User Guide for AsyncOS 9.1 For Cisco Web Security Appliances PDF

450 Pages·2016·3.1 MB·English

Preview User Guide for AsyncOS 9.1 For Cisco Web Security Appliances

AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Published: March 14, 2016

Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

AsyncOS 9.1 for Cisco Web Security Appliances User Guide
© 2016 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 Introduction to the Product and the Release
Introduction to the Web Security Appliance
What’s New
Using the Appliance Web Interface
Web Interface Browser Requirements
Enabling Access to the Web Interface on Virtual Appliances
Accessing the Appliance Web Interface
Committing Changes in the Web Interface
Clearing Changes in the Web Interface
The Cisco SensorBase Network
SensorBase Benefits and Privacy
Enabling Participation in The Cisco SensorBase Network

CHAPTER 2 Connect, Install, and Configure
Overview of Connect, Install, and Configure
Deploying a Virtual Appliance
Migrating from a Physical to a Virtual Appliance
Task Overview for Connecting, Installing, and Configuring
Connecting the Appliance
Gathering Setup Information
System Setup Wizard
System Setup Wizard Reference Information
Network / System Settings
Network / Network Interfaces and Wiring
Network / Routes for Management and Data Traffic
Network / Transparent Connection Settings
Network / Administrative Settings
Comparison of Modes of Operation
Upstream Proxies
Upstream Proxies Task Overview
Creating Proxy Groups for Upstream Proxies
Network Interfaces
IP Address Versions
Enabling or Changing Network Interfaces
Configuring Failover Groups for High Availability
Add Failover Group
Edit High Availability Global Settings
View Status of Failover Groups
Using the P2 Data Interface for Web Proxy Data
Configuring TCP/IP Traffic Routes
Modifying the Default Route
Adding a Route
Saving and Loading Routing Tables
Deleting a Route
Configuring Transparent Redirection
Specifying a Transparent Redirection Device
Configuring WCCP Services
Increasing Interface Capacity Using VLANs
Configuring and Managing VLANs
Redirect Hostname and System Hostname
Changing the Redirect Hostname
Changing the System Hostname
Configuring SMTP Relay Host Settings
Configuring an SMTP Relay Host
DNS Settings
Split DNS
Clearing the DNS Cache
Editing DNS Settings
Troubleshooting Connect, Install, and Configure

CHAPTER 3 Connect the Appliance to a Cisco Cloud Web Security Proxy
Comparison of Cloud Connector Mode and Standard Mode
How to Configure and Use Features in Cloud Connector Mode
Deployment in Cloud Connector Mode
Configuring the Cloud Connector
Controlling Web Access Using Directory Groups in the Cloud
Bypassing the Cloud Proxy Server
Partial Support for FTP and HTTPS in Cloud Connector Mode
Preventing Loss of Secure Data
Viewing Group and User Names and IP Addresses
Subscribing to Cloud Connector Logs
Identification Profiles and Authentication with Cloud Web Security Connector
Identifying Machines for Policy Application
Guest Access for Unauthenticated Users

CHAPTER 4 Intercepting Web Requests
Overview of Intercepting Web Requests
Tasks for Intercepting Web Requests
Best Practices for Intercepting Web Requests
Web Proxy Options for Intercepting Web Requests
Configuring Web Proxy Settings
Web Proxy Cache
Clearing the Web Proxy Cache
Removing URLs from the Web Proxy Cache
Specifying Domains or URLs that the Web Proxy never Caches
Choosing The Web Proxy Cache Mode
Web Proxy IP Spoofing
Web Proxy Custom Headers
Adding Custom Headers To Web Requests
Web Proxy Bypassing
Web Proxy Bypassing for Web Requests
Configuring Web Proxy Bypassing for Web Requests
Configuring Web Proxy Bypassing for Applications
Web Proxy Usage Agreement
Client Options for Redirecting Web Requests
Troubleshooting Intercepting Requests

CHAPTER 5 Acquire End-User Credentials
Overview of Acquire End-User Credentials
Authentication Task Overview
Authentication Best Practices
Authentication Planning
Active Directory/Kerberos
Active Directory/Basic
Active Directory/NTLMSSP
LDAP/Basic
Identifying Users Transparently
Understanding Transparent User Identification
Rules and Guidelines for Transparent User Identification
Configuring Transparent User Identification
Using the CLI to Configure Advanced Transparent User Identification Settings
Configuring Single-Sign-on
Authentication Realms
External Authentication
Configuring External Authentication through an LDAP Server
Enabling RADIUS External Authentication
Creating an Active Directory Realm for Kerberos Authentication Scheme
How to Create an Active Directory Authentication Realm (NTLMSSP and Basic)
Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic)
About Using Multiple NTLM Realms and Domains
Creating an Active Directory Authentication Realm (NTLMSSP and Basic)
Creating an LDAP Authentication Realm
About Deleting Authentication Realms
Configuring Global Authentication Settings
Authentication Sequences
About Authentication Sequences
Creating Authentication Sequences
Editing And Reordering Authentication Sequences
Deleting Authentication Sequences
Failed Authentication
About Failed Authentication
Bypassing Authentication with Problematic User Agents
Bypassing Authentication
Permitting Unauthenticated Traffic While Authentication Service is Unavailable
Granting Guest Access After Failed Authentication
Define an Identification Profile that Supports Guest Access
Use an Identification Profile that Supports Guest Access in a Policy
Configure How Guest User Details are Logged
Failed Authorization: Allowing Re-Authentication with Different Credentials
About Allowing Re-Authentication with Different Credentials
Allowing Re-Authentication with Different Credentials
Tracking Identified Users
Supported Authentication Surrogates for Explicit Requests
Supported Authentication Surrogates for Transparent Requests
Tracking Re-Authenticated Users
Credentials
Tracking Credentials for Reuse During a Session
Authentication and Authorization Failures
Credential Format
Credential Encryption for Basic Authentication
About Credential Encryption for Basic Authentication
Configuring Credential Encryption
Troubleshooting Authentication

