AsyncOS 8.6 for Cisco Web Security Appliances User Guide Published: March 3, 2015 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED ORIMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Ciscoand the Ciscologo are trademarks or registered trademarks of Ciscoand/or its affiliates in the U.S. and other countries. To view a list of Ciscotrademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Ciscoand any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. AsyncOS 8.6 for Cisco Web Security Appliances User Guide © 2014-2015 Cisco Systems, Inc. All rights reserved. C O N T E N T S CHAPTER 1 Introduction to the Product and the Release 1-1 Introduction to the Web Security Appliance 1-1 What’s New 1-1 What’s New in Cisco AsyncOS 8.6 1-2 1-2 What’s New in Cisco AsyncOS 8.5 1-2 Using the Appliance Web Interface 1-4 Web Interface Browser Requirements 1-4 Accessing the Appliance Web Interface 1-4 Committing Changes in the Web Interface 1-5 Clearing Changes in the Web Interface 1-5 The Cisco SensorBase Network 1-5 SensorBase Benefits and Privacy 1-5 Enabling Participation in The Cisco SensorBase Network 1-5 CHAPTER 2 Connect, Install, and Configure 2-1 Overview of Connect, Install, and Configure 2-1 Deploying a Virtual Appliance 2-1 Migrating from a Physical to a Virtual Appliance 2-2 Task Overview for Connecting, Installing, and Configuring 2-2 Connecting the Appliance 2-2 Gathering Setup Information 2-4 System Setup Wizard 2-6 System Setup Wizard Reference Information 2-7 Network / System Settings 2-7 Network / Network Context 2-8 Network / Network Interfaces and Wiring 2-9 Network / Routes for Management and Data Traffic 2-9 Network / Transparent Connection Settings 2-10 Network / Administrative Settings 2-10 Security / Security Settings 2-12 Upstream Proxies 2-12 AsyncOS 8.6 for Cisco Web Security Appliances User Guide 1 Contents Upstream Proxies Task Overview 2-13 Creating Proxy Groups for Upstream Proxies 2-13 Network Interfaces 2-14 IP Address Versions 2-14 Enabling or Changing Network Interfaces 2-15 Configuring Failover Groups for High Availability 2-17 Add Failover Group 2-17 Edit High Availability Global Settings 2-18 View Status of Failover Groups 2-18 Using the P2 Data Interface for Web Proxy Data 2-18 Configuring TCP/IP Traffic Routes 2-19 Modifying the Default Route 2-20 Adding a Route 2-21 Saving and Loading Routing Tables 2-21 Deleting a Route 2-21 Configuring Transparent Redirection 2-21 Specifying a Transparent Redirection Device 2-21 Configuring WCCP Services 2-22 Increasing Interface Capacity Using VLANs 2-25 Configuring and Managing VLANs 2-26 Redirect Hostname and System Hostname 2-30 Changing the Redirect Hostname 2-31 Changing the System Hostname 2-31 Configuring SMTP Relay Host Settings 2-31 Configuring an SMTP Relay Host 2-31 DNS Settings 2-32 Split DNS 2-32 Clearing the DNS Cache 2-32 Editing DNS Settings 2-33 Troubleshooting Connect, Install, and Configure 2-34 CHAPTER 3 Connect the Appliance to a Cisco Cloud Web Security Proxy 3-1 Overview of Connect the Appliance to a Cloud Web Security Proxy 3-1 Cloud Connector versus Standard Mode 3-2 Documentation 3-4 Deployment 3-5 Configuring the Cloud Connector 3-5 Step 1. Access the Web Interface for the Web Security Appliance 3-5 AsyncOS 8.6 for Cisco Web Security Appliances User Guide 2 Contents Step 2. Accept the License Agreement and Begin Setup. 3-5 Step 3. Configure System Settings: 3-6 Step 4. Set the Appliance Mode 3-6 Step 5. Configure Cloud Connector Settings 3-6 Step 6. Configure Network Interfaces and Wiring 3-7 Step 7. Configure Routes for Management and Data Traffic 3-7 Step 8. Configure Transparent Connection Settings 3-7 Step 9. Configure Administrative Settings 3-8 Step 10. Review and Install 3-8 Directory Group Policies in the Cloud 3-8 Sending Directory Groups to the Cloud 3-8 Bypassing the Cloud Proxy Server 3-9 FTP and HTTPS 3-9 FTP 3-9 HTTPS 3-10 Preventing Loss of Secure Data 3-10 Cloud Connector Logs 3-10 Subscribing to the Cloud Connector Logs 3-10 Identities and Authentication 3-11 Identifying Machines for Policy Application 3-11 Guest Access for Unauthenticated Users 3-12 Configuration Modes 3-12 Switching to Cloud Connector Mode 3-12 CHAPTER 4 Intercepting Web Requests 4-1 Overview of Intercepting Web Requests 4-1 Tasks for Intercepting Web Requests 4-2 