Cisco IronPort AsyncOS 7.1 for Web User Guide November, 2010 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-23207-01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco IronPort AsyncOS 7.1 for Web User Guide © 2010 Cisco Systems, Inc. All rights reserved. CONTENTS CHAPTER 1 Getting Started with the Web Security Appliance 1-1 What’s New in This Release 1-1 New Feature: Web Reporting and Web Tracking 1-2 New Feature: Centralized Reporting 1-2 New Feature: Anonymized Usernames on Reporting Pages 1-3 Enhanced: Reports 1-3 What’s New in Version 7.0 1-3 New Feature: Cisco AnyConnect Secure Mobility 1-3 New Feature: Application Visibility and Control 1-4 New Feature: Safe Search and Site Content Rating Enforcement 1-5 New Feature: Bandwidth Control for Streaming Media 1-5 New Feature: HTTP Instant Messaging Controls 1-6 New Feature: SaaS Access Control 1-6 New Feature: Sophos Anti-Virus Scanning 1-7 New Feature: Transparent User Identification for Novell eDirectory 1-7 New Feature: Outbound Malware Scanning 1-7 New Feature: Application Scanning Bypass 1-8 New Feature: Allow User One Login at a Time 1-8 New Feature: WBRS Threat Details 1-9 New Feature: What’s New In This Release 1-9 Enhanced: Per Identity Authentication Settings 1-9 Enhanced: PAC File Hosting 1-9 Enhanced: Reports 1-10 Enhanced: Advancedproxyconfig CLI Command 1-10 Cisco IronPort AsyncOS 7.1 for Web User Guide OL-23207-01 iii Contents Enhanced: Logging 1-10 How to Use This Guide 1-11 Before You Begin 1-11 Typographic Conventions 1-12 Where to Find More Information 1-13 Documentation Set 1-13 IronPort Technical Training 1-13 Knowledge Base 1-13 Cisco Support Community 1-14 Cisco IronPort Customer Support 1-15 Third Party Contributors 1-15 IronPort Welcomes Your Comments 1-15 Web Security Appliance Overview 1-16 CHAPTER 2 Using the Web Security Appliance 2-1 How the Web Security Appliance Works 2-1 Web Proxy 2-1 The L4 Traffic Monitor 2-2 Administering the Web Security Appliance 2-2 System Setup Wizard 2-3 Accessing the Web Security Appliance 2-3 Using the Command Line Interface (CLI) 2-4 Using an Ethernet Connection 2-4 Using a Serial Connection 2-5 The SenderBase Network 2-5 Sharing Data 2-6 Reporting and Logging 2-6 Navigating the Web Security Appliance Web Interface 2-7 Logging In 2-9 Cisco IronPort AsyncOS 7.1 for Web User Guide iv OL-23207-01 Contents Browser Requirements 2-10 Support Languages 2-10 Reporting Tab 2-11 Web Security Manager Tab 2-11 Security Services Tab 2-12 Network Tab 2-13 System Administration Tab 2-13 Committing and Clearing Changes 2-14 Committing and Clearing Changes in the Web Interface 2-14 Committing Changes 2-15 Clearing Changes 2-15 Committing and Clearing Changes in the CLI 2-16 CHAPTER 3 Deployment 3-1 Deployment Overview 3-1 Preparing for Deployment 3-2 Appliance Interfaces 3-3 Management Interface 3-4 Data Interfaces 3-4 L4 Traffic Monitor Interfaces 3-5 Example Deployment 3-5 Deploying the Web Proxy in Explicit Forward Mode 3-6 Configuring Client Applications 3-7 Connecting Appliance Interfaces 3-7 Testing an Explicit Forward Configuration 3-7 Deploying the Web Proxy in Transparent Mode 3-7 Connecting Appliance Interfaces 3-8 Connecting the Appliance to a WCCP Router 3-8 Configuring the Web Security Appliance 3-9 Cisco IronPort AsyncOS 7.1 for Web User Guide OL-23207-01 v Contents Configuring the WCCP Router 3-9 Example WCCP Configurations 3-11 Example 1 3-11 Example 2 3-12 Example 3 3-14 Working with Multiple Appliances and Routers 3-15 Using the Web Security Appliance in an Existing Proxy Environment 3-15 Transparent Upstream Proxy 3-15 Explicit Forward Upstream Proxy 3-16 Deploying the L4 Traffic Monitor 3-16 Connecting the L4 Traffic Monitor 3-17 Configuring an L4 Traffic Monitor Wiring Type 3-18 Physical Dimensions 3-18 CHAPTER 4 Installation and Configuration 4-1 Before You Begin 4-1 Connecting a Laptop to the Appliance 4-2 Connecting the Appliance to the Network 4-2 Gathering Setup Information 4-4 DNS Support 4-6 System Setup Wizard 4-6 Accessing the System Setup Wizard 4-8 Step 1. Start 4-8 Step 2. Network 4-9 Step 3. Security 4-22 Step 4. Review 4-26 CHAPTER 5 Web Proxy Services 5-1 About Web Proxy Services 5-1 Cisco IronPort AsyncOS 7.1 for Web User Guide vi OL-23207-01 Contents Web Proxy Cache 5-2 Configuring the Web Proxy 5-3 Working with FTP Connections 5-8 Using Authentication with Native FTP 5-9 Working with Native FTP in Transparent Mode 5-10 Configuring FTP Proxy Settings 5-11 Bypassing the Web Proxy 5-15 How the Proxy Bypass List Works 5-17 Using WCCP with the Proxy Bypass List 5-18 Bypassing Application Scanning 5-18 Proxy Usage Agreement 5-18 Configuring Client Applications to Use the Web Proxy 5-19 Working with PAC Files 5-19 PAC File Format 5-21 Creating a PAC File for Remote Users 5-22 Specifying the PAC File in Browsers 5-22 Entering the PAC File Location 5-22 Detecting the PAC File Location Automatically 5-23 Adding PAC Files to the Web Security Appliance 5-24 Specifying the PAC File URL 5-25 Uploading PAC Files to the Appliance 5-28 Understanding WPAD Compatibility with Netscape and Firefox 5-29 Advanced Proxy Configuration 5-30 Authentication Options 5-32 Caching Options 5-39 DNS Options 5-42 EUN Options 5-44 NATIVEFTP Options 5-44 FTPOVERHTTP Options 5-47 Cisco IronPort AsyncOS 7.1 for Web User Guide OL-23207-01 vii Contents HTTPS Options 5-48 Scanning Options 5-49 WCCP Options 5-49 Miscellaneous Options 5-50 CHAPTER 6 Working with Policies 6-1 Working with Policies Overview 6-1 Policy Types 6-3 Identities 6-3 Decryption Policies 6-4 Routing Policies 6-4 Access Policies 6-4 IronPort Data Security Policies 6-5 External DLP Policies 6-5 Outbound Malware Scanning Policies 6-6 SaaS Application Authentication
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages824 Page
-
File Size-