Cisco WSA S170 AsyncOS 7.5.2 LDAP group query debug

Dear support forum members,
     I have some problems with the Cisco WSA S170 (AsyncOS 7.5.2). It looks like a bug. I have two users in my Active Directory (AD); both of them are members of the InternetGrp6 AD group, and both of them are in the same organizational unit in the AD tree, but the WSA could not identify that one of them is a member of InternetGrp6.
     I understand that the WSA does this via an LDAP query to the AD controller, but I could not find a way to debug the LDAP query. That would give me the ability to find out what happened during the user group LDAP query.
Thanks in advance!
Best regards,
Alexander.
P.S. Sorry for my English.

Hi,
First of all I would like to thank you for assistance!
It is a pity, but I received "Unknown command: ldapsearch" in the SSH CLI session.
AsyncOS 7.5.2 for Web build 304 installed.
Best regards,
Alexander.
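Since ldapsearch is not available on the appliance itself, one way to reproduce the group-membership lookup from a workstation is shown below. This is an added example, not code from the thread or from Cisco: it builds the AD query filter with RFC 4515 escaping, compares memberOf DNs after normalizing case and spacing (a frequent reason one user "is" a member and another "is not"), and assembles the argv for OpenLDAP's ldapsearch. The group DN, base DN, host and bind DN are placeholders.

```python
import re

# Constructed placeholders, not values from the thread.
GROUP_DN = "CN=InternetGrp6,OU=Groups,DC=example,DC=local"
BASE_DN = "DC=example,DC=local"

# RFC 4515: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so a user or group name cannot change the filter's meaning."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(sam_account, group_dn=GROUP_DN):
    """Filter matching the user only if memberOf carries the group DN.
    Caveat (general AD behaviour): a user's primary group is not listed in
    memberOf, so a group that is someone's primary group is never matched here."""
    return "(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(sam_account), escape_filter_value(group_dn))


def normalize_dn(dn):
    """Lower-case and strip whitespace around unescaped commas, so
    'cn=InternetGrp6 , ou=Groups,...' compares equal to the canonical DN."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts)


def is_member(member_of, group_dn=GROUP_DN):
    """True if any DN in the user's memberOf list names the group (after normalizing)."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(dn) == target for dn in member_of)


def ldapsearch_argv(host, bind_dn, sam_account, base_dn=BASE_DN):
    """argv for OpenLDAP ldapsearch run from a workstation (not on the WSA)."""
    return ["ldapsearch", "-x", "-H", "ldap://%s" % host, "-D", bind_dn, "-W",
            "-b", base_dn, membership_filter(sam_account),
            "memberOf", "distinguishedName"]


if __name__ == "__main__":
    # Constructed memberOf values: both users are in the group, but the second
    # DN differs only in case and spacing, which a naive string compare misses.
    user_a = ["CN=InternetGrp6,OU=Groups,DC=example,DC=local"]
    user_b = ["cn=internetgrp6 , ou=Groups, dc=example, dc=local"]
    print(is_member(user_a), is_member(user_b))
    print(" ".join(ldapsearch_argv("dc1.example.local", "CN=svc,DC=example,DC=local", "alex")))
```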

Similar Messages

  • LDAP group query failure during per-recipient scanning, poss

    I am trying to figure out what this is referring to:
    LDAP group query failure during per-recipient scanning, possible LDAP misconfiguration or unreachable server
    I can still send test messages from my e-mail.
    Is it possible that a user is trying to send incorrectly..hmmm

    If you create an LDAP debug log from within the GUI, this will give you a more in-depth look into the query that is being sent to your LDAP server and, more importantly, any errors that are being returned.
    Great log for troubleshooting any LDAP related issues.

  • How to turn on a WSA S170 built in FTP server ?

    Dear support forum members,
    I configured Cisco WSA S170 and forgot to turn on the WSA built in FTP server.
    I found it when I tried to access WSA logs from the Web GUI. Maybe it is already turned on by default, but the WSA blocks access to it.
    Could you advise me how to turn the FTP server on or allow access to it from the Web GUI or CLI?
    I could not find any information about it in documentation.
    Thanks in advance!
    Best regards,
    Alexander.
    P.S. Sorry for my English

    Hi,
    Try the "ifconfig" command. When you select the interface and click on edit, it should ask you:
    Do you want to enable FTP on this interface? [Y]> 
    Do you want to enable SSH on this interface? [Y]>
    Which port do you want to use for SSH?
    [22]>...
    Regards,
    Kush

  • LDAP Group Lookup Policy

    I would like to know if it is possible to set up an inbound filter that will stop media files from being delivered unless the recipient is a member of an LDAP group.
    I don't want media files (mpeg, avi, Divx, PPS, MOV) being delivered to everyone but the members of a distribution group called Media_Access.
    Does this need to be a distribution group or a mail-enabled security group?
    We are using Active Directory.
    Thanks

    Though you could accomplish this with message filters, my vote would be for using an LDAP group query with the incoming mail policy. You can have the Media policy that checks if the recipients are members of the Media group. If recipients aren't members of the group, they will use the Default policy. This is called message splintering, by the way.
    Then, once things have splintered into their appropriate incoming mail policies, you can have incoming content filters that drop the media attachments for the default policy while the Media policy allows them through.
    Have you tried to create a policy allowing these file types and checking the recipients using an LDAP group query?
    Then, insert a policy below this (the mentioned above) not allowing these file type for non-group members.

  • How to check if Cisco WSA is already blocking the malicious sites?

    How to check if Cisco WSA is already blocking the malicious sites? 

    Depends on what you mean, but in general what you did will not work.
    The usual intent of RMI is to have several processes running and all of them use one process as the repository.
    A static value is only visible in one VM instance, thus it will not be visible in another process.
    So in that situation you could check if the server socket that the RMI is using is open. But just catching the exception, presuming that you catch the correct one, is also sufficient.

  • Cisco WSA Versus Proxy

    Hello Experts,
    Can anyone tell me what the difference is between Cisco WSA and a proxy server? And which one is ideal to use?
    Thanks,
    Waheed

    Hi Imran,
    The main difference between the two is that the Cisco WSA is an appliance, or hardware, while a proxy server is software. Other features are also offered by each security solution. The best recommendation depends on what features you are looking for. Kindly email me ([email protected]) for more information so I can also provide you with the options that you have.
    Hope to hear from you soon.
    Regards,
    Alyza

  • WSA s170 - How to block skype and download

    Hi,
    I recently changed my proxy solution from BlueCoat ProxySG to Cisco WSA, but I'm finding some difficulties operating the appliance.
      a - I can't have multiple default routes
      b - How can I block Skype traffic?
      c - How can I block downloads?
      d - No graphical interface for logging
    I hope someone here can help me, because I don't know yet if it was a good choice to change the solution that used to work like a charm.
    If someone can also point out the other good things I can do with this appliance, that would be good.
    Best regards,
    Alcides 

    It sounds like it may be best for you to reach out to the sales person that sold you this appliance. But some quick answers for you:
    a) You can go to Network > Routes. You can set routes based on destinations. What exactly are you trying to do with multiple default routes? Are you trying to get some kind of fail-over setup? If so, this cannot be done. You can contact TAC and ask that they submit a feature request for this.
    b) Skype can be blocked by the WSA, but after Skype determines that it cannot log on via port 80 or 443, it will start trying every port that ever existed until it gets access. Are you ready to block all other ports at the firewall?
    c) You can block a download by file type under Access Policies > Mime Type.
    d) There is web tracking. But if you want to view live logs in the GUI, that is not available. Consider contacting TAC and asking for a feature request as well.
    It sounds like you are very used to the BlueCoat. Different products will have different features.

  • Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP router ?

    Hello !
    I would like to use Cisco WSA as a web proxy in a transparent way (without any configuration in clients' web browsers), but I don't have a WCCP router. So, is it possible?
    If yes, how do I do this?
    Thank you,
    Stephane Walker

    Hi Stephane
    The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by an access list to the WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to ensure that the proxy is listening on port 80 and that the HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well.
    Sample configuration for a Cisco router:
    access-list 110 permit tcp any any eq www
    route-map proxy-redirect permit 10
    match ip address 110
    set ip next-hop xxx.xxx.xxx.xxx
    interface ethernet0/1
    ip policy route-map proxy-redirect
    xxx.xxx.xxx.xxx is the proxy IP in this case, and access-list 110 defines web traffic (HTTP TCP/80) as interesting.
    The biggest disadvantage of such a solution is the lack of failure detection. If the proxy goes down for some reason, the router will keep redirecting the traffic, causing an internet access outage.
    Routers from vendors other than Cisco should also have an option to configure policy-based routing.
    /Artur
    Ps. It's not possible to place the WSA in-line between clients and the internet.

  • Cisco IronPort S170 Access Logs are filling up the HDD

    We have a Cisco IronPort S170.
    The access logs have filled the HDD to 91%
    The device is taking a serious performance hit.
    It now takes 5 minutes per click if I'm lucky.
    I have accessed the device via FTP and am about to copy off all of our AccessLogs.
    Once this is completed is there a way to wipe only the accesslogs from the device?
    Via FTP the transactions seemed to be read only
    I was looking through the CLI, but wasn't sure which command to use.
    Thanks,
    Brian

    When you FTP to the device and CD to the appropriate directory path, are you not able to mdel the files? Are you accessing the appliance via FTP as an admin-level user?
    -Robert

  • Cisco WSA https inspection capability?

    Hello, 
    Does a Cisco WSA have the capability of inspecting HTTPS traffic like Internet proxy servers do?

    Yes.
    Here's a doc on how to set up the WSA; it has a section on doing HTTPS:
    https://supportforums.cisco.com/sites/default/files/attachments/discussion/sba_mid_bn_websecuritydeploymentguide-h1cy11_1.pdf

  • Problem using a group which has a space in its DN when using LDAP Group mappings in UCS 1.4

    Hey,
    We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
    Using a DN without spaces (such as "UCSAdmins"), works just fine.
    I should mention that having a base DN with spaces works just fine as well; it's just the group mappings that don't work.
    I should also mention that Cisco's "Quick guide to configuring LDAP for UCS 1.4" shows an example in which the group's DN doesn't include a space.
    Is there a workaround available which makes it possible to use a group which has a space in its name?
    Thanks,
    Dor

    Hey Roman,
    Thanks for your prompt reply.
    We've tried putting quotes using UCSM, which is not possible at all, neither for the entire entry nor for the part with spaces.
    We've also tried using the CLI ("scope security/ldap/ldap-group"), where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows it as if we had used "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
    Thanks again,
    Dor

  • CSCul66951 LDAP routing query fails when user name is the same (6 july 2014)

    In the case CSCul66951 "LDAP routing query fails when user name is the same" it is mentioned that version 8.0.2-055 corrects this bug? How come I don't see this version in the Available Upgrades menu on my IronPort C370?
    Is there someone on the support team who has tried this LDAP query on an IronPort C370 with this version in the development lab?
    Do I have to open a support case to get this version of AsyncOS?
    Best regards,
    Benoit Belair
    University of Quebec in Montreal

    Yes, CSCul66951 was included with the 8.0.1-HP1 release and is rolled into the 8.5.6-074 GA release.
    See release notes, resolved issues:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0/release_notes/ESA_8-0-1_HP1_Release_Notes.pdf
    CSCun02766 - 8.5.6-063, which was superseded by the 8.5.6-074 GA release.
    See release notes, resolved issues:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_Release_Notes.pdf

  • WLC and LDAP Groups

    Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication? I have this URL that explains local authentication and LDAP: http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml . That helps with local authentication, but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on the WLC. Any ideas?

    You are right. You need a RADIUS server overall that integrates with AD and does AD-to-RADIUS group mapping. This way authentication is allowed/denied from RADIUS, not the WLC itself.
    If the user can get a RADIUS server to achieve this, that will be great (especially if the user is using 802.1X/EAP authentication). If not, what I described about OU mapping is the only solution to get the users classified, as per what I understood from the user's requirements.
    The user is not limited to Microsoft RADIUS (IAS or NPS); any RADIUS server that supports AD group mapping can be used. With Cisco ACS, for example, this is supported as well. I am not sure if this is also supported with open-source RADIUS (openRadius, for example). But if it is, then openRadius can also be used.

  • VPN with RSA and LDAP Groups

    I'm trying to rebuild our VPN environment with a pair of 5520s. We're going to use AnyConnect mobility exclusively with SSL. No IPsec and no SSL WebVPN.
    We have a large number of contractors using the VPN to access specific internal resources, so I would like to use different IP subnets for each contractor, assigned through group policy. I don't want to have a different URL for each contractor, so I want to assign the group policy through LDAP group membership. However, primary authentication will be via RSA two-factor.
    How do I get the ASA to check group membership and hence assign the right group when primary authentication is through RSA?
    Thanks for any help.

    Yes, you can do the authentication against an RSA server and the authorization against the LDAP server.
    Please configure LDAP as an authorization server.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
    Do let me know how it goes.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Error while adding LDAP group

    Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
    To change a setting, click on the value to start the LDAP Configuration Wizard. I have replaced a few entries with XXXX and YYYY for security.
    LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
    LDAP Server Type: Novell eDirectory
    Base LDAP Distinguished Name: ou=XXXXX,dc=YY
    LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
    LDAP Referral Distinguished Name: ""
    Maximum Referral Hops: 0
    SSL Type: Server Authentication
    Server Side SSL Strength: Always accept server certificate
    Single Sign On Type: None
    When I add any new group, it is not added and I get the below error message in the logging directory for WCA.
    Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
    Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
       at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
    Can anyone help me find out if LDAP is configured correctly before adding a group?
    Thanks,

    Resolved. It was due to wrong LDAP group given to me.
    Thanks,
