Cisco IronPort WSA Communication Ports

Hi, can anybody please suggest the different ports the WSA uses to communicate with devices like AD using NTLM, ACS, NTP, etc.?
Regards,
Fayz

Hi,
The WSA uses the management interface to communicate with AD.
Thanks
Chris

Similar Messages

  • QoS Cisco SCE8000, Caching Cisco IronPort WSA, Loadbalancing Cisco ACE solution

    Hi all,
    Our customer is a mobile operator. They need an integrated solution for caching, QoS and load balancing in combination. From my understanding of their goals, they need to provide stable and speedy broadband access as well as a good user experience through a differentiated service offering. They need to classify IP traffic and prioritize and control content-based services for a given subscriber while transparently and dynamically redirecting and load balancing the application-level classified IP traffic to a proxy caching server regardless of protocols such as http, https, ssl, ftp, flv, mms and rstp, sip, p2p....
    Attached please find the RFP and technical specification for Caching and QoS.
    I appreciate your expertise to consult me whether I can propose for them the Cisco ACE standalone appliance or ACE engine module for 7600/6500 for loadbalancing, Cisco IronPort WSA for caching and dual Cisco SCE8000 for QoS as an integrated solution. Is this solution feasible/workable and where could I find the same reference or solution design or technical guidance on this?
    Thanks a lot and would like to hear from you at the soonest!
    Best regards,

  • Any methods to simulate Cisco IronPort WSA appliance for practice

    Similar to GNS3, on which we can simulate ASA/routers, are there any other methods to simulate the Cisco IronPort WSA appliance for practice or testing? Please let me know. Thanks.

    You can download the virtual WSA. I have not tried it so I'm not sure how it works without a license.
    http://software.cisco.com/download/release.html?mdfid=284806698&flowid=41610&softwareid=282975114&release=7.7.5&relind=AVAILABLE&rellifecycle=GD&reltype=latest

  • Does the Cisco IronPort WSA S670 support Network News Transfer Protocol?

    Hi,
    I have an issue with a customer with a Cisco IronPort WSA S670. My question is whether the WSA supports NNTP.
    Thanks
    Alex Juache

    Hi Alejandro,
    The WSA does not support NNTP.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • In Cisco IronPort WSA, what is the difference between an Access Policy and an Identity?

    Hi Everyone,
    I am currently setting up a custom access for a particular subnet.
    What I did was create a new identity for them, then allow only specific URL categories for them. Note that the subnet is already allowed to access the internet through the Global access policy.
    What will be the difference if I instead create a new Access Policy for the subnet?
    And technically, what's the difference between an Access Policy and an Identity?

    This was not my question. I asked if using the Marginal in Printing will you have a frame around the image?
    I think you're confused about which thread you are posting to.  "Wully bully" started this thread by asking about identify plates and watermarks, and I replied to Wully bully's post.
    Nevertheless, your question too about printing is best asked in the main LR forum, not here.

  • Cisco IronPort user-to-proxy connection ports

    Hi, we are using Cisco IronPort WSA in explicit mode, placed in the ASA DMZ. We are using version 7.7, which can also inspect SOCKS traffic.
    The customer needs to open ports from user to IronPort WSA through the firewall for all traffic. Please let me know which ports need to be opened from user to proxy.

    Hi Chris,
    So that means, even though SOCKS is using a random port, we need to allow only the SOCKS listening port through the firewall for all SOCKS traffic in explicit mode? Do you have any document? If possible, can you share it with me?
    Also, for all other HTTP, HTTPS and FTP traffic, the proxy will listen on the web listening port, right?

  • Cisco IronPort Certificate Issue

    Hi All,
    We have a Cisco IronPort WSA 370, version 7.5.
    We need to decrypt some HTTPS traffic. But the issue is that our corporate AD supports only 2048-bit certs, while our WSA box only supports 1024.
    I heard that AsyncOS 7.7 (new release) supports 2048-bit certs. When I checked the 7.7 guide, it's not mentioned. Can you please suggest?

    Hi Mohamed,
    There is a feature request so the WSA can generate a 2048-bit certificate, but you can upload an intermediate root signing certificate to the appliance.
    Look for "Uploading a Root Certificate and Key"
    https://www.cisco.com/en/US/docs/security/wsa/wsa7.7/User_Guide/WSA_7.7.0_UserGuide.pdf
    HTH,
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Cisco IronPort failover

    Hi all
    Can someone please assist me? I'm trying to set up two Cisco IronPort WSA devices to fail over for each other. What would I require for this to happen?
    With Thanks
    Kuda

    Hi Vince
    Yes, I had that issue using PAC files and IE9.
    I opened a case with Microsoft Tech support, and after 2 months, they said that there is an IE9 bug, and it will be considered in new patch releases. (It was 6 months ago, and I think there is no patch available yet...)
    The Microsoft solution was to use IE8 (failover works as expected)... and not upgrade to IE9...
    I didn't test it on IE10. I think the issue is the same as in IE9, but you should test it with all the patches up to date.