CHAPTER 6 Classify End-Users and Client Software
Overview of Classify Users and Client Software
Classify Users and Client Software: Best Practices
Identification Profile Criteria
Classifying Users and Client Software
Enable/Disable an Identity
Identification Profiles and Authentication
Troubleshooting Identification Profiles

CHAPTER 7 SaaS Access Control
Overview of SaaS Access Control
Configuring the Appliance as an Identity Provider
Using SaaS Access Control and Multiple Appliances
Creating SaaS Application Authentication Policies
Configuring End-user Access to the Single Sign-on URL

CHAPTER 8 Integrate the Cisco Identity Services Engine
Overview of the Identity Services Engine Service
About pxGrid
About the ISE Server Deployment and Failover
Identity Services Engine Certificates
Using Self-signed Certificates
Using CA-signed Certificates
Tasks for Certifying and Integrating the ISE Service
Connect to the ISE Services
Troubleshooting Identity Services Engine Problems

CHAPTER 9 Classify URLs for Policy Application
Overview of Categorizing URL Transactions
Categorization of Failed URL Transactions
Enabling the Dynamic Content Analysis Engine
Uncategorized URLs
Matching URLs to URL Categories
Reporting Uncategorized and Misclassified URLs
URL Categories Database
Configuring the URL Filtering Engine
Managing Updates to the Set of URL Categories
Understanding the Impacts of URL Category Set Updates
Effects of URL Category Set Changes on Policy Group Membership
Effects of URL Category Set Updates on Filtering Actions in Policies
Merged Categories - Examples
Controlling Updates to the URL Category Set
Manually Updating the URL Category Set
Default Settings for New and Changed Categories
Verifying Existing Settings and/or Making Changes
Receiving Alerts About Category and Policy Changes
Responding to Alerts about URL Category Set Updates
Filtering Transactions Using URL Categories
Configuring URL Filters for Access Policy Groups
Configuring URL Filters for Decryption Policy Groups
Configuring URL Filters for Data Security Policy Groups
Creating and Editing Custom URL Categories
Filtering Adult Content
Enforcing Safe Searches and Site Content Ratings
Logging Adult Content Access
Redirecting Traffic in the Access Policies
Logging and Reporting
Warning Users and Allowing Them to Continue
Configuring Settings for the End-User Filtering Warning Page
Creating Time Based URL Filters
Viewing URL Filtering Activity
Understanding Unfiltered and Uncategorized Data
URL Category Logging in Access Logs
Regular Expressions
Forming Regular Expressions
Guidelines for Avoiding Validation Failures
Regular Expression Character Table
URL Category Descriptions

CHAPTER 10 Create Policies to Control Internet Requests
Overview of Policies: Control Intercepted Internet Requests
Managing Web Requests Through Policies Task Overview
Managing Web Requests Through Policies Best Practices
Policies
Policy Types
Policy Order
Creating a Policy
Adding and Editing Secure Group Tags for a Policy
Policy Configuration
Block, Allow, or Redirect Transaction Requests
Client Applications
About Client Applications
Using Client Applications in Policies
Exempting Client Applications from Authentication
Time Ranges and Volume Quotas
Volume Quota Calculations
Time Quota Calculations
Defining Time and Volume Quotas
Access Control by URL Category
Creating Custom URL Categories
Using URL Categories to Identify Web Requests
Using URL Categories to Action Web Request
Remote Users
About Remote Users
How to Configure Identification of Remote Users
Configuring Identification of Remote Users
Display Remote User Status and Statistics for ASAs
Troubleshooting Policies

CHAPTER 11 Create Decryption Policies to Control HTTPS Traffic
Overview of Create Decryption Policies to Control HTTPS Traffic
Managing HTTPS Traffic through Decryption Policies Task Overview
Managing HTTPS Traffic through Decryption Policies Best Practices
Decryption Policies
Enabling the HTTPS Proxy
Controlling HTTPS Traffic
Configuring Decryption Options
Authentication and HTTPS Connections
Root Certificates
Managing Certificate Validation and Decryption for HTTPS
Valid Certificates
Invalid Certificate Handling
Uploading a Root Certificate and Key
Generating a Certificate and Key for the HTTPS Proxy
Configuring Invalid Certificate Handling
Options for Certificate Revocation Status Checking
Enabling Real-Time Revocation Status Checking
Trusted Root Certificates
Adding Certificates to the Trusted List
Removing Certificates from the Trusted List
Routing HTTPS Traffic
Troubleshooting Decryption/HTTPS/Certificates

CHAPTER 12 Scan Outbound Traffic for Existing Infections
Overview of Scanning Outbound Traffic
User Experience When Requests Are Blocked by the DVS Engine
Understanding Upload Requests
Criteria for Group Membership
Matching Client Requests to Outbound Malware Scanning Policy Groups
Creating Outbound Malware Scanning Policies
Controlling Upload Requests
Logging of DVS Scanning

CHAPTER 13 Configuring Security Services
Overview of Configuring Security Services
Overview of Web Reputation Filters
Web Reputation Scores
Understanding How Web Reputation Filtering Works
Web Reputation in Access Policies
Web Reputation in Decryption Policies
Web Reputation in Cisco IronPort Data Security Policies

Description:
Define an Identification Profile that Supports Guest Access 5-32 must reside on the same subnet as the Management or Data interface on which .. The shared secret, virtual IP, and failover group ID must be the same for all as the underlying protocol, including FTP over HTTP, and any other.