ebook img

AsyncOS 8.7 for Cisco Web Security Appliances User Guide PDF

455 Pages·2015·3.44 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview AsyncOS 8.7 for Cisco Web Security Appliances User Guide

AsyncOS 8.7 for Cisco Web Security Appliances User Guide Published: March 31, 2015 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED ORIMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Ciscoand the Ciscologo are trademarks or registered trademarks of Ciscoand/or its affiliates in the U.S. and other countries. To view a list of Ciscotrademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Ciscoand any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. AsyncOS 8.7 for Cisco Web Security Appliances User Guide © 2015 Cisco Systems, Inc. All rights reserved. C O N T E N T S CHAPTER 1 Introduction to the Product and the Release 1-1 Introduction to the Web Security Appliance 1-1 What’s New 1-1 What’s New in Cisco AsyncOS 8.7 1-2 Requirements and Restrictions for AsyncOS 8.7 1-2 What’s New in Cisco AsyncOS 8.5 1-2 Using the Appliance Web Interface 1-4 Web Interface Browser Requirements 1-4 Accessing the Appliance Web Interface 1-4 Committing Changes in the Web Interface 1-5 Clearing Changes in the Web Interface 1-5 The Cisco SensorBase Network 1-5 SensorBase Benefits and Privacy 1-5 Enabling Participation in The Cisco SensorBase Network 1-6 CHAPTER 2 Connect, Install, and Configure 2-1 Overview of Connect, Install, and Configure 2-1 Deploying a Virtual Appliance 2-1 Migrating from a Physical to a Virtual Appliance 2-2 Task Overview for Connecting, Installing, and Configuring 2-2 Connecting the Appliance 2-2 Gathering Setup Information 2-4 System Setup Wizard 2-6 System Setup Wizard Reference Information 2-7 Network / System Settings 2-7 Network / Network Context 2-8 Network / Network Interfaces and Wiring 2-9 Network / Routes for Management and Data Traffic 2-9 Network / Transparent Connection Settings 2-10 Network / Administrative Settings 2-10 Security / Security Settings 2-12 Upstream Proxies 2-12 AsyncOS 8.7 for Cisco Web Security Appliances User Guide 1 Contents Upstream Proxies Task Overview 2-13 Creating Proxy Groups for Upstream Proxies 2-13 Network Interfaces 2-14 IP Address Versions 2-14 Enabling or Changing Network Interfaces 2-15 Configuring Failover Groups for High Availability 2-17 Add Failover Group 2-17 Edit High Availability Global Settings 2-18 View Status of Failover Groups 2-18 Using the P2 Data Interface for Web Proxy Data 2-18 Configuring TCP/IP Traffic Routes 2-19 Modifying the Default Route 2-20 Adding a Route 2-21 Saving and Loading Routing Tables 2-21 Deleting a Route 2-21 Configuring Transparent Redirection 2-21 Specifying a Transparent Redirection Device 2-21 Configuring WCCP Services 2-22 Increasing Interface Capacity Using VLANs 2-25 Configuring and Managing VLANs 2-25 Redirect Hostname and System Hostname 2-29 Changing the Redirect Hostname 2-30 Changing the System Hostname 2-30 Configuring SMTP Relay Host Settings 2-30 Configuring an SMTP Relay Host 2-31 DNS Settings 2-31 Split DNS 2-31 Clearing the DNS Cache 2-32 Editing DNS Settings 2-32 Troubleshooting Connect, Install, and Configure 2-33 CHAPTER 3 Connect the Appliance to a Cisco Cloud Web Security Proxy 3-1 Overview of Connect the Appliance to a Cloud Web SecurityProxy 3-1 Cloud Connector versus Standard Mode 3-2 Documentation Links 3-4 Deployment 3-4 Configuring the Cloud Connector 3-5 Step 1. Access the Web Interface for the Web Security Appliance 3-5 AsyncOS 8.7 for Cisco Web Security Appliances User Guide 2 Contents Step 2. Accept the License Agreement and Begin Setup. 3-5 Step 3. Configure System Settings: 3-5 Step 4. Set the Appliance Mode 3-5 Step 5. Configure Cloud Connector Settings 3-6 Step 6. Configure Network Interfaces and Wiring 3-6 Step 7. Configure Routes for Management and Data Traffic 3-7 Step 8. Configure Transparent Connection Settings 3-7 Step 9. Configure Administrative Settings 3-8 Step 10. Review and Install 3-8 Directory Group Policies in the Cloud 3-8 Sending Directory Groups to the Cloud 3-8 Bypassing the Cloud Proxy Server 3-9 FTP and HTTPS 3-9 FTP 3-9 HTTPS 3-9 Preventing Loss of Secure Data 3-10 Cloud Connector Logs 3-10 Subscribing to the Cloud Connector Logs 3-10 Identification Profiles and Authentication 3-11 Identifying Machines for Policy Application 3-11 Guest Access for Unauthenticated Users 3-12 Configuration Modes 3-12 Switching to Cloud Connector Mode 3-12 CHAPTER 4 Intercepting Web Requests 4-1 Overview of Intercepting Web Requests 4-1 Tasks for Intercepting Web Requests 4-2 Best Practices for