  • Apple iOS via Ironport WSA

    I'm hoping for some help with trying to authenticate Apple iOS devices via an Ironport S650.
    I'm authenticating devices to the corporate network successfully with NPS, however I'm frequently encountering authentication failures.
    In the authlogs I am seeing a number of messages such as:
    Tue Nov 20 14:08:14 2012 Info: PROX_AUTH : - : Login for user []\[[email protected]]@[DN6FXBA4DFJ1] failed due to [No such user]
    Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN]\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)
    Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : Login for user [DOMAIN]\[ipad]@[DN6FXBA4DFJ1] failed due to [Invalid workstation}
    I have configured the iPad to use the proxy server on port 80 and entered a valid username (iPad) and password. On launching Safari, I am repeatedly prompted for a username and password still.
    Having done a little more reading, I gather that this is just the first of many issues I may encounter. As such, I'm keen to know if anybody has successfully deployed iPads connecting to the web via an Ironport appliance and if so what you would recommend.
    Thanks,
    Neil

    Hi Neil,
    How to process Apple QuickTime (MAC/OSX) requests via Cisco Ironport Web Security
    Appliance (WSA) if NTLM authentication is required?
    Environment:
    Cisco Ironport Web Security Appliance (WSA)
    NTLM authentication using the schemes "NTLMSSP" or "Basic or NTLMSSP"
    Mac OS X 10.5 (Leopard) / Mac OS X 10.6 (Snow Leopard)
    Apple QuickTime (verified 7.6.5 / 7.6.6)
    Symptoms:
    The Mac OS X version of QuickTime fails to pass the NTLM authentication challenge and to fetch streaming
    content via WSA if either the NTLM scheme "NTLMSSP" or "Basic or NTLMSSP"
    has been selected. Executing QuickTime in embedded (browser) or standalone mode makes no difference.
    Solution:
    QuickTime for Mac OS X does not support the NTLM authentication schemes "NTLMSSP" and "Basic or NTLMSSP".
    QuickTime will establish connections once one of the following workarounds has been applied:
    (A) Disable authentication (Not recommended)
    (B) Change the global authentication scheme to NTLM "Basic (only)".
    (C) Create an authentication exception for the OSX QuickTime player using the
          custom user agent "QuickTime" or "QuickTime/VERSION" (QuickTime/7.6.6 for example).

  • Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

    Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
    Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
    How does WSA handle complex protocols (such as ftp) through the proxy server?

    We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
    We have several apps that make use of the MS firewall client.
    The MS firewall client enables HTTP-tunneling of TCP & UDP through the ISA proxy servers instead of going through firewalls.
    These apps use various ports - and there are rules set up on the ISAs specifically for these apps and their ports.
    Also we have several uses of RDP, telnet, and SSH using the firewall client to HTTP-tunnel through the proxy servers -- and these have specific ISA rules set up for them too.
    I can find HTTP-tunneling software - commercial and freeware - but can't find any that I think will work through the IronPort WSA S370 proxy servers.
    Would like to find someone who has implemented HTTP-tunneling using IronPort WSA 370 proxy servers.
    Thanks again for your input.

  • Cisco IronPort 370 to 670 Configuration Compatibility Issue

    I currently have a Cisco IronPort S360 and want to upgrade to a Cisco S670. I uploaded the configuration file of the Cisco IronPort 360 into the 760 but was unable to succeed because of an OS compatibility issue. Can anyone help me regarding how to make it compatible?
    Regards,
    Shafiq

    Hi Shafiq,
    Please open a ticket and send both of your configuration files with the ticket. The CSE will need to verify that the network interfaces are the same or modify your xml file to allow it to be successfully uploaded to the new 670.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • ACE working with IronPort WSA server farm

    We have an ACE load balancing a group of IronPort WSAs. The WSAs are working with the IP Spoofing feature, so the request to the WWW has the source IP address of the WSA client and not the WSA itself.
    We followed the document, but it is not working. When the packet coming from the Internet has the WSA client address as the destination address, the ACE cannot deliver the packet even with mac-sticky configured.
    I read in another forum that the ACE needs to have the destination IP address in its ARP table or route table to be able to deal with the packet by the encapid.
    But we don't have this entry in the ARP table.
    When we configure the WSA with IP spoofing and the source IP address is the WSA itself, the configuration works fine.
    Has anyone had this kind of problem on some occasion?
    Thank you,
    Everaldo