Best Practices for Intercepting Web Requests 4-2 Web Proxy Options for Intercepting Web Requests 4-3 Configuring Web Proxy Settings 4-3 Web Proxy Cache 4-5 Clearing the Web Proxy Cache 4-5 Removing URLs from the Web Proxy Cache 4-6 Specifying Domains or URLs that the Web Proxy never Caches 4-6 Choosing The Web Proxy Cache Mode 4-7 Web Proxy IP Spoofing 4-8 Web Proxy Custom Headers 4-9 Adding Custom Headers To Web Requests 4-9 AsyncOS 8.6 for Cisco Web Security Appliances User Guide 3 Contents Web Proxy Bypassing 4-10 Web Proxy Bypassing for Web Requests 4-10 Configuring Web Proxy Bypassing for Web Requests 4-10 Configuring Web Proxy Bypassing for Applications 4-10 Web Proxy Usage Agreement 4-11 Client Options for Redirecting Web Requests 4-11 Using PAC Files with Client Applications 4-11 Options For Publishing Proxy Auto-Config (PAC) Files 4-11 Client Options For Finding Proxy Auto-Config (PAC) Files 4-12 Automatic PAC File Detection 4-12 Hosting PAC Files on the Web Security Appliance 4-12 Specifying PAC Files in Client Applications 4-13 Configuring a PAC File Location Manually in Clients 4-13 Detecting the PAC File Automatically in Clients 4-13 FTP Proxy Services 4-14 Overview of FTP Proxy Services 4-14 Enabling and Configuring the FTP Proxy 4-14 SOCKS Proxy Services 4-16 Overview of SOCKS Proxy Services 4-16 Enabling Processing of SOCKS Traffic 4-16 Configuring the SOCKS Proxy 4-17 Creating SOCKS Policies 4-17 Troubleshooting Intercepting Requests 4-18 CHAPTER 5 Acquire End-User Credentials 5-1 Overview of Acquire End-User Credentials 5-1 Authentication Task Overview 5-2 Authentication Best Practices 5-2 Credentials 5-2 Configuring Single-Sign-on 5-2 Tracking Credentials for Reuse During a Session 5-3 Authentication and Authorization Failures 5-3 Authentication Realms 5-3 External Authentication 5-3 Configuring External Authentication through an LDAP Server 5-4 Enabling RADIUS External Authentication 5-4 Creating an Active Directory Realm for Kerberos Authentication Scheme 5-4 Creating an Active Directory Authentication Realm 5-6 Creating an LDAP Authentication Realm 5-8 AsyncOS 8.6 for Cisco Web Security Appliances User Guide 4 Contents About Deleting Authentication Realms 5-13 Configuring Global Authentication Settings 5-13 Authentication Sequences 5-18 About Authentication Sequences 5-19 Creating Authentication Sequences 5-19 Editing And Reordering Authentication Sequences 5-20 Deleting Authentication Sequences 5-20 Failed Authentication 5-20 About Failed Authentication 5-21 Bypassing Authentication 5-21 Permitting Unauthenticated Traffic While Authentication Service is Unavailable 5-21 Granting Guest Access After Failed Authentication 5-22 Define an Identity that Supports Guest Access 5-22 Use an Identity that Supports Guest Access in a Policy 5-22 Configure How Guest User Details are Logged 5-23 Failed Authorization: Allowing Re-Authentication with Different Credentials 5-23 About Allowing Re-Authentication with Different Credentials 5-23 Allowing Re-Authentication with Different Credentials 5-23 Tracking Identified Users 5-24 Supported Authentication Surrogates for Explicit Requests 5-24 Supported Authentication Surrogates for Transparent Requests 5-24 Tracking Re-Authenticated Users 5-24 Credentials 5-25 Credential Format 5-25 Credential Encryption for Basic Authentication 5-25 About Credential Encryption for Basic Authentication 5-25 Configuring Credential Encryption 5-26 Troubleshooting Authentication 5-26 CHAPTER 6 Classify End-Users and Client Software 6-1 Overview of Classify Users and Client Software 6-1 Classify Users and Client Software: Best Practices 6-2 Identity Criteria 6-2 Classifying Users and Client Software 6-3 Identities and Authentication 6-8 Troubleshooting Identities 6-9 AsyncOS 8.6 for Cisco Web Security Appliances User Guide 5 Contents CHAPTER 7 SaaS Access Control 7-1 Overview of SaaS Access Control 7-1 Authenticate SaaS Users 7-2 Certificates and Keys 7-2 Configuring the Appliance as an Identity Provider 7-2 Using SaaS Access Control and Multiple Appliances 7-4 Creating SaaS Application Authentication Policies 7-4 Configuring End-user Access to the Single Sign-on URL 7-6 CHAPTER 8 Classify URLs for Policy Application 8-1 Overview of Categorizing URL Transactions 8-1 Categorization of Failed URL Transactions 8-2 Enabling