exemption.  The regular expressions are NOT case sensitive.  For our example with iTunes, we would need to add both of the following expressions:

(iTunes)|(AppleWebKit)

Because we identified two distinct components in the User-Agent details, we need to include both, using the pipe (“|”) as the OR operator.  If you look at the sample packet capture info above you will see both iTunes/10.5.1 AND AppleWebKit/534.51.22 in the User-Agent: details.  Since a semicolon separates them, they may both be necessary to ensure proper exception handling.
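To make the two steps above concrete (pulling the User-Agent out of a “Follow TCP Stream” dump for the request that drew the 407, then checking what the agent.properties regular expression would and would not exempt), here is an added Python example. It is not part of the original post and is not Cisco’s connector code; the stream text, the agent.properties fragment and the browser User-Agent string are constructed for the example, and it assumes the connector evaluates the expression like a standard case-insensitive regular-expression search, as the post states.

```python
import re

# Constructed "Follow TCP Stream" text modelled on the post's capture, plus an unrelated
# browser request that succeeded, so the parser has to pair requests with responses.
SAMPLE_STREAM = """\
GET http://itunes.apple.com/WebObjects/MZStore.woa/wa/storeFront HTTP/1.1
User-Agent: iTunes/10.5.1 (Windows; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) AppleWebKit/534.51.22
Accept-Encoding: gzip
Host: itunes.apple.com

HTTP/1.0 407 Proxy access denied
Proxy-Authenticate: NTLM
Content-Length: 0

GET http://www.example.com/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Host: www.example.com

HTTP/1.1 200 OK
Content-Length: 0
"""

# Constructed agent.properties fragment with the two lines the post describes.
SAMPLE_PROPERTIES = """\
user.agent.skip.authentication=true
user.agent.skip.authentication.regexp=(iTunes)|(AppleWebKit)
"""

# Constructed browser User-Agent: WebKit-based browsers also send "AppleWebKit",
# so the (AppleWebKit) alternative exempts far more than iTunes alone.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0 Safari/537.36"

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) ")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def split_messages(stream):
    """Split a stream dump into HTTP messages; a blank line ends each header block."""
    messages, current = [], []
    for line in stream.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            messages.append(current)
            current = []
    if current:
        messages.append(current)
    return messages


def header_value(message, name):
    """Return a header value (header names are case-insensitive), or None."""
    prefix = name.lower() + ":"
    for line in message[1:]:
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def failing_user_agents(stream):
    """Map each User-Agent whose request drew a 4xx (e.g. 407) to that status code."""
    result = {}
    messages = split_messages(stream)
    for i, message in enumerate(messages):
        if not REQUEST_LINE.match(message[0]):
            continue
        for following in messages[i + 1:]:      # the next status line answers this request
            m = STATUS_LINE.match(following[0])
            if m:
                status = int(m.group(1))
                ua = header_value(message, "User-Agent")
                if 400 <= status < 500 and ua:
                    result[ua] = status
                break
    return result


def load_skip_regexp(properties):
    """Read the skip-authentication flag and pattern from agent.properties text; the
    pattern is compiled case-insensitively (assumption: standard regex search semantics)."""
    enabled, pattern = False, None
    for line in properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "user.agent.skip.authentication":
            enabled = value.strip().lower() == "true"
        elif sep and key.strip() == "user.agent.skip.authentication.regexp":
            pattern = re.compile(value.strip(), re.IGNORECASE)
    return enabled, pattern


def skips_authentication(enabled, pattern, user_agent):
    """True if a request with this User-Agent would bypass proxy authentication."""
    return bool(enabled and pattern is not None and pattern.search(user_agent))


if __name__ == "__main__":
    enabled, pattern = load_skip_regexp(SAMPLE_PROPERTIES)
    for ua, status in failing_user_agents(SAMPLE_STREAM).items():
        print(status, ua, "-> exempt:", skips_authentication(enabled, pattern, ua))
    print("browser exempt as well:", skips_authentication(enabled, pattern, BROWSER_UA))
```

Run against a real “Follow TCP Stream” export, failing_user_agents lists only the User-Agent strings that actually received the proxy error, which is the value you copy into the expression. The BROWSER_UA check is the caveat worth keeping in mind: because the pattern is a substring search, the (AppleWebKit) alternative also exempts every WebKit-based browser from proxy authentication, so prefer the narrowest token (here iTunes) that still fixes the application, and re-run the check after each change to the expression.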

If you run into issues attempting to replicate the above, feel free to test other user agent settings. Alternatively, feel free to send us a message or comment.