Cisco IronPort AsyncOS 7.1 for Web User Guide
November, 2010

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-23207-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco IronPort AsyncOS 7.1 for Web User Guide
© 2010 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1  Getting Started with the Web Security Appliance  1-1
    What’s New in This Release  1-1
    New Feature: Web Reporting and Web Tracking  1-2
    New Feature: Centralized Reporting  1-2
    New Feature: Anonymized Usernames on Reporting Pages  1-3
    Enhanced: Reports  1-3
    What’s New in Version 7.0  1-3
    New Feature: Cisco AnyConnect Secure Mobility  1-3
    New Feature: Application Visibility and Control  1-4
    New Feature: Safe Search and Site Content Rating Enforcement  1-5
    New Feature: Bandwidth Control for Streaming Media  1-5
    New Feature: HTTP Instant Messaging Controls  1-6
    New Feature: SaaS Access Control  1-6
    New Feature: Sophos Anti-Virus Scanning  1-7
    New Feature: Transparent User Identification for Novell eDirectory  1-7
    New Feature: Outbound Malware Scanning  1-7
    New Feature: Application Scanning Bypass  1-8
    New Feature: Allow User One Login at a Time  1-8
    New Feature: WBRS Threat Details  1-9
    New Feature: What’s New In This Release  1-9
    Enhanced: Per Identity Authentication Settings  1-9
    Enhanced: PAC File Hosting  1-9
    Enhanced: Reports  1-10
    Enhanced: Advancedproxyconfig CLI Command  1-10
    Enhanced: Logging  1-10
    How to Use This Guide  1-11
    Before You Begin  1-11
    Typographic Conventions  1-12
    Where to Find More Information  1-13
    Documentation Set  1-13
    IronPort Technical Training  1-13
    Knowledge Base  1-13
    Cisco Support Community  1-14
    Cisco IronPort Customer Support  1-15
    Third Party Contributors  1-15
    IronPort Welcomes Your Comments  1-15
    Web Security Appliance Overview  1-16

CHAPTER 2  Using the Web Security Appliance  2-1
    How the Web Security Appliance Works  2-1
    Web Proxy  2-1
    The L4 Traffic Monitor  2-2
    Administering the Web Security Appliance  2-2
    System Setup Wizard  2-3
    Accessing the Web Security Appliance  2-3
    Using the Command Line Interface (CLI)  2-4
    Using an Ethernet Connection  2-4
    Using a Serial Connection  2-5
    The SenderBase Network  2-5
    Sharing Data  2-6
    Reporting and Logging  2-6
    Navigating the Web Security Appliance Web Interface  2-7
    Logging In  2-9
    Browser Requirements  2-10
    Support Languages  2-10
    Reporting Tab  2-11
    Web Security Manager Tab  2-11
    Security Services Tab  2-12
    Network Tab  2-13
    System Administration Tab  2-13
    Committing and Clearing Changes  2-14
    Committing and Clearing Changes in the Web Interface  2-14
    Committing Changes  2-15
    Clearing Changes  2-15
    Committing and Clearing Changes in the CLI  2-16

CHAPTER 3  Deployment  3-1
    Deployment Overview  3-1
    Preparing for Deployment  3-2
    Appliance Interfaces  3-3
    Management Interface  3-4
    Data Interfaces  3-4
    L4 Traffic Monitor Interfaces  3-5
    Example Deployment  3-5
    Deploying the Web Proxy in Explicit Forward Mode  3-6
    Configuring Client Applications  3-7
    Connecting Appliance Interfaces  3-7
    Testing an Explicit Forward Configuration  3-7
    Deploying the Web Proxy in Transparent Mode  3-7
    Connecting Appliance Interfaces  3-8
    Connecting the Appliance to a WCCP Router  3-8
    Configuring the Web Security Appliance  3-9
    Configuring the WCCP Router  3-9
    Example WCCP Configurations  3-11
    Example 1  3-11
    Example 2  3-12
    Example 3  3-14
    Working with Multiple Appliances and Routers  3-15
    Using the Web Security Appliance in an Existing Proxy Environment  3-15
    Transparent Upstream Proxy  3-15
    Explicit Forward Upstream Proxy  3-16
    Deploying the L4 Traffic Monitor  3-16
    Connecting the L4 Traffic Monitor  3-17
    Configuring an L4 Traffic Monitor Wiring Type  3-18
    Physical Dimensions  3-18

CHAPTER 4  Installation and Configuration  4-1
    Before You Begin  4-1
    Connecting a Laptop to the Appliance  4-2
    Connecting the Appliance to the Network  4-2
    Gathering Setup Information  4-4
    DNS Support  4-6
    System Setup Wizard  4-6
    Accessing the System Setup Wizard  4-8
    Step 1. Start  4-8
    Step 2. Network  4-9
    Step 3. Security  4-22
    Step 4. Review  4-26