the Dynamic Content Analysis Engine 8-2 Uncategorized URLs 8-2 Matching URLs to URL Categories 8-3 Reporting Uncategorized and Misclassified URLs 8-3 URL Categories Database 8-3 Configuring the URL Filtering Engine 8-4 Managing Updates to the Set of URL Categories 8-4 Understanding the Impacts of URL Category Set Updates 8-5 Effects of URL Category Set Changes on Policy Group Membership 8-5 Effects of URL Category Set Updates on Filtering Actions in Policies 8-5 Merged Categories - Examples 8-6 Controlling Updates to the URL Category Set 8-7 Manually Updating the URL Category Set 8-7 Default Settings for New and Changed Categories 8-8 Verifying Existing Settings and/or Making Changes 8-8 Receiving Alerts About Category and Policy Changes 8-8 Responding to Alerts about URL Category Set Updates 8-8 Filtering Transactions Using URL Categories 8-9 Configuring URL Filters for Access Policy Groups 8-9 Configuring URL Filters for Decryption Policy Groups 8-11 Configuring URL Filters for Data Security Policy Groups 8-12 Creating and Editing Custom URL Categories 8-13 Filtering Adult Content 8-15 Enforcing Safe Searches and Site Content Ratings 8-15 Logging Adult Content Access 8-16 Redirecting Traffic in the Access Policies 8-17 AsyncOS 8.6 for Cisco Web Security Appliances User Guide 6 Contents Logging and Reporting 8-17 Warning Users and Allowing Them to Continue 8-17 Configuring Settings for the End-User Filtering Warning Page 8-18 Creating Time Based URL Filters 8-19 Viewing URL Filtering Activity 8-19 Understanding Unfiltered and Uncategorized Data 8-19 Access Log File 8-20 Regular Expressions 8-20 Forming Regular Expressions 8-20 Guidelines for Avoiding Validation Failures 8-21 Regular Expression Character Table 8-22 URL Category Descriptions 8-23 CHAPTER 9 Create Policies to Control Internet Requests 9-1 Overview of Policies: Control Intercepted Internet Requests 9-1 Managing Web Requests Through Policies Task Overview 9-2 Managing Web Requests Through Policies Best Practices 9-2 Policies 9-2 Policy Types 9-3 Policy Order 9-5 Creating a Policy 9-5 Policy Configuration 9-6 Block, Allow, or Redirect Transaction Requests 9-7 Client Applications 9-7 About Client Applications 9-7 Using Client Applications in Policies 9-8 Exempting Client Applications from Authentication 9-9 Time Ranges and Quotas 9-9 Volume Quota Calculations 9-10 Time Quota Calculations 9-10 Access Control by URL Category 9-10 Creating Custom URL Categories 9-11 Using URL Categories to Identify Web Requests 9-12 Using URL Categories to Action Web Request 9-12 Remote Users 9-13 About Remote Users 9-13 Configuring Identification for Remote Users 9-14 Configuring Identification of Remote Users 9-14 AsyncOS 8.6 for Cisco Web Security Appliances User Guide 7 Contents Display Remote User Status and Statistics for ASAs 9-15 Troubleshooting Policies 9-15 CHAPTER 10 Create Decryption Policies to Control HTTPSTraffic 10-1 Overview of Create Decryption Policies to Control HTTP Traffic 10-1 Managing HTTPS Traffic through Decryption Policies Task Overview 10-2 Managing HTTPS Traffic through Decryption Policies BestPractices 10-2 Decryption Policies 10-2 Enabling the HTTPS Proxy 10-3 Controlling HTTPS Traffic 10-4 Configuring Decryption Options 10-4 Authentication and HTTPS Connections 10-5 Root Certificates 10-5 Managing Certificate Validation and Decryption for HTTPS 10-6 Valid Certificates 10-6 Invalid Certificate Handling 10-6 Uploading a Root Certificate and Key 10-7 Generating a Certificate and Key 10-7 Configuring Invalid Certificate Handling 10-8 Options for Certificate Revocation Status Checking 10-9 Enabling Real-Time Revocation Status Checking 10-9 Trusted Root Certificates 10-10 Adding Certificates to the Trusted List 10-10 Removing Certificates from the Trusted List 10-11 Routing HTTPS Traffic 10-11 Troubleshooting Decryption/HTTPS/Certificates 10-11 CHAPTER 11 Scan Outbound Traffic for Existing Infections 11-1 Overview of Scanning Outbound Traffic 11-1 User Experience with Blocked Requests 11-1 Understanding Upload Requests 11-2 Criteria for Group Membership 11-2 Matching Client Requests to Outbound Malware Scanning Policy Groups 11-2 Creating Outbound Malware Scanning Policies 11-3 Controlling Upload Requests 11-4 Logging 11-6 AsyncOS 8.6 for Cisco Web Security Appliances User Guide 8