
Web Security Using Cisco WSA

Technology Design Guide


August 2014 Series
Table of Contents
Preface.........................................................................................................................................1

CVD Navigator..............................................................................................................................2
Use Cases................................................................................................................................... 2
Scope.......................................................................................................................................... 2
Proficiency................................................................................................................................... 2

Introduction..................................................................................................................................3
Technology Use Case.................................................................................................................. 3
Use Case: Manage the Safe Use of Web-based and Social Networking Applications
with an On-premise Security Appliance.................................................................................. 3
Design Overview.......................................................................................................................... 4

Deployment Details ......................................................................................................................6


Configuring Cisco WSA........................................................................................................... 8
High Availability and Resilience.............................................................................................. 27
Additional Information................................................................................................................. 38
Monitoring ............................................................................................................................ 38
Troubleshooting .................................................................................................................... 38
Summary .............................................................................................................................. 38

Appendix A: Product List............................................................................................................39

Appendix B: Changes.................................................................................................................41

Preface
Cisco Validated Designs (CVDs) present systems that are based on common use cases or engineering priorities.
CVDs incorporate a broad set of technologies, features, and applications that address customer needs. Cisco
engineers have comprehensively tested and documented each design in order to ensure faster, more reliable,
and fully predictable deployment.

CVDs include two guide types that provide tested design details:
• Technology design guides provide deployment details, information about validated products and
software, and best practices for specific types of technology.
• Solution design guides integrate existing CVDs but also include product features and functionality
across Cisco products and sometimes include information about third-party integration.

Both CVD types provide a tested starting point for Cisco partners or customers to begin designing and deploying
systems.

CVD Foundation Series


This CVD Foundation guide is a part of the August 2014 Series. As Cisco develops a CVD Foundation series,
the guides themselves are tested together, in the same network lab. This approach assures that the guides in a
series are fully compatible with one another. Each series describes a lab-validated, complete system.

The CVD Foundation series incorporates wired and wireless LAN, WAN, data center, security, and network
management technologies. Using the CVD Foundation simplifies system integration, allowing you to select
solutions that solve an organization’s problems—without worrying about the technical complexity.

To ensure the compatibility of designs in the CVD Foundation, you should use guides that belong to the same
release. For the most recent CVD Foundation guides, please visit the CVD Foundation web site.

Comments and Questions


If you would like to comment on a guide or ask questions, please use the feedback form.

Preface August 2014 Series


1
CVD Navigator
The CVD Navigator helps you determine the applicability of this guide by summarizing its key elements: the use cases, the
scope or breadth of the technology covered, the proficiency or experience recommended, and CVDs related to this guide.
This section is a quick reference only. For more details, see the Introduction.

Use Cases
This guide addresses the following technology use cases:
• Manage the Safe Use of Web-Based and Social Networking Applications with an On-premise Security Appliance—All web traffic from the primary-site and remote-site networks accesses the Internet through a centralized Cisco Adaptive Security Appliance (ASA) firewall. Cisco Web Security Appliance (WSA) complements the deep packet inspection and stateful filtering capabilities of the firewall by providing additional web security using a dedicated on-premises appliance.

For more information, see the "Use Cases" section in this guide.

Scope
This guide covers the following areas of technology and products:
• Cisco ASA 5500-X Series Adaptive Security Appliances for Internet edge firewall security
• Cisco Web Security Appliance for granular control over all web content that is accessed
• Integration of the above with the LAN switching infrastructure

For more information, see the "Design Overview" section in this guide.

Proficiency
This guide is for people with the following technical proficiencies—or equivalent experience:
• CCNA Routing and Switching—1 to 3 years installing, configuring, and maintaining routed and switched networks
• CCNA Security—1 to 3 years installing, monitoring, and troubleshooting network devices to maintain integrity, confidentiality, and availability of data and devices

Related CVD Guides
• Firewall and IPS Technology Design Guide
• Cloud Web Security Using Cisco ASA Technology Design Guide
• Remote Mobile Access Technology Design Guide

To view the related CVD guides, click the titles or visit the CVD Foundation web site.

Introduction
Technology Use Case
Web access is a requirement for the day-to-day functions of most organizations. The challenge is maintaining
appropriate web access for everyone in the organization while minimizing unacceptable or risky use. A solution is
needed to control policy-based web access to ensure employees work effectively and confirm that personal web
activity does not waste bandwidth, affect productivity, or expose the organization to undue risk.

One risk associated with Internet access for the organization is the pervasive threat that exists from accessing
sites and content. As the monetary gain from malicious activities on the Internet has grown, the methods used
to carry out these malicious and/or illegal activities have grown and become more sophisticated. Botnets,
one of the greatest threats that exist on the Internet today, are malicious Internet servers (mostly web servers)
being used to host content that then attacks innocent users’ browsers as they view the content. These types
of attacks have been used very successfully by “bot herders” to gather millions of infected members that are
subject to the whims of the people who now control their machines. Other threats include the still popular
and very broad threats of viruses and trojans, in which a user receives a file in some manner and is tricked into
running it, and the file then executes malicious code. The third variant uses directed attacks over the network.
Examples of these attacks are the Internet worms that gathered so much attention in the early to mid-2000s.

Use Case: Manage the Safe Use of Web-based and Social Networking Applications
with an On-premise Security Appliance
All web traffic from the primary site and any remote-site networks accesses the Internet through a centralized
Cisco ASA firewall. Cisco Web Security Appliance (WSA) complements the deep packet inspection and stateful
filtering capabilities of the firewall by providing additional web security using a dedicated on-premises appliance.

This design guide enables the following security capabilities:


• Transparent redirection of user web traffic—Through the seamless integration with the Cisco ASA
firewall, web traffic is transparently redirected to Cisco WSA service. No configuration changes are
required on user devices.
• Web filtering—Cisco WSA supports filters based on predefined content categories, as well as custom
categories. The filtering rules can be configured to block, monitor or warn based on the specific web
usage policies of an organization.
• Malware protection—Cisco WSA analyzes every web request to determine if content is malicious.
Cisco WSA updates its malware protection policies by using the Cisco Security Intelligence Operations
(SIO), which is designed to help organizations secure business applications and processes through
identification, prevention, and remediation of threats.
• Differentiated policies—Policies for Cisco WSA are applied on a per-group basis. Group membership is
determined by identity, which can include authenticated user information or the source IP address of the
web request.

Design Overview
Cisco Web Security Appliance (WSA) addresses the need for a corporate web security policy by offering a
combination of web usage controls with category and reputation-based control, malware filtering, and data
protection.

Figure 1 - Web security deployment

Browsing websites can be risky, and many websites inadvertently end up distributing compromised or malicious
content as a result of inattention to update requirements or lax security configurations. The websites that serve the
compromised and malicious content are constantly changing as human-operated and worm-infested computers
scan the Internet in search of additional web servers that they can infect in order to continue propagating. This
dynamic environment introduces significant challenges to maintain up-to-date Internet threat profiles.

The Cisco WSA family is a web proxy that works with other Cisco network components such as firewalls, routers,
or switches in order to monitor and control web content requests from within the organization. It also scrubs the
return traffic for malicious content.

Figure 2 - Logical traffic flow using Cisco WSA

Cisco WSA is connected by one interface to the inside network of the Cisco Adaptive Security Appliance (ASA).
In the Internet edge design, Cisco WSA connects to the same LAN switch as the Cisco ASA appliance and on
the same VLAN as the inside interface of the appliance. Cisco ASA redirects HTTP and HTTPS connections to
Cisco WSA by using the Web Cache Communication Protocol (WCCP).

Cisco WSA uses several mechanisms to apply web security and content control. Cisco WSA begins with basic
URL-filtering with predefined, category-based web usage controls. These controls are based on an active
database that includes analysis of sites in 190 countries and over 50 languages. Content is filtered by the
reputation database. The Cisco Security Intelligence Operations updates the reputation database every five
minutes. These updates contain threat information gleaned from multiple Internet-based resources, as well as
content reputation information obtained from customers with Cisco security appliances that choose to participate
in the Cisco SenderBase network. If no details of the website or its content are known, Cisco WSA applies
dynamic content analysis to determine the nature of the content in real time, and findings are fed back to the
SenderBase repository if the customer has elected to participate.

Cisco WSA uses an on-premise appliance for web security that is similar in function to Cisco Cloud Web Security
(CWS), which is a cloud-based method of implementing web security. This guide is focused on the deployment
of Cisco WSA.
Cisco WSA inspects the content for remote-access VPN connected users in both the integrated (seen in Figure
3 on the left) and standalone (seen in Figure 3 on the right) deployment models as described in the Remote
Access VPN Technology Design Guide.

Figure 3 - Web security for remote-access VPN

Deployment Details
How to Read Commands

This guide uses the following conventions for commands that you enter at the command-line interface (CLI).

Commands to enter at a CLI prompt:
configure terminal

Commands that specify a value for a variable:
ntp server 10.10.48.17

Commands with variables that you must define:
class-map [highest class name]

Commands at a CLI or script prompt:
Router# enable

Long commands that line wrap are underlined. Enter them as one command:
police rate 10000 pps burst 10000 packets conform-action

Noteworthy parts of system output (or of device configuration files) are highlighted:
interface Vlan64
ip address 10.5.204.5 255.255.255.0

The first step to planning the Cisco WSA deployment is to determine how to redirect web traffic to the appliance.
There are two possible methods to accomplish the redirection of traffic to Cisco WSA: transparent proxy mode
and explicit proxy mode.

In a transparent proxy deployment, a WCCP v2-capable network device redirects all TCP traffic with a
destination of port 80 or 443 to Cisco WSA, without any configuration on the client. The transparent proxy
deployment is used in this design guide, and the Cisco ASA firewall is used to redirect traffic to the appliance
because all of the outbound web traffic passes through the device and is generally managed by the same
operations staff who manage the Cisco WSA.

In an explicit proxy deployment, a client application, such as a web browser, is configured to use an HTTP
proxy, such as Cisco WSA. From an application support standpoint, this method introduces the least amount of
complications, as the proxy-aware applications know about and work with Cisco WSA directly to provide the
requested content. However, from a deployment standpoint, the explicit proxy method presents challenges as
to how the administrator configures every client in the organization with the Cisco WSA proxy settings and how
they configure devices not under the organization’s control. Web Proxy Auto-Discovery and proxy automatic
configuration scripts, along with other tools, such as Microsoft Group and System policy controls within Microsoft
Active Directory, make deploying this method simpler, but a discussion of those tools is beyond the scope of this
guide.

It is possible to use both options—explicit proxy and transparent proxy—at the same time on a single Cisco WSA
appliance. Explicit proxy is also a good way to test the Cisco WSA configuration, as explicit proxy mode does not
depend on anything else in the network to function.

The next step in planning a Cisco WSA deployment is to determine what type of physical topology you are going
to use. Cisco WSA has multiple interfaces and can be configured in different ways. In the Internet edge designs,
Cisco WSA is deployed using a single interface for both proxy and management traffic.

Figure 4 - Internet Edge Topology for Cisco Validated Designs

[Figure: Internet edge topology. Elements shown: Internet, Internet routers, RA-VPN firewall, guest wireless LAN controller, DMZ switch, Web Security Appliance, DMZ servers, Email Security Appliance, VPN WAN aggregation, WAN routers, remote-site wireless LAN controllers, WAAS, and the link to the core.]

A single Cisco WSA appliance was deployed in the Internet edge design to support up to 5,000 users. For
those who need either additional performance or resilience, a simple upgrade solution is possible by adding
an additional appliance. When deployed in high availability mode, the two appliances load-share the outgoing
connections. If one device fails, the load is moved to the other appliance. It is possible that network performance
could be degraded if one device is handling the load that was designed for two, but Internet web access remains
available and protected.

Configuring Cisco WSA

Process:
1. Configure DNS entries
2. Configure the distribution switch
3. Connect to the Cisco WSA
4. Configure management access to the Cisco WSA
5. Configure DNS entry for WSA
6. Complete the System Setup Wizard
7. Install system updates
8. Install the feature keys
9. Update web usage controls and test
10. Enable logging
11. Create custom URL categories
12. Configure access policies
13. Configure WCCP on Cisco WSA
14. Configure WCCP on the firewall
15. Configure default tunnel gateway
16. Set up HTTPS proxy
17. Configure authentication

Before you begin the Cisco WSA deployment, you need to configure the DNS.

Procedure 1 Configure DNS entries

Prepare for the following configuration procedures by creating the DNS records that are required for
communication. The DNS address (A) record provides a Fully Qualified Domain Name (FQDN) to IP addressing
mapping and the DNS pointer record (PTR) provides an IP to FQDN mapping, also known as a reverse lookup.

Configure your internal DNS server to advertise the records listed in Table 1.

Table 1 - Example DNS A and PTR records (Internal DNS)

Fully-Qualified Domain Name    IP Address
ie-wsa-s100v.cisco.local       10.4.24.15
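The A and PTR pair in Table 1 must agree in both directions, and a stale PTR record is an easy mistake to carry into later procedures. The following added example (not part of the guide) generates the two resource records from the table and checks forward/reverse consistency; the resolver functions are injected, so the check runs offline against a table or live via the host's DNS, and the BIND-style output format is an assumption of the example.

```python
import ipaddress
import socket

# Constructed sample input: the single record from Table 1 of the guide.
RECORDS = {"ie-wsa-s100v.cisco.local": "10.4.24.15"}


def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address (e.g. 15.24.4.10.in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def zone_lines(records):
    """Emit BIND-style A and PTR resource records for every FQDN/IP pair."""
    lines = []
    for fqdn, ip in records.items():
        lines.append(f"{fqdn}. IN A {ip}")
        lines.append(f"{ptr_name(ip)}. IN PTR {fqdn}.")
    return lines


def check_consistency(records, resolve_a, resolve_ptr):
    """Verify that forward (A) and reverse (PTR) lookups agree for each record.

    The resolver callables are injected so the same check runs offline against a
    table or live against DNS (see live_resolvers). Returns a list of readable
    problems; an empty list means every record is consistent.
    """
    problems = []
    for fqdn, ip in records.items():
        got_ip = resolve_a(fqdn)
        if got_ip != ip:
            problems.append(f"A {fqdn}: expected {ip}, got {got_ip}")
        got_name = resolve_ptr(ip)
        # DNS names are case-insensitive; the trailing dot is presentation only.
        if (got_name or "").lower().rstrip(".") != fqdn.lower():
            problems.append(f"PTR {ip}: expected {fqdn}, got {got_name}")
    return problems


def live_resolvers():
    """Resolver pair backed by the host's real DNS configuration."""
    def resolve_a(fqdn):
        try:
            return socket.gethostbyname(fqdn)
        except OSError:
            return None

    def resolve_ptr(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None

    return resolve_a, resolve_ptr


if __name__ == "__main__":
    for line in zone_lines(RECORDS):
        print(line)
    for problem in check_consistency(RECORDS, *live_resolvers()):
        print("PROBLEM:", problem)
```

Run it from a client on the internal network after the records are published; any PROBLEM line means the appliance will be reachable by IP but name-based checks later in the deployment may fail.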

Procedure 2 Configure the distribution switch

The LAN distribution switch is the path to the organization’s internal network. As configured in the Firewall and
IPS Technology Design Guide, a unique VLAN supports the Internet edge devices and the routing protocol peers
with the appliances across this network.

Reader Tip

Before you continue, ensure that the distribution switch has been configured following
the guidance in the Campus Wired LAN Technology Design Guide.

Option 1: Switch connection to physical WSA

Step 1:  Configure the interfaces that are connected to the distribution switch.
interface GigabitEthernet1/0/22
description WSAs100v M1 Management interface
switchport access vlan 300
switchport host
macro apply EgressQoS
logging event link-status
no shutdown

Option 2: Switch connection to virtual WSA (vWSA) within a VMware ESXi server

Step 1:  Configure the interface(s) connected to the server.


interface GigabitEthernet1/4/20
description IE-C220M3-2 port 2
switchport
switchport access vlan 300
switchport mode access
logging event link-status
macro description EgressQoSOneGig
service-policy type lan-queuing output 1P3Q8T
no shutdown

Procedure 3 Connect to the Cisco WSA

Option 1: Stand-alone, physical Cisco WSA

Step 1:  Connect a standard null modem cable, with the terminal emulator settings of 8-1-none-9600 baud, to
the appliance’s serial console port.

Option 2: Cisco vWSA on VMware ESXi

Step 1:  Using vSphere, right-click on the server name of the vWSA and select Open Console.

Tech Tip

The default username is admin, and the default password is ironport.

Procedure 4 Configure management access to the Cisco WSA

ironport.example.com> interfaceconfig

Currently configured interfaces:


1. Management (192.168.42.42/24 on Management: ironport.example.com)

Choose the operation you want to perform:


- NEW - Create a new interface.
- EDIT - Modify an interface.
- DELETE - Remove an interface.
[]>EDIT

Enter the number of the interface you wish to edit.


[]> 1

IP Address (Ex: 192.168.1.2):


[192.168.42.42]> 10.4.24.15

Netmask (Ex: "255.255.255.0" or "0xffffff00"):


[255.255.255.0]> 255.255.255.224
Would you like to configure an IPv6 address for this interface (y/n)? [N]> N
Hostname:
[ironport.example.com]> WSAs100v.cisco.local
Do you want to enable FTP on this interface? [Y]> y
Which port do you want to use for FTP?
[21]> 21

Do you want to enable SSH on this interface? [Y]> y


Which port do you want to use for SSH?
[22]> 22

Do you want to enable HTTP on this interface? [Y]> y


Which port do you want to use for HTTP?
[8080]> 8080

Do you want to enable HTTPS on this interface? [Y]> y

Which port do you want to use for HTTPS?
[8443]> 8443

You have not entered an HTTPS certificate. To assure privacy, run "certconfig"
first. You may use the demo, but this will not be secure.
Do you really wish to use a demo certificate? [Y]> y

Both HTTP and HTTPS are enabled for this interface, should HTTP requests redirect
to the secure service? [Y]> y
The interface you edited might be the one you are currently logged into. Are you
sure you want to change it? [Y]> y

Currently configured interfaces:


1. Management (10.4.24.15/27 on Management: WSAs100v.cisco.local)

Choose the operation you want to perform:


- NEW - Create a new interface.
- EDIT - Modify an interface.
- DELETE - Remove an interface.
[]> <Return>

Tech Tip

The appliance console displays the following message, which corresponds to the
default IP address of the Cisco WSA appliance:
Please run System Setup Wizard at http://192.168.42.42:8080

Do not connect to the GUI at this address.

ironport.example.com> setgateway

Warning: setting an incorrect default gateway may cause the current
connection to be interrupted when the changes are committed.
Set the default gateway for:
1. IPv4
2. IPv6

Enter new default gateway:


[ ]> 10.4.24.1

ironport.example.com> commit

Please enter some comments describing your changes:


[]> initial setup
Changes committed: Thu Dec 06 23:31:13 2012 GMT

After you configure Cisco WSA, it should be able to ping devices on the network, assuming appropriate network
access has been created (on the firewall, if needed). The following output is a capture of Cisco WSA pinging its
default gateway:
WSA.cisco.local> ping 10.4.24.1
Press Ctrl-C to stop.
PING 10.4.24.1 (10.4.24.1): 56 data bytes
64 bytes from 10.4.24.1: icmp_seq=0 ttl=255 time=0.497 ms
64 bytes from 10.4.24.1: icmp_seq=1 ttl=255 time=9.387 ms
64 bytes from 10.4.24.1: icmp_seq=2 ttl=255 time=0.491 ms
^C

Procedure 5 Configure DNS entry for WSA

Step 1:  Prepare for the following configuration procedures by creating the DNS record required for
communication with the WSA. The DNS address (A) record provides a Fully Qualified Domain Name (FQDN) to
IP addressing mapping and the DNS pointer record (PTR) provides an IP to FQDN mapping, also known as a
reverse lookup.

Configure your internal DNS server to advertise the record listed in Table 2.

Table 2 - Example DNS A and PTR Records for WSA

FQDN                        IP address
IE-WSA-s100v.cisco.local    10.4.24.15

Procedure 6 Complete the System Setup Wizard

It is recommended that you configure only the basic network settings, DNS information, time settings, and
username/password information through the System Setup Wizard, and you configure the more advanced
settings in the respective sections in the UI.

The System Setup Wizard screens and options vary by code version. Depending on the starting code version of
the appliance that you are configuring, the screens may differ from those shown below.

Step 1:  From a client on the internal network, navigate and log in to the appliance. The GUI uses HTTPS on port
8443. (Example: https://10.4.24.15:8443).

Tech Tip

The default username is admin, and the default password is ironport.

Step 2:  Log in, and then navigate to System Administration > System Setup Wizard.

Step 3:  On the Start page, read the license, click I accept, and then click Begin Setup.

Step 4:  On the System Settings page, in the Default System Hostname box, enter the appliance hostname.
(Example: IE-WSA-S100V.cisco.local)

Step 5:  Select Use these DNS Servers, and then enter the internal DNS server. (Example: 10.4.48.10).

Step 6:  In the NTP Server box, enter the internal NTP server. (Example: 10.4.48.17)

Step 7:  For the time zone, enter the following information, and then click Next:
• Region—America
• Country—United States
• Time Zone / GMT Offset—Pacific Time (Los_Angeles)

Step 8:  For the Appliance Mode of Operation, select the Standard radio button; then click Next.

Step 9:  On the Network Context page, click Next.

Step 10:  On the Network Interfaces and Wiring page, click Next. When you completed Procedure 4, “Configure
management access to the Cisco WSA,” you completed the necessary configuration for this page.

Tech Tip

In this deployment, for simplicity, M1 is used for both management and proxy services
and is the only interface used. Do not select Use M1 port for Management only. Do
not use interface P1.

Figure 5 - Appliance View of Network Interfaces

Figure 6 - Virtual WSA View of Network Interfaces

Step 11:  On the Routes for Management and Data Traffic page, click Next. When you completed Procedure 4,
“Configure management access to the Cisco WSA,” you completed the necessary configuration for this page.

Step 12:  On the Transparent Connections Settings page, click Next.

Step 13:  On the Administrative Settings page, in the Administrator Password box, enter and confirm the
administrator password.

Step 14:  In the Email system alerts to box, enter the administrator’s email address (Example: admin@cisco.local).

Step 15:  In the Send Email via SMTP Relay Host box, enter the internal mail server (Example: internal-exchange.cisco.local), and then click Next.

Tech Tip

On this page, you can also elect to participate in the Cisco SenderBase network and
select a participation level.

Step 16:  On the Security Settings page, use the default settings, and then click Next.

Step 17:  On the Review page, review the configuration, and then click Install This Configuration.

Step 18:  The virtual machine will now try to re-establish the web page using the new machine name you set in
this procedure. Check your DNS entries if it cannot connect.

Procedure 7 Install system updates

It is important to look at system upgrades for Cisco WSA before going any further. HTTP or HTTPS Internet
access for the appliance is required in order to proceed.

Tech Tip

It is not possible to downgrade software versions, so be certain that an upgrade
is desired before proceeding. It is possible that an appliance can receive different
upgrade options if it is on an early release list.

Step 1:  Navigate to System Administration > System Upgrade. The display shows the current software version.

Step 2:  Click Available Upgrades.

If newer versions are available, they should be selected and installed. In general, all upgrades should be installed.
Each upgrade usually requires a reboot of the appliance. The entire process can take some time.

Procedure 8 Install the feature keys

It is important to install the feature keys for Cisco WSA before going any further. HTTP or HTTPS Internet access
for the appliance is required in order to proceed. When installing feature keys, Cisco WSA makes a connection
to the license service and submits a query to see if it has all the features it is allowed to run. It is very likely that
after upgrading code, especially if many upgrades were applied, there will be missing feature keys.

Step 1:  Navigate to System Administration > Feature Keys.

Step 2:  Click Check for New Keys.

The figure below shows what an appliance feature key display may look like after being upgraded to the latest
version of code and then checking for updated feature keys.

Tech Tip

If the appliance is missing keys or the duration of the keys is not correct, contact a
trusted partner or Cisco reseller to resolve the issue. Have the appliance serial number
available. You can find the serial number at the top of the Feature Key page.

Procedure 9 Update web usage controls and test

Step 1:  Navigate to Security Services > Acceptable Use Controls.

Step 2:  Click Update Now, and then wait until the page reports back success.

Step 3:  Ensure that at least some of the controls have an update that is current or very nearly so.

Tech Tip

Due to randomness of update schedules, it is impossible to know when updates
will come out for each component. The Web Categories Prefix Filters and the Web
Categories List are updated fairly often and show recent update histories.

Step 4:  Set up a client on the inside of the network with Cisco WSA as the explicit proxy in the web browser of
their choice. Use the IP address of the appliance as the proxy, and then set the port to 3128.

Step 5:  Test two different addresses, as follows:
• One address should be resolvable externally, for instance www.cisco.com, which should return without issue.
This proves the client has Internet access but does not prove the connection is going through Cisco WSA.
• The other address should be something not resolvable externally. This request should return an error
from Cisco WSA, not from the browser, proving that Cisco WSA is serving the content.
Cisco WSA returns an error like that shown below:
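The two-address test in Step 5 can be scripted so it is repeatable after every configuration change. The following added example (not code from the guide) sends both requests through the explicit proxy with Python's urllib and applies the guide's logic: with an explicit proxy, name resolution happens on the proxy, so an unresolvable host comes back as an HTTP error page from Cisco WSA, whereas a client that is not talking to the proxy fails before any HTTP response exists. The proxy address 10.4.24.15:3128 is the guide's example; the unresolvable host name is a constructed placeholder in the reserved .invalid domain.

```python
import urllib.error
import urllib.request

WSA_PROXY = "http://10.4.24.15:3128"           # appliance IP and explicit-proxy port from the guide
EXTERNAL_URL = "http://www.cisco.com/"          # externally resolvable address from Step 5
BOGUS_URL = "http://nonexistent-host.invalid/"  # constructed; .invalid never resolves


def fetch_via_proxy(url, proxy, timeout=10):
    """Request url through an explicit HTTP proxy.

    Returns ("http", status) when any HTTP response came back (the proxy's own
    error page counts), or ("fail", reason) when no HTTP response was obtained
    at all (DNS failure on the client, connection refused, timeout).
    """
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ("http", resp.status)
    except urllib.error.HTTPError as err:
        return ("http", err.code)          # error page served by the proxy (or origin)
    except urllib.error.URLError as err:
        return ("fail", str(err.reason))   # nothing HTTP-shaped came back


def interpret(external_result, bogus_result):
    """Apply the guide's two-address reasoning to the two outcomes."""
    internet_ok = external_result[0] == "http" and external_result[1] < 400
    # An HTTP error page for a name that cannot exist means a proxy answered;
    # a client resolving the name itself would fail without any HTTP response.
    served_by_wsa = bogus_result[0] == "http"
    return {"internet_access": internet_ok, "served_by_wsa": served_by_wsa}


def run_check(proxy=WSA_PROXY):
    """Perform both requests and return the interpreted verdict."""
    ext = fetch_via_proxy(EXTERNAL_URL, proxy)
    bogus = fetch_via_proxy(BOGUS_URL, proxy)
    verdict = interpret(ext, bogus)
    verdict["raw"] = {"external": ext, "bogus": bogus}
    return verdict


if __name__ == "__main__":
    print(run_check())
```

If both flags come back False, the client cannot reach the proxy port at all (wrong address, VLAN, or firewall rule); internet_access True with served_by_wsa False means the request bypassed the appliance.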

If the web request is not directed to Cisco WSA, your web browser returns an error. An example with the
Firefox browser returns an error like that shown below:

Procedure 10 Enable logging

To monitor web usage, the appliance stores client access data for a relatively short duration and rotates
logs for space reasons. Users who need long-term compliance reporting should look into the Cisco solution
that comes as part of the Cisco Content Security Management Appliance. This guide does not cover the
installation or use of the Cisco Content Security Management Appliance.

For the reporting product to work, Cisco WSA needs to send its logs to an FTP server where the reporting
device can access them. For this deployment, it is assumed that an FTP server is already deployed and
configured. The following configuration moves the access logs off of Cisco WSA and onto an FTP server.
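Once the access logs land on the FTP server they are plain text and easy to triage without the reporting appliance. The following added example (not part of the guide) parses lines in the squid-style layout of the WSA access log and tallies block, warn, and default decisions per client and per host. The sample lines are constructed for this example, and the decision-tag prefixes (BLOCK_, WARN_, DEFAULT_) and field positions are assumptions about the default log format rather than values copied from an appliance.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the squid-style layout of the WSA access log:
# timestamp elapsed client-IP result/status bytes method URL user hierarchy/server
# MIME-type ACL-decision-tag. Hosts and decision tags are illustrative.
SAMPLE_LOG = """\
1407859200.101 45 10.4.100.23 TCP_MISS/200 8187 GET http://www.cisco.com/ - DIRECT/www.cisco.com text/html DEFAULT_CASE_12-DefaultGroup-Identity
1407859201.250 3 10.4.100.23 TCP_DENIED/403 1234 GET http://casino.example/ - NONE/- text/html BLOCK_WEBCAT_12-DefaultGroup-Identity
1407859203.998 60 10.4.100.41 TCP_MISS/200 5120 GET http://scores.sports.example/live - DIRECT/scores.sports.example text/html WARN_WEBCAT_12-DefaultGroup-Identity
1407859204.300 2 10.4.100.41 TCP_DENIED/403 1234 GET http://block.com/ - NONE/- text/html BLOCK_WEBCAT_12-DefaultGroup-Identity
1407859210.000 20 10.4.100.23 TCP_DENIED/403 1300 GET http://casino.example/promo - NONE/- text/html BLOCK_WEBCAT_12-DefaultGroup-Identity
"""


def parse_line(line):
    """Split one access-log line into the fields the triage needs; None if malformed."""
    fields = line.split()
    if len(fields) < 11:
        return None
    result, _, status = fields[3].partition("/")
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "result": result,                      # e.g. TCP_MISS, TCP_DENIED
        "status": int(status),                 # HTTP status the client received
        "url": fields[6],
        "host": urlsplit(fields[6]).hostname,
        "user": fields[7],                     # "-" when no authentication is configured
        "action": fields[10].split("_", 1)[0], # BLOCK / WARN / DEFAULT / ...
    }


def summarize(text):
    """Count decisions overall, blocks per client, and blocked hosts."""
    actions, blocks_per_client, blocked_hosts = Counter(), Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        actions[rec["action"]] += 1
        if rec["action"] == "BLOCK":
            blocks_per_client[rec["client"]] += 1
            blocked_hosts[rec["host"]] += 1
    return {
        "actions": dict(actions),
        "blocks_per_client": dict(blocks_per_client),
        "blocked_hosts": dict(blocked_hosts),
    }


def repeat_blockers(text, threshold=2):
    """Clients that hit a block decision at least `threshold` times: a simple triage signal
    for a misconfigured policy or a host that keeps retrying a blocked site."""
    counts = summarize(text)["blocks_per_client"]
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("repeat blockers:", repeat_blockers(SAMPLE_LOG))
```

Point the script at a rotated log file pulled from the FTP server (read it and pass the text to summarize) to get the same counts for a real day of traffic.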

Step 1:  Navigate to System Administration > Log Subscriptions, and then click Add Log Subscription.

Step 2:  On the New Log Subscription page, add the new logging information, click Submit, and then click
Commit Changes.

Step 3:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Procedure 11 Create custom URL categories

Next, you set up standard custom URL categories that most administrators find they need to implement for their
desired URL filtering.

Step 1:  Navigate to Web Security Manager > Custom URL Categories, and then click Add Custom Category.

You create four placeholder categories for different action exceptions.

Step 2:  In the Edit Custom URL Category pane, in the Category Name box, enter Block List.

Step 3:  In the Sites box, enter a placeholder URL (Example: block.com), and then click Submit.

Tech Tip

A placeholder URL (block.com) has to be entered because it is not possible to create
a category and have it be empty. In the future, when a URL is found that needs to be
blocked, add it to the list, and then delete the placeholder.

Step 4:  Create three more lists by repeating Step 1 through Step 3. In the Category Name box, name the new
lists Monitor List, Warn List, and Allow List. The List Order value increments with each new category; use the
suggested value.

This creates an ordered list of custom categories.

Step 5:  Click Commit Changes.

Step 6:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Procedure 12 Configure access policies

Now that you have created the custom URL categories, you need to enable them for use and define actions for
each.

Step 1:  Navigate to Web Security Manager > Access Policies, and then under URL Filtering, click the link.

Step 2:  Click Select Custom Categories. The custom categories created in the previous procedure appear.

Step 3:  For each custom URL category, in the Setting Selection list, choose Include in Policy, and then click
Apply.

Step 4:  On the Access Policies: URL Filtering: Global Policy page, click in the appropriate boxes in order to
change the action of the category to correspond with its name. (Example: Block should be the action for the
Block List category, and Monitor should be the action for the Monitor List category.)

Step 5:  Click Submit.

Additionally, on the Access Policies page, the organization’s web-acceptable use policy can be implemented.
This policy can include the category of the URL (adult, sports, or streaming media), the actions desired (monitor,
warn, or block), as well as whether a time-based factor is involved.

Step 6:  On the Access Policies page, under URL Filtering, click the link.

Step 7:  For testing purposes, next to Gambling select Block, next to Sports and Recreation select Warn, and
then click Submit. You may need to scroll to see all predefined URL categories.

Step 8:  Click Commit Changes.

Step 9:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Step 10:  Using a browser explicitly pointing to the appliance, browse to a well-known gambling site. Cisco WSA
should intercept the request and return its block notification page instead of the site.

Procedure 13 Configure WCCP on Cisco WSA

Now that Cisco WSA is working and applying an access policy for HTTP traffic, you can implement WCCP on the
appliance and on the firewall. With WCCP, the firewall redirects web traffic to the Cisco WSA appliance
transparently, instead of requiring every browser to be configured to use Cisco WSA as an explicit proxy.

Step 1:  Navigate to Network > Transparent Redirection, and then click Edit Device.

Step 2:  In the Type list, choose WCCP v2 Router, and then click Submit.

Step 3:  In the Transparent Redirection pane, under WCCPv2 Services, click Add Service.

Step 4:  In the WCCP v2 Service pane, ensure the Service Profile Name is HTTP_and_HTTPS_WCCP.

Step 5:  In the Service section, in the Dynamic service ID box, enter 90. This number identifies the service
group; the Cisco ASA is configured with the same number so that it redirects the matching traffic to this service.

Step 6:  In the Port numbers box, enter 80, 443. In this policy, redirect ports are HTTP and HTTPS.

Step 7:  In the Router IP Addresses box, enter the IP address of the inside interface of your firewall (Example:
10.4.24.30) and then click Submit.

Tech Tip

HTTPS proxy has not yet been set up on Cisco WSA, so if WCCP redirect were to
be initiated for HTTPS immediately, those connections would fail. If the Cisco WSA or
Cisco ASA deployment is live and operational and cannot have downtime, create an
additional policy for just HTTP temporarily. After configuring the HTTPS policy on the
Cisco WSA, change the policy used on Cisco ASA to instead reference the HTTP and
HTTPS policy.

Step 8:  If you want to create an HTTP-only policy, repeat Step 3 through Step 7 using the following information:
• Service Profile Name—Standard_HTTP_Only_WCCP
• Service—Standard Service ID
• Router IP Addresses—10.4.24.30

After completion, the WCCP services panel should look like the following figure.

Step 9:  Click Commit Changes.

Step 10:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Procedure 14 Configure WCCP on the firewall

The WCCP policy configured redirects all HTTP and HTTPS traffic to Cisco WSA. This includes any traffic from
the inside network to the DMZ web servers and any device management traffic that uses HTTP or HTTPS. There
is no need to send this traffic to Cisco WSA. To keep it from being redirected, you create an access control
list (ACL) on the firewall that excludes HTTP and HTTPS traffic destined to RFC 1918 addresses. Traffic that
matches a deny entry in this redirect list is forwarded by the firewall without inspection by Cisco WSA, so
limit the deny entries to internal destinations.

Reader Tip

This procedure assumes that the Internet edge firewall has already been configured
following the guidance in Firewall and IPS Design Guide.

Step 1:  From a client on the internal network, navigate to the firewall’s inside IP address, and then launch the
Cisco ASA Security Device Manager (ASDM). (Example: https://10.4.24.30)

Step 2:  Navigate to Configuration > Device Management > Advanced > WCCP > Service Groups, and then
click Add.

Step 3:  If you are configuring an HTTP and HTTPS policy, on the Add Service Group dialog box, select Dynamic
Service Number, and then enter the value of 90 that was configured as a service ID in Procedure 13, Step 5.

If you are configuring an HTTP-only policy, select Web Cache.

Step 4:  On the Add Service Group dialog box, next to Redirect List, click Manage.

Step 5:  In the ACL Manager window, click Add.

Step 6:  Click Add ACL.

Step 7:  On the Add ACL dialog box, in the ACL Name box, enter WCCP_Redirect_List, and then click OK.

Step 8:  Repeat Step 9 through Step 16 for each entry in Table 3.

Table 3 - Access control entries for WCCP redirect

Action | Source | Destination    | Service | Description                   | Logging
Deny   | any4   | 10.0.0.0/8     | IP      | Block RFC-1918 10.0.0.0/8     | Enabled / Default Level
Deny   | any4   | 172.16.0.0/12  | IP      | Block RFC-1918 172.16.0.0/12  | Enabled / Default Level
Deny   | any4   | 192.168.0.0/16 | IP      | Block RFC-1918 192.168.0.0/16 | Enabled / Default Level
Permit | any4   | any4           | IP      | Permit all others             | Enabled / Default Level

Step 9:  In ACL Manager window, select the WCCP_Redirect_List ACL, click Add, and then click Add ACE.

Step 10:  For the Action option, select the action. (Example: deny)

Step 11:  In the Source box, choose the source. (Example: any4)

Step 12:  In the Destination box, choose the destination. (Example: 10.0.0.0/8)

Step 13:  In the Service box, enter the service. (Example: ip)

Step 14:  In the Description box, enter a useful description. (Example: Block RFC-1918 10.0.0.0/8)

Step 15:  Select or clear Enable Logging. (Example: Selected)

Step 16:  In the Logging Level list, choose the logging level value, and then click OK. (Example: Default)

Step 17:  After adding all of the ACEs listed in Table 3, click OK.

Step 18:  On the Add Service Group dialog box, in the Redirect List list, choose the ACL created above
(Example: WCCP_Redirect_List), and then click OK.

Step 19:  On the Service Groups pane, click Apply.

Step 20:  Navigate to Configuration > Device Management > Advanced > WCCP > Redirection, and then click
Add.

Step 21:  If you are configuring an HTTP and HTTPS policy, on the Add WCCP Redirection dialog box, in the
Interface list, choose inside, in the Service Group list, choose 90, and then click OK.

If you are configuring an HTTP-only policy, in the Interface list, choose inside, in the Service Group list, choose
web-cache, and then click OK.

Step 22:  On the Redirection pane, click Apply.

Step 23:  If you want to test the configuration, use a browser that is not already configured to go to the appliance
as an explicit proxy (or remove the explicit proxy settings), and test to the following sites:
• A resolvable allowed address, such as www.cisco.com
• A resolvable blocked address (from one of the previously configured Blocked categories)

Next, in Cisco ASDM, you check that WCCP redirection is working.

Step 24:  Navigate to Monitoring > Properties > WCCP > Service Groups.

The status window should show a router ID equal to the highest IP address configured on the firewall (the
WCCP router), and the number of cache engines should be 1, which is the Cisco WSA appliance. If things are
working correctly and redirections are occurring, the Total Packets Redirected counter increases.

High Availability and Resilience


For availability purposes, if Cisco WSA fails, it stops sending its periodic WCCP announcements to the firewall,
and by default the firewall stops redirecting traffic to Cisco WSA and forwards web traffic directly. Note that
this fails open: while the appliance is down, web policy is not enforced. If web security resilience is a
requirement, two or more Cisco WSAs can be deployed. To deploy multiple devices, configure each Cisco WSA with
the same WCCP service ID and the same router IP address; the firewall then distributes redirected traffic across
the registered cache engines. If one goes down, the firewall takes it out of the service group until it comes
back online and resumes announcing itself over WCCP.

Procedure 15 Configure default tunnel gateway

This procedure is required when using the integrated deployment model for firewall and remote-access VPN.
If you are using the standalone deployment model, the default tunnel gateway is already configured; skip to
Procedure 16, “Set up HTTPS proxy.”

Cisco WSA must inspect traffic from remote-access VPN clients to and from the Internet. To accomplish this, all
traffic to and from the VPN clients must be routed toward the LAN distribution switch, regardless of the traffic’s
destination, so that the Cisco ASA appliance can properly redirect the traffic to the Cisco WSA appliance.

Step 1:  From a client on the internal network, navigate to the firewall’s inside IP address, and then launch Cisco
ASA Security Device Manager. (Example: https://10.4.24.30)

Step 2:  In Configuration > Device Setup > Routing > Static Routes, click Add.

Step 3:  On the Add Static Route dialog box, configure the following values, and then click OK.
• Interface—inside
• Network—any4
• Gateway IP—10.4.24.1
• Options—Tunneled (Default tunnel gateway for VPN traffic)

Step 4:  Verify the configuration, and then click Apply.
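The Cisco ASA side of Procedures 14 and 15, as the equivalent running-configuration lines, is shown here as an added example; these lines are not from the guide or from a Cisco-supplied template. The interface name, addresses, service numbers and ACL name are the ones used in the procedures above. The WCCP password is optional and <shared-secret> is a placeholder; using it assumes you also enable the matching service password on the Cisco WSA WCCP service definition from Procedure 13. Comments explain what each line does and how to verify the result from the CLI.

```cisco
! Procedure 14, Steps 5-17: redirect list. In a WCCP redirect-list a deny entry
! means "forward normally, do not send to the WSA"; permit means "redirect".
! The log keyword enables logging at the default (informational) level, as in Table 3.
access-list WCCP_Redirect_List extended deny ip any4 10.0.0.0 255.0.0.0 log
access-list WCCP_Redirect_List extended deny ip any4 172.16.0.0 255.240.0.0 log
access-list WCCP_Redirect_List extended deny ip any4 192.168.0.0 255.255.0.0 log
access-list WCCP_Redirect_List extended permit ip any4 any4 log
!
! Procedure 14, Step 3: service group. Dynamic service 90 is the HTTP-and-HTTPS
! service defined on the WSA in Procedure 13; web-cache (standard service 0) is the
! interim HTTP-only service. The optional password (placeholder <shared-secret>)
! authenticates the WSA's WCCP registration with the same secret entered on the WSA,
! so that another host on the inside network cannot register itself as a cache engine
! and receive the redirected web traffic.
wccp 90 redirect-list WCCP_Redirect_List password <shared-secret>
! Interim HTTP-only alternative:
! wccp web-cache redirect-list WCCP_Redirect_List password <shared-secret>
!
! Procedure 14, Step 21: redirect traffic entering the inside interface to service 90.
wccp interface inside 90 redirect in
! If the interim HTTP-only service was used instead, Procedure 16, Steps 25-27
! replace it with service 90:
! wccp interface inside web-cache redirect in
! no wccp interface inside web-cache redirect in
!
! Procedure 15, Step 3: default tunnel gateway so that remote-access VPN traffic is
! forwarded to the LAN distribution switch and arrives on the inside interface, where
! WCCP redirection applies. Only one tunneled default route can be defined.
route inside 0.0.0.0 0.0.0.0 10.4.24.1 tunneled
!
! Procedure 14, Step 24 verification from the CLI (read-only show commands):
! show wccp                            -> router ID, number of cache engines, packets redirected
! show wccp 90 detail                  -> per-WSA state within service group 90
! show access-list WCCP_Redirect_List  -> hit counts per ACE
```

If `show wccp` reports zero cache engines after the WSA is configured, check that the WSA lists the firewall's inside address (10.4.24.30) as its router IP, that the service ID and password match on both sides, and that nothing between the two devices filters WCCP (UDP 2048).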

Procedure 16 Set up HTTPS proxy

To set up Cisco WSA to proxy HTTPS connections, start by enabling the feature.

Step 1:  On the Cisco WSA appliance, navigate to Security Services > HTTPS Proxy, and then click Enable and
Edit Settings.

Step 2:  On the HTTPS Proxy License Agreement page, click Accept.

Tech Tip

You need to generate a certificate for Cisco WSA to use on the client side of the
proxy connection. Because Cisco WSA signs a new certificate for every decrypted site,
this must be a certificate-authority certificate together with its private key, not an
ordinary server certificate. Generating a self-signed certificate causes the client
browser to warn about the certificate for each connection to an HTTPS website. To avoid
this, upload a subordinate CA certificate and key issued by the organization's trusted
certificate authority. If the clients already trust that root, the HTTPS proxy does not
generate errors related to an unknown certificate authority. Protect the signing key
accordingly: anyone holding it can issue certificates that those clients accept for any
site.

Step 3:  On the Edit HTTPS Proxy Settings page, in the Root Certificate for Signing section, select Use
Generated Certificate and Key, and then click Generate New Certificate and Key.

Step 4:  In the Generate Certificate and Key dialog box, enter values relevant to your organization, and then click
Generate.

Step 5:  In the Invalid Certificate Handling section, define the action that Cisco WSA should take when it
encounters an invalid certificate on the HTTPS server. The choices, depending on the certificate error, are to
drop the connection, decrypt it, or monitor it. This example uses the default setting of Monitor for all errors.
Monitor is the permissive choice; for production, consider Drop for errors such as an untrusted issuer or a
mismatched hostname, because those are the errors an interception attack produces.

Step 6:  When you are finished editing, click Submit, and then click Commit Changes.

Step 7:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Reader Tip

For more information about using certificates as part of the Cisco WSA HTTPS proxy
mechanism, see the Cisco WSA End-User Guides at http://www.cisco.com/en/US/
products/ps10164/products_user_guide_list.html, or consult a trusted partner or Cisco
sales representative.

Next, you configure policies for the HTTPS proxy.

Step 8:  Navigate to Web Security Manager > Custom URL Categories, and then click Add Custom Category.

You create three placeholder categories for different action exceptions.

Step 9:  In the Edit Custom URL Category pane, in the category name box, enter Drop List.

Step 10:  In the Sites box, enter a placeholder URL (Example: drop.com), and then click Submit.

Step 11:  Repeat Step 9 and Step 10 to create two more custom categories. For the category names, enter
Decrypt List and Pass Through List, and then click Commit Changes.

Step 12:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Step 13:  Navigate to Web Security Manager > Decryption Policies.

Step 14:  Under the URL Filtering box, click the link.

Step 15:  On the Decryption Policies: URL Categories: Global Policy page, click Select Custom Categories.

Step 16:  In the Select Custom Categories for this Policy window, for each of the three new custom categories, in
the Setting Selection list, choose Include in policy, and then click Apply.

Step 17:  On the Decryption Policies: URL Filtering: Global Policy page, change the action of the category to
correspond with its name, (Example: Drop should be the action for the Drop List category) and then click Submit.

Step 18:  Click Commit Changes.

Step 19:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Step 20:  Navigate to Web Security Manager > Decryption Policies.

Step 21:  Under the URL Filtering box, click the link.

The predefined URL categories at the bottom of the page allow an administrator to create and enforce a policy
around how Cisco WSA handles decryption for specific types of websites. Some organizations have strict policies
about not decrypting certain sites, such as health care or financial websites. The categories on this page allow
an administrator to enforce that policy on the appliance. For example, it is possible to configure Cisco WSA so
that financial HTTPS websites are set to Pass Through, so their TLS sessions are relayed without decryption and
therefore without inspection of their content, while gambling sites are set to Drop.

Step 22:  Change the action for Gambling to Drop, and change the action for Finance to Pass Through, and then
click Submit.

Step 23:  Click Commit Changes.

Step 24:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Step 25:  If your Cisco ASA is configured to use an HTTP and HTTPS policy, skip to Step 28.

If your Cisco ASA was configured with an HTTP-only policy, you should now change to the HTTP and HTTPS
policy. On the Cisco ASA appliance, navigate to Configuration > Device Management > Advanced > WCCP >
Redirection, and then click Edit.

Step 26:  In the Edit WCCP Redirection dialog box, in the Service Group list, choose 90, and then click OK.

Step 27:  On the Redirection pane, click Apply.

Step 28:  If you want to test the new configuration, choose webpages that you know are served over HTTPS, add
their addresses to the Drop List custom URL category, and then browse to them. Because the decryption policy
applies only to HTTPS, the administrator must know that the site uses HTTPS for the test to be meaningful.
When such a site is accessed, Cisco WSA should drop the connection.

Procedure 17 Configure authentication

Authentication is the act of confirming the identity of a user. When authentication is enabled, Cisco WSA
authenticates clients on the network before allowing them to connect to a destination server. When using
authentication, it is possible to set up different web access policies by user or group membership, using a
central user directory. Another primary driver for using authentication is that of user tracking, so that when a user
violates an acceptable-use policy, Cisco WSA can match the user with the violation instead of just using an IP
address. The last reason for authentication of web sessions is for compliance reporting.

Cisco WSA supports two different authentication protocols: Lightweight Directory Access Protocol (LDAP) and
NT LAN Manager (NTLM). Because most organizations have an Active Directory server, they use NTLM. Single
Sign-On is also only available when using NTLM.

When Cisco WSA is deployed in transparent mode with authentication enabled and a transaction requires
authentication, Cisco WSA asks for authentication credentials from the client application. However, not all client
applications support authentication, so they have no way to prompt users to provide their user names and
passwords. These applications might have issues when Cisco WSA is deployed in transparent mode because
the application tries to run non-HTTP traffic over port 80 and cannot handle an attempt by Cisco WSA to
authenticate the connection.

Here is a partial list of applications that do not support authentication (these are subject to change as newer
code versions are released):
• Mozilla Thunderbird
• Adobe Acrobat Updates
• Microsoft Windows Update
• Outlook Exchange (when trying to retrieve Internet-based pictures for email messages)

If applications need to access a particular URL, then it is possible to create an identity based on a custom User
Agent category that does not require authentication. When this happens, the client application is not asked for
authentication.

For organizations that require authentication, consult a trusted Cisco Partner or reseller or your Cisco account
team. They can assist in setting up an authentication solution that meets the organization’s requirements, while
minimizing any possible complications.

The first step in setting up authentication is to build an authentication realm. A realm defines how authentication
is supposed to occur.

In this deployment, you build a realm for NTLM authentication to the Active Directory server.

Step 1:  Navigate to Network > Authentication, and then click on Add Realm.

Step 2:  In the Authentication Server Type and Scheme list, choose Active Directory.

Step 3:  Specify the Active Directory Server and the Active Directory Domain, and then click Join Domain.

Step 4:  In the Computer Account Credentials dialog box, enter the credentials of an Active Directory account
that is permitted to create computer objects in the target container (or ask an administrator to enter them),
and then click Create Account. These credentials are used only to create the appliance's computer account, so a
domain administrator account is not required; prefer an account delegated just that right.

Tech Tip

DNS must resolve the Active Directory server, and the appliance must have successfully
joined the AD domain, before you proceed.

Step 5:  On the Add Realm page, click Start Test. This tests the NTLM connection to the Active Directory
domain.

Step 6:  In the Test Authentication Realm Settings box, monitor the results.

Step 7:  When the test is completed successfully, click Submit, and then click Commit Changes.

Step 8:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

Next you configure identity groups. An identity classifies transactions by attributes of the client or of the request itself (such as source subnet or User-Agent header) and determines whether those transactions must authenticate.

Step 9:  Navigate to Web Security Manager > Identities, and then click Add Identity.

You create two different sample identities: Exempt Subnets and Exempt User Agents.

Step 10:  On the Add Identity page, in the Name box, enter Exempt Subnets.

Step 11:  In the Define Members by Subnet box, enter the subnet(s) that you want to allow to access the Internet
without authentication.

Step 12:  In the Define Members by Authentication list, choose No Authentication, and then click Submit.

Tech Tip

Performing this action defeats the purpose of running authentication for that IP
address, and log information from Cisco WSA will never have authentication data from
employees using that IP address. Even so, taking this action may be required in certain
cases and is given here as an example of how to change the operational policy of
Cisco WSA.

Step 13:  On the Identities page, click Add Identity.

Step 14:  On the Add Identity page, in the Name box, enter Exempt User Agents, and then click Advanced.

Step 15:  In the Advanced section, next to User Agents, click None Selected.

Step 16:  On the Membership by User Agent page, Under Common User Agents click Others.

Step 17:  Under Others, select Microsoft Windows Update and Adobe Acrobat Updater.

Tech Tip

Selecting these agents means that when connections over HTTP carry those User Agents
in the HTTP header, no authentication is requested. The User-Agent header is set by the
client and is trivial to spoof, so an exemption based on it alone lets any user bypass
authentication by changing the header; where possible, combine it with the URL
categories or destinations those applications actually need.

Step 18:  In the Custom User Agents box, enter any application that uses HTTP and is failing authentication, and
then click Done.

Tech Tip

If it is not possible to enter the application that is failing, then a specific custom URL
category can be built and then used in the Advanced tab for URL categories.

Step 19:  On the Identities: Add Identity page, click Submit.

Step 20:  On the Identities page, at the bottom of the Client/Transaction Identity Definitions section, click Global
Identity Policy.

This is the identity group for anybody who does not meet one of the preceding two groups you just built.
Since those groups were built for the purpose of not authenticating, change the global identity to authenticate
everybody else.

Step 21:  On the Identity Policies: Global Group page, in the Identification and Authentication list, choose
Authenticate Users.

Step 22:  In the Select a Realm or Sequence list, choose All Realms.

Step 23:  In the Select a Scheme list, choose Use NTLMSSP or Basic, and then click Submit. Basic is the fallback
for clients that cannot negotiate NTLMSSP; it sends the username and password base64-encoded, not encrypted,
over the proxied HTTP connection, so it is included here only for compatibility.

Step 24:  Click Commit Changes.

Step 25:  In the Uncommitted Changes pane, enter a comment to describe the change, and then click Commit
Changes.

It is now possible to test the deployment to ensure that the system is enforcing policy as expected, that all
applications and processes work as before, and that the data that the system is logging meets all of your needs
or requirements.

Additional Information
Monitoring
To monitor the health of Cisco WSA and the actions being taken by the appliance on traffic it is examining, there
are a variety of reports available on the Monitor tab. These reports allow an administrator to track statistics for
client web activity, malware types, web reputation filters, system status, and more.

Because the appliance itself stores data for only a limited amount of time, you need to use the Cisco Content
Security Management Appliance in order to allow for long-term storage and reporting of events from Cisco WSA.

Consult with your Cisco account team or your trusted partner for more information on the Cisco Content Security
Management Appliance and long-term reporting.

Troubleshooting
To determine why Cisco WSA took the action it did on a web connection to a specific site from a specific user,
an administrator can run the Trace tool by navigating to System Administration > Policy Trace.

By entering a URL, together with the client IP address and user name where relevant, you can find out what
response the appliance would give if it processed that request. This is especially useful when the more
advanced features are in use.

Summary
You have now installed Cisco WSA. A basic configuration has been applied, and the device can be inserted into
the network and receive redirects from the Cisco ASA. A default policy has been built that allows an organization
to set up access controls for HTTP and HTTPS. A policy has been built to configure HTTPS decryption. And
authentication has been set up to allow Cisco WSA to authenticate users and tie usernames with the access
controls in the logs.

A more detailed discussion about specific implementation of policy should be initiated with a trusted partner or
Cisco account representative.

Reader Tip

For additional Cisco WSA user documentation, see the documentation here:
http://www.cisco.com/web/ironport/index.html

Appendix A: Product List
Web Security
In the following table, to determine the part number for a Cisco Web Security Premium Subscription license, use the values
that you need for the term and quantity components of the part number. For example, if you need a license with a 1-year
term for 5300 users, the part number would be WSA-WSP-1Y-S8.

Functional Area | Product Description | Part Numbers | Software
Web Security Appliance | WSA S370 Web Security Appliance with Software | WSA-S370-K9 | AsyncOS 8.0.5-075
Web Security Virtual Appliance | Cisco Web Security Premium Subscription License | WSA-WSP-[term]-[quantity] | AsyncOS 8.0.5-075

Term Based Subscription License – 1 year term = 1Y
Term Based Subscription License – 3 year term = 3Y
Term Based Subscription License – 5 year term = 5Y
Quantity Based Subscription License – User Band S1 (100-199 Users) quantity = S1
Quantity Based Subscription License – User Band S2 (200-499 Users) quantity = S2
Quantity Based Subscription License – User Band S3 (500-999 Users) quantity = S3
Quantity Based Subscription License – User Band S4 (1000-1999 Users) quantity = S4
Quantity Based Subscription License – User Band S5 (2000-2999 Users) quantity = S5
Quantity Based Subscription License – User Band S6 (3000-3999 Users) quantity = S6
Quantity Based Subscription License – User Band S7 (4000-4999 Users) quantity = S7
Quantity Based Subscription License – User Band S8 (5000-9999 Users) quantity = S8
Quantity Based Subscription License – User Band S9 (10,000-19,999 Users) quantity = S9
Quantity Based Subscription License – User Band S10 (20,000-49,999 Users) quantity = S10
Quantity Based Subscription License – User Band S11 (50,000-99,999 Users) quantity = S11
Quantity Based Subscription License – User Band S12 (100,000-249,999 Users) quantity = S12
Quantity Based Subscription License – User Band S13 (250,000-499,999 Users) quantity = S13
Quantity Based Subscription License – User Band S14 (500,000-999,999 Users) quantity = S14
Quantity Based Subscription License – User Band S15 (More than 1,000,000 Users) quantity = S15

Appendix A: Product List August 2014 Series


39
Internet Edge
Functional Area | Product Description | Part Numbers | Software
Firewall | Cisco ASA 5545-X IPS Edition - security appliance | ASA5545-IPS-K9 | ASA 9.1(5), IPS 7.1(8p2)E4
Firewall | Cisco ASA 5525-X IPS Edition - security appliance | ASA5525-IPS-K9 | ASA 9.1(5), IPS 7.1(8p2)E4
Firewall | Cisco ASA 5515-X IPS Edition - security appliance | ASA5515-IPS-K9 | ASA 9.1(5), IPS 7.1(8p2)E4
Firewall | Cisco ASA 5512-X IPS Edition - security appliance | ASA5512-IPS-K9 | ASA 9.1(5), IPS 7.1(8p2)E4
Firewall | Cisco ASA 5512-X Security Plus license | ASA5512-SEC-PL | ASA 9.1(5), IPS 7.1(8p2)E4
Firewall Management | | | ASDM 7.1(6)

LAN Distribution Layer


Functional Area | Product Description | Part Numbers | Software
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 Series 6506-E 6-Slot Chassis | WS-C6506-E | 15.1(1)SY IP Services feature set
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 VSS Supervisor 2T with 2 ports 10GbE and PFC4 | VS-S2T-10G |
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 16-port 10GbE Fiber Module w/ DFC4 | WS-X6816-10G-2T |
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 24-port GbE SFP Fiber Module w/ DFC4 | WS-X6824-SFP-2T |
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 4-port 40GbE/16-port 10GbE Fiber Module w/ DFC4 | WS-X6904-40G-2T |
Modular Distribution Layer Virtual Switch Pair | Cisco Catalyst 6500 4-port 10GbE SFP+ adapter for WS-X6904-40G module | CVR-CFP-4SFP10G |
Modular Distribution Layer Switch | Cisco Catalyst 4500E Series 4507R+E 7-slot Chassis with 48Gbps per slot | WS-C4507R+E | 3.4.0.SG(15.1-2SG) Enterprise Services feature set
Modular Distribution Layer Switch | Cisco Catalyst 4500E Supervisor Engine 7-E, 848Gbps | WS-X45-SUP7-E |
Modular Distribution Layer Switch | Cisco Catalyst 4500E 24-port GbE SFP Fiber Module | WS-X4624-SFP-E |
Modular Distribution Layer Switch | Cisco Catalyst 4500E 12-port 10GbE SFP+ Fiber Module | WS-X4712-SFP+E |
Stackable Distribution Layer Switch | Cisco Catalyst 3750-X Series Stackable 12 GbE SFP ports | WS-C3750X-12S-E | 15.0(2)SE2 IP Services feature set
Stackable Distribution Layer Switch | Cisco Catalyst 3750-X Series Two 10GbE SFP+ and Two GbE SFP ports network module | C3KX-NM-10G |
Stackable Distribution Layer Switch | Cisco Catalyst 3750-X Series Four GbE SFP ports network module | C3KX-NM-1G |

Appendix B: Changes
This appendix summarizes the changes Cisco made to this guide since its last edition.
• We validated the deployment of Cisco WSA as a virtual appliance (vWSA).
• We upgraded Cisco WSA software to 8.0.5-075.
• We improved usability of procedures for configuring firewall policy rules

Appendix B: Changes August 2014 Series


41
Feedback

Please use the feedback form to send comments and suggestions about this guide.

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,”
WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR
A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS
SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR
DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS
DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL
ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2014 Cisco Systems, Inc. All rights reserved.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)

B-0000345-1 09/14