Intercepting Web Requests 4-2 Web Proxy Options for Intercepting Web Requests 4-3 Configuring Web Proxy Settings 4-3 Web Proxy Cache 4-5 Clearing the Web Proxy Cache 4-5 Removing URLs from the Web Proxy Cache 4-6 Specifying Domains or URLs that the Web Proxy never Caches 4-6 Choosing The Web Proxy Cache Mode 4-7 Web Proxy IP Spoofing 4-8 Web Proxy Custom Headers 4-9 Adding Custom Headers To Web Requests 4-9 AsyncOS 8.7 for Cisco Web Security Appliances User Guide 3 Contents Web Proxy Bypassing 4-10 Web Proxy Bypassing for Web Requests 4-10 Configuring Web Proxy Bypassing for Web Requests 4-10 Configuring Web Proxy Bypassing for Applications 4-10 Web Proxy Usage Agreement 4-11 Client Options for Redirecting Web Requests 4-11 Using PAC Files with Client Applications 4-11 Options For Publishing Proxy Auto-Config (PAC) Files 4-11 Client Options For Finding Proxy Auto-Config (PAC) Files 4-12 Automatic PAC File Detection 4-12 Hosting PAC Files on the Web Security Appliance 4-12 Specifying PAC Files in Client Applications 4-13 Configuring a PAC File Location Manually in Clients 4-13 Detecting the PAC File Automatically in Clients 4-13 FTP Proxy Services 4-14 Overview of FTP Proxy Services 4-14 Enabling and Configuring the FTP Proxy 4-14 SOCKS Proxy Services 4-16 Overview of SOCKS Proxy Services 4-16 Enabling Processing of SOCKS Traffic 4-16 Configuring the SOCKS Proxy 4-17 Creating SOCKS Policies 4-17 Troubleshooting Intercepting Requests 4-18 CHAPTER 5 Acquire End-User Credentials 5-1 Overview of Acquire End-User Credentials 5-1 Authentication Task Overview 5-2 Authentication Best Practices 5-2 Authentication Planning 5-2 Active Directory/Kerberos 5-3 Active Directory/Basic 5-4 Active Directory/NTLMSSP 5-5 LDAP/Basic 5-5 Identifying Users Transparently 5-5 Understanding Transparent User Identification 5-6 Rules and Guidelines 5-9 Configuring Transparent User Identification 5-9 Using the CLI to Configure Advanced Transparent User Identification Settings 5-9 Configuring Single-Sign-on 5-10 AsyncOS 8.7 for Cisco Web Security Appliances User Guide 4 Contents Authentication Realms 5-10 External Authentication 5-11 Configuring External Authentication through an LDAP Server 5-11 Enabling RADIUS External Authentication 5-11 Creating an Active Directory Realm for Kerberos Authentication Scheme 5-12 Creating an Active Directory Authentication Realm (NTLMSSP and Basic) 5-14 Creating an LDAP Authentication Realm 5-16 About Deleting Authentication Realms 5-20 Configuring Global Authentication Settings 5-20 Authentication Sequences 5-25 About Authentication Sequences 5-26 Creating Authentication Sequences 5-26 Editing And Reordering Authentication Sequences 5-27 Deleting Authentication Sequences 5-27 Failed Authentication 5-27 About Failed Authentication 5-28 Bypassing Authentication 5-28 Permitting Unauthenticated Traffic While Authentication Service is Unavailable 5-28 Granting Guest Access After Failed Authentication 5-29 Define an Identification Profile that Supports Guest Access 5-29 Use an Identification Profile that Supports Guest Access in a Policy 5-29 Configure How Guest User Details are Logged 5-30 Failed Authorization: Allowing Re-Authentication with Different Credentials 5-30 About Allowing Re-Authentication with Different Credentials 5-30 Allowing Re-Authentication with Different Credentials 5-30 Tracking Identified Users 5-31 Supported Authentication Surrogates for Explicit Requests 5-31 Supported Authentication Surrogates for Transparent Requests 5-31 Tracking Re-Authenticated Users 5-32 Credentials 5-32 Tracking Credentials for Reuse During a Session 5-32 Authentication and Authorization Failures 5-33 Credential Format 5-33 Credential Encryption for Basic Authentication 5-33 About Credential Encryption for Basic Authentication 5-33 Configuring Credential Encryption 5-33 Troubleshooting Authentication 5-34 AsyncOS 8.7 for Cisco Web Security Appliances User Guide 5 Contents CHAPTER 6 Classify End-Users and Client Software 6-1 Overview of Classify Users and Client Software 6-1 Classify Users and Client Software: Best Practices 6-2 Identification Profile Criteria 6-2 Classifying Users and Client Software 6-3 Enable/Disable an Identity 6-8 Identification Profiles and Authentication 6-8 Troubleshooting Identification Profiles 6-9 CHAPTER 7 SaaS Access Control 7-1 Overview of SaaS Access Control 7-1 Configuring the Appliance as an Identity Provider 7-2 Using SaaS Access Control and Multiple Appliances 7-4 Creating SaaS Application Authentication Policies 7-4 Configuring End-user Access to the Single Sign-on URL 7-6 CHAPTER 8 Integrate the Cisco Identity