    Hi Jorge,
    The behavior is that when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with the Internet is not established. I captured the packets that arrive at the ACE coming from the Internet and I see SYN packets with the source address as a public IP (Google) and the destination address as the internal client IP address, with no ACK, just RST.
    With no IP Spoofing, meaning that the source IP address is the WSA, the connection is established with no RST.
    The output of the commands follows:
    show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
    Status     : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 304
      service-policy: WSA-VIPS
        class: WSA_VIP_TCP_3128
         VIP Address:                              Protocol:  Port:
         10.10.193.25                              tcp    eq   3128
          loadbalance:
            L7 loadbalance policy: WSA-POLICY
            VIP Route Metric     : 77
            VIP Route Advertise  : ENABLED-WHEN-ACTIVE
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: DISABLED
            curr conns       : 3         , hit count        : 1260
            dropped conns    : 4
            conns per second    : 0
            client pkt count : 19271     , client byte count: 2326106
            server pkt count : 26140     , server byte count: 16572023
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
            L7 Loadbalance policy : WSA-POLICY
              class/match : class-default
                LB action :
                   primary serverfarm: WSA_FARM
                        state: UP
                    backup serverfarm : -
                hit count        : 1260
                dropped conns    : 0
                compression      : off
          compression:
            bytes_in  : 0                          bytes_out : 0
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0
            Content size: 0               Content type       : 0
            Not HTTP 1.1: 0               HTTP response error: 0
            Others      : 0
    switch/WSA# show probe WSA_TCP_3128
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    switch/WSA# show probe WSA_TCP_3128 detail
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
    description :
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
       conn termination : FORCED
       expect offset    : 0         , open timeout     : 3
       expect regex     : -
       send data        : -
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 2         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 0
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Sep  3 21:06:47 2012
       Last fail time      : Mon Sep  3 20:45:05 2012
       Last active time    : Mon Sep  3 20:45:57 2012
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    Thank you,
    Everaldo

  • iPhone - Cisco Unified Mobile Communicator

    I used to have Cisco Mobile 8.0 with (Cisco Dual mode for iPhone devices) that start with TCT<username>
    Within this app, I had to configure this in the settings of the app on the iPhone
    Device ID : TCT....
    TFTP : cucm
    The Mobile 8.0 was working fine
    I can't find Mobile 8.0 on the app store anymore. I can find Cisco Unified Mobile Communicator; it seems to be the new version
    now it asks
    user
    password
    phone number
    server
    port
    And I can't make it work.. does anyone have some experience to share with this new application?

    Richard is correct. The CIMC app was used with the Cisco Unified Mobility Advantage server which has long been EoL. The app remains in the store only for customers who have this solution in production.
    Cisco Mobile 8.1 was renamed to Cisco Jabber and more recently Cisco Jabber Voice to distinguish it from the unified VoIP+IM client that is now called Cisco Jabber.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • IronPort WSA S650 Failed to acquire the server manifest

    Hello,
    I have a demo WSA S650 from Cisco and the appliance can't download the definition updates and AsyncOS updates.
    IronPort WSA S650
    According:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/eol_c51-716512.html
    The WSA is End of SW Maintenance Releases Date: December 31, 2012
    On cisco.com I can't find a new AsyncOS version for the S650 series in the download area (the section for the S650 is gone).
    When I try to update the appliance I get the error: Failed to acquire the server manifest
    From a browser I go to: http://updates.ironport.com/fetch_manifest.html
    And after I insert the serial number and version, I get the error:
    An error occurred.
    (('base', 'get_server_manifest', '851'), 'phone.base.ManifestError', 'Connection unexpectedly closed.', '[local_manifest|web_fetch_manifest|247] [local_manifest|assemble_manifest|299] [base|get_server_manifest|851]')
    I believe that this WSA doesn't have the rights to download the web filtering definition updates!

    It seems that the appliance doesn't care about the update settings.
    I have set up updates to be done via the data interface, all routes are checked and are OK, but the updates are not working.
    When I set up only one interface for management and data, the updates were done right, so I suppose that the update was done on the management interface even though I set it up to be done on the data interface.

  • End-user notification is not working for one of the uncategorized HTTPS websites on IronPort WSA

    When users try to access the URL https://cloud.skytap.com/tools/connectivity they are getting 'Internet Explorer cannot display the webpage' instead of the regular IronPort WSA end-user notification. This URL is currently uncategorized. Please advise.

    Yes, we have set it to drop all the uncategorized URLs. We do get end-user notifications for HTTP websites which are uncategorized.
    However, if any HTTPS websites are uncategorized, then we won't get the end-user notification.
