User Guide for Asyncos 10.1.0 for Cisco Web Security Appliances
AsyncOS 10.1 for Cisco Web Security Appliances User Guide

Published: June 1, 2017
Revised: October 19, 2017

Cisco Systems, Inc.
www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2017 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 Introduction to the Product and the Release 1-1
    Introduction to the Web Security Appliance 1-1
    What's New 1-1
        What's New in Cisco AsyncOS 10.1.1 1-2
        What's New in Cisco AsyncOS 10.1.0 1-2
        What's New in Cisco AsyncOS 10.0.0 1-3
    Related Topics 1-4
    Using the Appliance Web Interface 1-5
        Web Interface Browser Requirements 1-5
        Enabling Access to the Web Interface on Virtual Appliances 1-5
        Accessing the Appliance Web Interface 1-6
        Committing Changes in the Web Interface 1-6
        Clearing Changes in the Web Interface 1-7
    The Cisco SensorBase Network 1-7
        SensorBase Benefits and Privacy 1-7
        Enabling Participation in The Cisco SensorBase Network 1-7

CHAPTER 2 Connect, Install, and Configure 2-1
    Overview of Connect, Install, and Configure 2-1
    Deploying a Virtual Appliance 2-2
        Migrating from a Physical to a Virtual Appliance 2-2
    Comparison of Modes of Operation 2-2
    Task Overview for Connecting, Installing, and Configuring 2-5
    Connecting the Appliance 2-6
    Gathering Setup Information 2-8
    System Setup Wizard 2-10
        System Setup Wizard Reference Information 2-11
        Network / System Settings 2-11
        Network / Network Context 2-12
        Network / Cloud Connector Settings 2-12
        Network / Network Interfaces and Wiring 2-13
        Network / Layer 4 Traffic Monitor Wiring 2-13
        Network / Routes for Management and Data Traffic 2-14
        Network / Transparent Connection Settings 2-14
        Network / Administrative Settings 2-15
        Security / Security Settings 2-16
    Upstream Proxies 2-16
        Upstream Proxies Task Overview 2-17
        Creating Proxy Groups for Upstream Proxies 2-17
    Network Interfaces 2-18
        IP Address Versions 2-18
        Enabling or Changing Network Interfaces 2-19
    Configuring Failover Groups for High Availability 2-21
        Add Failover Group 2-21
        Edit High Availability Global Settings 2-22
        View Status of Failover Groups 2-22
    Using the P2 Data Interface for Web Proxy Data 2-23
        Configuring TCP/IP Traffic Routes 2-24
        Modifying the Default Route 2-25
        Adding a Route 2-25
        Saving and Loading Routing Tables 2-25
        Deleting a Route 2-25
    Configuring Transparent Redirection 2-26
        Specifying a Transparent Redirection Device 2-26
        Using An L4 Switch 2-26
        Configuring WCCP Services 2-27
    Increasing Interface Capacity Using VLANs 2-30
        Configuring and Managing VLANs 2-30
    Redirect Hostname and System Hostname 2-32
        Changing the Redirect Hostname 2-33
        Changing the System Hostname 2-33
    Configuring SMTP Relay Host Settings 2-33
        Configuring an SMTP Relay Host 2-34
    DNS Settings 2-34
        Split DNS 2-34
        Clearing the DNS Cache 2-34
        Editing DNS Settings 2-35
    Troubleshooting Connect, Install, and Configure 2-35

CHAPTER 3 Connect the Appliance to a Cisco Cloud Web Security Proxy 3-1
    How to Configure and Use Features in Cloud Connector Mode 3-1
    Deployment in Cloud Connector Mode 3-2
    Configuring the Cloud Connector 3-2
    Controlling Web Access Using Directory Groups in the Cloud 3-5
    Bypassing the Cloud Proxy Server 3-5
    Partial Support for FTP and HTTPS in Cloud Connector Mode 3-5
    Preventing Loss of Secure Data 3-6
    Viewing Group and User Names and IP Addresses 3-6
    Subscribing to Cloud Connector Logs 3-6
    Identification Profiles and Authentication with Cloud Web Security Connector 3-7
        Identifying Machines for Policy Application 3-7
        Guest Access for Unauthenticated Users 3-8

