Final Notes and References

We now have transparently redirected HTTP and HTTPS traffic from Cisco ASA firewall to the farm of Squid servers using WCCP protocol. Both HTTP and HTTPS traffic is monitored and filtered.

The following references may prove to be helpful on this subject.

• http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116046-config-wccp-asa-00.html

• https://supportforums.cisco.com/document/48341/asa-wccp-step-step-configuration

• http://wiki.squid-cache.org/Features/Wccp2

• https://www.crypt.gen.nz/papers/cisco_squid_wccp/

Some more ideas to implement.

• Allow HTTP(S) connections from Squid farms only. By default if WCCP redirection fails Cisco ASA will let the traffic to freely flow to the Internet. If this is not desired the following article will help - https://supportforums.cisco.com/document/98161/asa-wccp-fail-close

• Block QUIC protocol to force Google Chrome to fallback to normal HTTP(S) and thus get filtered. See article http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol