User Guide for AsyncOS 10.1.0 For Cisco Web Security ...

[Pages:504]AsyncOS 10.1 for Cisco Web Security Appliances User Guide

Published: June 1, 2017 Revised: October 19, 2017

Cisco Systems, Inc.

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at go/offices.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ().

This product includes cryptographic software written by Eric Young (eay@).

This product includes software written by Tim Hudson (tjh@).

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

AsyncOS 10.1 for Cisco Web Security Appliances User Guide ? 2017 Cisco Systems, Inc. All rights reserved.

CONTENTS

1 C H A P T E R 2 C H A P T E R

Introduction to the Product and the Release 1-1 Introduction to the Web Security Appliance 1-1 What's New 1-1 What's New in Cisco AsyncOS 10.1.1 1-2 What's New in Cisco AsyncOS 10.1.0 1-2 What's New in Cisco AsyncOS 10.0.0 1-3 Related Topics 1-4 Using the Appliance Web Interface 1-5 Web Interface Browser Requirements 1-5 Enabling Access to the Web Interface on Virtual Appliances 1-5 Accessing the Appliance Web Interface 1-6 Committing Changes in the Web Interface 1-6 Clearing Changes in the Web Interface 1-7 The Cisco SensorBase Network 1-7 SensorBase Benefits and Privacy 1-7 Enabling Participation in The Cisco SensorBase Network 1-7

Connect, Install, and Configure 2-1 Overview of Connect, Install, and Configure 2-1 Deploying a Virtual Appliance 2-2 Migrating from a Physical to a Virtual Appliance 2-2 Comparison of Modes of Operation 2-2 Task Overview for Connecting, Installing, and Configuring 2-5 Connecting the Appliance 2-6 Gathering Setup Information 2-8 System Setup Wizard 2-10 System Setup Wizard Reference Information 2-11 Network / System Settings 2-11 Network / Network Context 2-12 Network / Cloud Connector Settings 2-12 Network / Network Interfaces and Wiring 2-13 Network / Layer 4 Traffic Monitor Wiring 2-13

AsyncOS 10.1 for Cisco Web Security Appliances User Guide

1

Contents

Network / Routes for Management and Data Traffic 2-14 Network / Transparent Connection Settings 2-14 Network /Administrative Settings 2-15 Security / Security Settings 2-16

Upstream Proxies 2-16 Upstream Proxies Task Overview 2-17 Creating Proxy Groups for Upstream Proxies 2-17

Network Interfaces 2-18 IP Address Versions 2-18 Enabling or Changing Network Interfaces 2-19

Configuring Failover Groups for High Availability 2-21 Add Failover Group 2-21 Edit High Availability Global Settings 2-22 View Status of Failover Groups 2-22

Using the P2 Data Interface for Web Proxy Data 2-23 Configuring TCP/IP Traffic Routes 2-24 Modifying the Default Route 2-25 Adding a Route 2-25 Saving and Loading Routing Tables 2-25 Deleting a Route 2-25 Configuring Transparent Redirection 2-26 Specifying a Transparent Redirection Device 2-26 Using An L4 Switch 2-26 Configuring WCCP Services 2-27 Increasing Interface Capacity Using VLANs 2-30 Configuring and Managing VLANs 2-30

Redirect Hostname and System Hostname 2-32 Changing the Redirect Hostname 2-33 Changing the System Hostname 2-33 Configuring SMTP Relay Host Settings 2-33 Configuring an SMTP Relay Host 2-34

DNS Settings 2-34 Split DNS 2-34 Clearing the DNS Cache 2-34 Editing DNS Settings 2-35

Troubleshooting Connect, Install, and Configure 2-35

3 C H A P T E R

Connect the Appliance to a Cisco Cloud Web Security Proxy 3-1 How to Configure and Use Features in Cloud Connector Mode 3-1

AsyncOS 10.1 for Cisco Web Security Appliances User Guide

2

Contents

4 C H A P T E R

Deployment in Cloud Connector Mode 3-2 Configuring the Cloud Connector 3-2 Controlling Web Access Using Directory Groups in the Cloud 3-5 Bypassing the Cloud Proxy Server 3-5 Partial Support for FTP and HTTPS in Cloud Connector Mode 3-5 Preventing Loss of Secure Data 3-6 Viewing Group and User Names and IP Addresses 3-6 Subscribing to Cloud Connector Logs 3-6 Identification Profiles and Authentication with Cloud Web Security Connector 3-7

Identifying Machines for Policy Application 3-7 Guest Access for Unauthenticated Users 3-8

Intercepting Web Requests 4-1 Overview of Intercepting Web Requests 4-1 Tasks for Intercepting Web Requests 4-2 Best Practices for Intercepting Web Requests 4-2 Web Proxy Options for Intercepting Web Requests 4-3 Configuring Web Proxy Settings 4-3 Web Proxy Cache 4-5 Clearing the Web Proxy Cache 4-6 Removing URLs from the Web Proxy Cache 4-6 Specifying Domains or URLs that the Web Proxy never Caches 4-6 Choosing The Web Proxy Cache Mode 4-7 Web Proxy IP Spoofing 4-8 Web Proxy Custom Headers 4-9 Adding Custom Headers To Web Requests 4-9 Web Proxy Bypassing 4-10 Web Proxy Bypassing for Web Requests 4-10 Configuring Web Proxy Bypassing for Web Requests 4-10 Configuring Web Proxy Bypassing for Applications 4-11 Web Proxy Usage Agreement 4-11 Client Options for Redirecting Web Requests 4-11 Using PAC Files with Client Applications 4-12 Options For Publishing Proxy Auto-Config (PAC) Files 4-12 Client Options For Finding Proxy Auto-Config (PAC) Files 4-12 Automatic PAC File Detection 4-12 Hosting PAC Files on the Web Security Appliance 4-12 Specifying PAC Files in Client Applications 4-13

AsyncOS 10.1 for Cisco Web Security Appliances User Guide

3

Contents

Configuring a PAC File Location Manually in Clients 4-13 Detecting the PAC File Automatically in Clients 4-14 FTP Proxy Services 4-14 Overview of FTP Proxy Services 4-14 Enabling and Configuring the FTP Proxy 4-15 SOCKS Proxy Services 4-16 Overview of SOCKS Proxy Services 4-16 Enabling Processing of SOCKS Traffic 4-17 Configuring the SOCKS Proxy 4-17 Creating SOCKS Policies 4-17 Troubleshooting Intercepting Requests 4-18

5 C H A P T E R

Acquire End-User Credentials 5-1

Overview of Acquire End-User Credentials 5-1 Authentication Task Overview 5-2

Authentication Best Practices 5-2

Authentication Planning 5-2 Active Directory/Kerberos 5-4 Active Directory/Basic 5-5 Active Directory/NTLMSSP 5-6 LDAP/Basic 5-6 Identifying Users Transparently 5-6 Understanding Transparent User Identification 5-7 Rules and Guidelines for Transparent User Identification 5-9 Configuring Transparent User Identification 5-10 Using the CLI to Configure Advanced Transparent User Identification Settings 5-10 Configuring Single-Sign-on 5-11

Authentication Realms 5-11 External Authentication 5-12 Configuring External Authentication through an LDAP Server 5-12 Enabling RADIUS External Authentication 5-12 Creating an Active Directory Realm for Kerberos Authentication Scheme 5-12 How to Create an Active Directory Authentication Realm (NTLMSSP and Basic) 5-15 Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic) 5-15 About Using Multiple NTLM Realms and Domains 5-15 Creating an Active Directory Authentication Realm (NTLMSSP and Basic) 5-16 Creating an LDAP Authentication Realm 5-17 About Deleting Authentication Realms 5-22 Configuring Global Authentication Settings 5-22