Services Engine 8-1 Overview of the Identity Services Engine Service 8-1 Identity Services Engine Certificates 8-1 Tasks for Integrating the Identity Services Engine Service 8-2 Connect to the Identity Services Engine Service 8-4 Troubleshooting Identity Services Engine Problems 8-4 CHAPTER 9 Classify URLs for Policy Application 9-1 Overview of Categorizing URL Transactions 9-1 Categorization of Failed URL Transactions 9-2 Enabling the Dynamic Content Analysis Engine 9-2 Uncategorized URLs 9-2 Matching URLs to URL Categories 9-3 Reporting Uncategorized and Misclassified URLs 9-3 URL Categories Database 9-3 Configuring the URL Filtering Engine 9-4 Managing Updates to the Set of URL Categories 9-4 Understanding the Impacts of URL Category Set Updates 9-5 Effects of URL Category Set Changes on Policy Group Membership 9-5 Effects of URL Category Set Updates on Filtering Actions in Policies 9-5 Merged Categories - Examples 9-6 AsyncOS 8.7 for Cisco Web Security Appliances User Guide 6 Contents Controlling Updates to the URL Category Set 9-7 Manually Updating the URL Category Set 9-7 Default Settings for New and Changed Categories 9-8 Verifying Existing Settings and/or Making Changes 9-8 Receiving Alerts About Category and Policy Changes 9-8 Responding to Alerts about URL Category Set Updates 9-8 Filtering Transactions Using URL Categories 9-9 Configuring URL Filters for Access Policy Groups 9-9 Configuring URL Filters for Decryption Policy Groups 9-11 Configuring URL Filters for Data Security Policy Groups 9-12 Creating and Editing Custom URL Categories 9-13 Filtering Adult Content 9-15 Enforcing Safe Searches and Site Content Ratings 9-15 Logging Adult Content Access 9-16 Redirecting Traffic in the Access Policies 9-17 Logging and Reporting 9-17 Warning Users and Allowing Them to Continue 9-17 Configuring Settings for the End-User Filtering Warning Page 9-18 Creating Time Based URL Filters 9-19 Viewing URL Filtering Activity 9-19 Understanding Unfiltered and Uncategorized Data 9-19 Access Log File 9-20 Regular Expressions 9-20 Forming Regular Expressions 9-20 Guidelines for Avoiding Validation Failures 9-21 Regular Expression Character Table 9-22 URL Category Descriptions 9-23 CHAPTER 10 Create Policies to Control Internet Requests 10-1 Overview of Policies: Control Intercepted Internet Requests 10-1 Managing Web Requests Through Policies Task Overview 10-2 Managing Web Requests Through Policies Best Practices 10-2 Policies 10-2 Policy Types 10-3 Policy Order 10-5 Creating a Policy 10-5 Adding and Editing Secure Group Tags for a Policy 10-8 Policy Configuration 10-8 AsyncOS 8.7 for Cisco Web Security Appliances User Guide 7 Contents Block, Allow, or Redirect Transaction Requests 10-9 Client Applications 10-10 About Client Applications 10-10 Using Client Applications in Policies 10-10 Exempting Client Applications from Authentication 10-12 Time Ranges and Volume Quotas 10-12 Volume Quota Calculations 10-13 Time Quota Calculations 10-13 Defining Time and Volume Quotas 10-13 Access Control by URL Category 10-14 Creating Custom URL Categories 10-14 Using URL Categories to Identify Web Requests 10-15 Using URL Categories to Action Web Request 10-16 Remote Users 10-16 About Remote Users 10-17 Configuring Identification for Remote Users 10-17 Configuring Identification of Remote Users 10-17 Display Remote User Status and Statistics for ASAs 10-18 Troubleshooting Policies 10-19 CHAPTER 11 Create Decryption Policies to Control HTTPSTraffic 11-1 Overview of Create Decryption Policies to Control HTTP Traffic 11-1 Managing HTTPS Traffic through Decryption Policies Task Overview 11-2 Managing HTTPS Traffic through Decryption Policies BestPractices 11-2 Decryption Policies 11-2 Enabling the HTTPS Proxy 11-3 Controlling HTTPS Traffic 11-4 Configuring Decryption Options 11-4 Authentication and HTTPS Connections 11-5 Root Certificates 11-5 Managing Certificate Validation and Decryption for HTTPS 11-6 Valid Certificates 11-6 Invalid Certificate Handling 11-6 Uploading a Root Certificate and Key 11-7 Generating a Certificate and Key 11-7 Configuring Invalid Certificate Handling 11-8 Options for Certificate Revocation Status Checking 11-9 Enabling Real-Time Revocation Status Checking 11-9 Trusted Root Certificates 11-10 AsyncOS 8.7 for Cisco Web Security Appliances User Guide 8

Description:
CHAPTER 1. Introduction to CHAPTER 2. Connect Connect the Appliance to a Cisco Cloud Web Security Proxy 3-1. Overview Configure Administrative Settings 3-8. Step 10. Configuring Global Authentication Settings 5-20.
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.