CHAPTER 4 Intercepting Web Requests 4-1
    Overview of Intercepting Web Requests 4-1
    Tasks for Intercepting Web Requests 4-2
    Best Practices for Intercepting Web Requests 4-2
    Web Proxy Options for Intercepting Web Requests 4-3
        Configuring Web Proxy Settings 4-3
        Web Proxy Cache 4-5
            Clearing the Web Proxy Cache 4-6
            Removing URLs from the Web Proxy Cache 4-6
            Specifying Domains or URLs that the Web Proxy never Caches 4-6
            Choosing The Web Proxy Cache Mode 4-7
        Web Proxy IP Spoofing 4-8
        Web Proxy Custom Headers 4-9
            Adding Custom Headers To Web Requests 4-9
        Web Proxy Bypassing 4-10
            Web Proxy Bypassing for Web Requests 4-10
            Configuring Web Proxy Bypassing for Web Requests 4-10
            Configuring Web Proxy Bypassing for Applications 4-11
        Web Proxy Usage Agreement 4-11
    Client Options for Redirecting Web Requests 4-11
    Using PAC Files with Client Applications 4-12
        Options For Publishing Proxy Auto-Config (PAC) Files 4-12
        Client Options For Finding Proxy Auto-Config (PAC) Files 4-12
        Automatic PAC File Detection 4-12
        Hosting PAC Files on the Web Security Appliance 4-12
        Specifying PAC Files in Client Applications 4-13
        Configuring a PAC File Location Manually in Clients 4-13
        Detecting the PAC File Automatically in Clients 4-14
    FTP Proxy Services 4-14
        Overview of FTP Proxy Services 4-14
        Enabling and Configuring the FTP Proxy 4-15
    SOCKS Proxy Services 4-16
        Overview of SOCKS Proxy Services 4-16
        Enabling Processing of SOCKS Traffic 4-17
        Configuring the SOCKS Proxy 4-17
        Creating SOCKS Policies 4-17
    Troubleshooting Intercepting Requests 4-18

CHAPTER 5 Acquire End-User Credentials 5-1
    Overview of Acquire End-User Credentials 5-1
    Authentication Task Overview 5-2
    Authentication Best Practices 5-2
    Authentication Planning 5-2
        Active Directory/Kerberos 5-4
        Active Directory/Basic 5-5
        Active Directory/NTLMSSP 5-6
        LDAP/Basic 5-6
        Identifying Users Transparently 5-6
            Understanding Transparent User Identification 5-7
            Rules and Guidelines for Transparent User Identification 5-9
            Configuring Transparent User Identification 5-10
            Using the CLI to Configure Advanced Transparent User Identification Settings 5-10
            Configuring Single-Sign-on 5-11
    Authentication Realms 5-11
        External Authentication 5-12
            Configuring External Authentication through an LDAP Server 5-12
            Enabling RADIUS External Authentication 5-12
        Creating an Active Directory Realm for Kerberos Authentication Scheme 5-12
        How to Create an Active Directory Authentication Realm (NTLMSSP and Basic) 5-15
            Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic) 5-15
            About Using Multiple NTLM Realms and Domains 5-15
            Creating an Active Directory Authentication Realm (NTLMSSP and Basic) 5-16
        Creating an LDAP Authentication Realm 5-17
        About Deleting Authentication Realms 5-22
        Configuring Global Authentication Settings 5-22
    Authentication Sequences 5-27
        About Authentication Sequences 5-28
        Creating Authentication Sequences 5-28
        Editing And Reordering Authentication Sequences 5-29
        Deleting Authentication