AsyncOS 10.1 for Cisco Web Security Appliances User Guide

4

Contents

6 C H A P T E R

Authentication Sequences 5-27 About Authentication Sequences 5-28 Creating Authentication Sequences 5-28 Editing And Reordering Authentication Sequences 5-29 Deleting Authentication Sequences 5-29

Failed Authentication 5-29 About Failed Authentication 5-30 Bypassing Authentication with Problematic User Agents 5-30 Bypassing Authentication 5-32 Permitting Unauthenticated Traffic While Authentication Service is Unavailable 5-32 Granting Guest Access After Failed Authentication 5-32 Define an Identification Profile that Supports Guest Access 5-33 Use an Identification Profile that Supports Guest Access in a Policy 5-33 Configure How Guest User Details are Logged 5-33 Failed Authorization: Allowing Re-Authentication with Different Credentials 5-34 About Allowing Re-Authentication with Different Credentials 5-34 Allowing Re-Authentication with Different Credentials 5-34 Tracking Identified Users 5-34 Supported Authentication Surrogates for Explicit Requests 5-35 Supported Authentication Surrogates for Transparent Requests 5-35 Tracking Re-Authenticated Users 5-35

Credentials 5-36 Tracking Credentials for Reuse During a Session 5-36 Authentication and Authorization Failures 5-37 Credential Format 5-37 Credential Encryption for Basic Authentication 5-37 About Credential Encryption for Basic Authentication 5-37 Configuring Credential Encryption 5-37

Troubleshooting Authentication 5-38

Classify End-Users and Client Software 6-1 Overview of Classify Users and Client Software 6-1 Classify Users and Client Software: Best Practices 6-2 Identification Profile Criteria 6-2 Classifying Users and Client Software 6-3 Enable/Disable an Identity 6-8 Identification Profiles and Authentication 6-8 Troubleshooting Identification Profiles 6-10

AsyncOS 10.1 for Cisco Web Security Appliances User Guide

5

Contents

7 C H A P T E R

SaaS Access Control 7-1 Overview of SaaS Access Control 7-1 Configuring the Appliance as an Identity Provider 7-2 Using SaaS Access Control and Multiple Appliances 7-4 Creating SaaS Application Authentication Policies 7-4 Configuring End-user Access to the Single Sign-on URL 7-6

8 C H A P T E R

Integrate the Cisco Identity Services Engine 8-1 Overview of the Identity Services Engine Service 8-1 About pxGrid 8-1 About the ISE Server Deployment and Failover 8-2 Identity Services Engine Certificates 8-2 Using Self-signed Certificates 8-3 Using CA-signed Certificates 8-3 Tasks for Certifying and Integrating the ISE Service 8-3 Connect to the ISE Services 8-6 Troubleshooting Identity Services Engine Problems 8-7

9 C H A P T E R

Classify URLs for Policy Application 9-1

Overview of Categorizing URL Transactions 9-1 Categorization of Failed URL Transactions 9-2 Enabling the Dynamic Content Analysis Engine 9-2 Uncategorized URLs 9-2 Matching URLs to URL Categories 9-3 Reporting Uncategorized and Misclassified URLs 9-3 URL Categories Database 9-3

Configuring the URL Filtering Engine 9-4

Managing Updates to the Set of URL Categories 9-4 Understanding the Impacts of URL Category Set Updates 9-5 Effects of URL Category Set Changes on Policy Group Membership 9-5 Effects of URL Category Set Updates on Filtering Actions in Policies 9-5 Merged Categories - Examples 9-6 Controlling Updates to the URL Category Set 9-7 Manually Updating the URL Category Set 9-7 Default Settings for New and Changed Categories 9-8 Verifying Existing Settings and/or Making Changes 9-8 Receiving Alerts About Category and Policy Changes 9-8 Responding to Alerts about URL Category Set Updates 9-8

AsyncOS 10.1 for Cisco Web Security Appliances User Guide

6

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download