CHAPTER 5  Web Proxy Services  5-1
    About Web Proxy Services  5-1
    Web Proxy Cache  5-2
    Configuring the Web Proxy  5-3
    Working with FTP Connections  5-8
    Using Authentication with Native FTP  5-9
    Working with Native FTP in Transparent Mode  5-10
    Configuring FTP Proxy Settings  5-11
    Bypassing the Web Proxy  5-15
    How the Proxy Bypass List Works  5-17
    Using WCCP with the Proxy Bypass List  5-18
    Bypassing Application Scanning  5-18
    Proxy Usage Agreement  5-18
    Configuring Client Applications to Use the Web Proxy  5-19
    Working with PAC Files  5-19
    PAC File Format  5-21
    Creating a PAC File for Remote Users  5-22
    Specifying the PAC File in Browsers  5-22
    Entering the PAC File Location  5-22
    Detecting the PAC File Location Automatically  5-23
    Adding PAC Files to the Web Security Appliance  5-24
    Specifying the PAC File URL  5-25
    Uploading PAC Files to the Appliance  5-28
    Understanding WPAD Compatibility with Netscape and Firefox  5-29
    Advanced Proxy Configuration  5-30
    Authentication Options  5-32
    Caching Options  5-39
    DNS Options  5-42
    EUN Options  5-44
    NATIVEFTP Options  5-44
    FTPOVERHTTP Options  5-47
    HTTPS Options  5-48
    Scanning Options  5-49
    WCCP Options  5-49
    Miscellaneous Options  5-50

CHAPTER 6  Working with Policies  6-1
    Working with Policies Overview  6-1
    Policy Types  6-3
    Identities  6-3
    Decryption Policies  6-4
    Routing Policies  6-4
    Access Policies  6-4
    IronPort Data Security Policies  6-5
    External DLP Policies  6-5
    Outbound Malware Scanning Policies  6-6
    SaaS Application Authentication Policies  6-6
    Working with Policy Groups  6-6
    Creating Policy Groups  6-7
    Using the Policies Tables  6-7
    Policy Group Membership  6-10
    Authenticating Users versus Authorizing Users  6-10
    Working with Failed Authentication and Authorization  6-11
    Working with All Identities  6-12
    Policy Group Membership Rules and Guidelines  6-12
    Working with Time Based Policies  6-13
    Creating Time Ranges  6-14
    Working with User Agent Based Policies  6-16
    Configuring User Agents for Policy Group Membership  6-16
    Exempting User Agents from Authentication  6-18
    Tracing Policies  6-18

CHAPTER 7  Identities  7-1
    Identities Overview  7-1
    Evaluating Identity Group Membership  7-2
    Understanding How Authentication Affects Identity Groups  7-4
    Understanding How Authentication Affects HTTPS and FTP over HTTP Requests  7-6
    Understanding How Authentication Scheme Affects Identity Groups  7-9
    Matching Client Requests to Identity Groups  7-10
    Allowing Guest Access to Users Who Fail Authentication  7-13
    Identifying Users Transparently  7-16
    Understanding Transparent User Identification  7-17
    Rules and Guidelines  7-18
    Configuring Transparent User Identification  7-19
    Creating Identities  7-20
    Configuring Identities in Other Policy Groups  7-28
    Example Identity Policies Tables  7-31
    Example 1  7-31
    Example 2  7-33

CHAPTER 8  Access Policies  8-1
    Access Policies Overview  8-1
    Access Policy Groups  8-2
    Understanding the Monitor Action  8-3
    Evaluating Access Policy Group Membership  8-4
    Matching Client Requests to Access Policy Groups  8-5
    Creating Access Policies  8-7
    Controlling HTTP and Native FTP Traffic  8-11
    Protocols and User Agents  8-14
    URL Categories  8-15
    Applications  8-15
    Object Blocking  8-16
    Web Reputation and Anti-Malware  8-17
    Blocking Specific Applications and Protocols  8-18
    Blocking on Port 80  8-18
    Policy: Protocols and User Agents  8-18
    Policy: URL Categories  8-20
    Policy: Objects  8-21
    Blocking on Ports Other Than 80  8-21

CHAPTER 9  Working with External Proxies  9-1
    Working with External Proxies Overview  9-1
    Routing Traffic to Upstream Proxies  9-2
    Adding External Proxy Information  9-3
    Evaluating Routing Policy Group Membership  9-5
    Matching Client Requests to Routing Policy Groups  9-6
    Creating Routing Policies  9-8

CHAPTER 10  Decryption Policies  10-1
    Decryption Policies Overview  10-1
    Decryption Policy Groups  10-3
    Personally Identifiable Information Disclosure  10-4
    Understanding the Monitor Action  10-5
    Digital Cryptography Terms  10-6
    HTTPS Basics  10-8
    SSL Handshake  10-9
    Digital Certificates  10-9