Cisco WSA Versus Proxy

Hello Experts,
Can anyone tell me what the difference is between Cisco WSA and a proxy server, and which one is ideal to use?
Thanks,
Waheed

Hi Imran,
The main difference between the two is that the Cisco WSA is an appliance, or hardware, while a proxy server is software. Other features are also offered by each security solution. The best recommendation depends on what features you are looking for. Kindly email me ([email protected]) for more information so I can also provide you with the options that you have.
Hope to hear from you soon.
Regards,
Alyza

Similar Messages

  • Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP router ?

    Hello !
    I would like to use Cisco WSA as a web proxy in a transparent way (without any configuration in clients' web browsers) but I don't have a WCCP router. So, is it possible?
    If yes, how to do this?
    Thank you,
    Stephane Walker

    Hi Stephane
    The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by an access list to the WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to ensure that the proxy is listening on port 80 and that the HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well.
    Sample configuration for a Cisco router:
    access-list 110 permit tcp any any eq www
    route-map proxy-redirect permit 10
     match ip address 110
     set ip next-hop xxx.xxx.xxx.xxx
    interface ethernet0/1
     ip policy route-map proxy-redirect
    xxx.xxx.xxx.xxx is the proxy IP in this case, and access-list 110 defines web traffic (HTTP TCP/80) as interesting.
    The biggest disadvantage of such a solution is the lack of failure detection. If the proxy goes down for some reason, the router will keep redirecting the traffic, causing an internet access outage.
    Routers other than Cisco equipment should also have an option to configure policy based routing.
    /Artur
    Ps. It's not possible to place the WSA in-line between clients and the internet.
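One way to add the failure detection that plain PBR lacks, shown as an added example that is not part of the original reply. It reuses the reply's `access-list 110` and `proxy-redirect` route-map; the proxy address 192.0.2.10 and the SLA/track number 10 are constructed placeholders, and the exact IP SLA and track syntax varies between IOS releases.

```cisco
! Added example, not from the original thread.
! 192.0.2.10 stands in for the WSA proxy address (placeholder).

! Probe the proxy's listening port with a TCP connect every 10 seconds.
! "control disable" is needed because the WSA is not an IP SLA responder.
ip sla 10
 tcp-connect 192.0.2.10 80 control disable
 timeout 2000
 frequency 10
ip sla schedule 10 life forever start-time now

! Track object 10 is up only while the probe succeeds.
track 10 ip sla 10 reachability

access-list 110 permit tcp any any eq www

! Redirect to the proxy only while the tracked object is up.
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop verify-availability 192.0.2.10 1 track 10

interface ethernet0/1
 ip policy route-map proxy-redirect
```

When the tracked object goes down, the `set` clause is skipped and matching traffic follows the normal routing table, so web traffic bypasses the WSA unfiltered unless the firewall blocks direct outbound TCP/80 from client networks.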

  • Cisco WSA https inspection capability?

    Hello, 
    Does a Cisco WSA have the capability of inspecting HTTPS traffic like Internet proxy servers do?

    Yes.
    Here's a doc on how to set up the WSA, it has a section on doing HTTPS:
    https://supportforums.cisco.com/sites/default/files/attachments/discussion/sba_mid_bn_websecuritydeploymentguide-h1cy11_1.pdf

  • How to check if Cisco WSA is already blocking the malicious sites?

    How to check if Cisco WSA is already blocking the malicious sites? 

    Depends on what you mean, but in general what you did will not work.
    The usual intent of RMI is to have several processes running and all of them use one process as the repository.
    A static value is only visible in one VM instance, thus it will not be visible in another process.
    So in that situation you could check if the server socket that the RMI is using is open. But just catching the exception, presuming that you catch the correct one, is also sufficient.

  • How to create multiple sip trunks between cucm and cisco unified sip proxy

    Dear Expert,
    Is there a way to create multiple sip trunks between CUCM and Cisco Unified SIP Proxy (CUSP)? How to achieve it without creating multiple IP interfaces on the CUSP module.
    CUCM: 8.5.1.10000-9
    CUSP: 8.5.2
    Thank you,
    .wan

    Hello Michael,
    This SIP trunk is part of UCCE solution, which used between CVP, CUSP, and CUCM.
    The requirements:
    1) To have different codecs for different type of calls, as the phones are at few countries
    2) To pass different number of digits from CUSP to CUCM for different call treatments
    .wan

  • Cisco WSA S170 AsyncOS 7.5.2 LDAP group query debug

    Dear support forum members,
    I have some problems with the Cisco WSA S170 (AsyncOS 7.5.2). It looks like a bug. I have two users in my Active Directory (AD), both of them are members of the InternetGrp6 AD group, both of them are in the same organizational unit in the AD tree, but the WSA could not identify that one of them is a member of InternetGrp6.
    I understand that the WSA does this via an LDAP query to the AD controller, but I could not find a way to debug the LDAP query. This would give me the ability to find out what happened during the user group LDAP query.
    Thanks in advance!
    Best regards,
    Alexander.
    P.S. Sorry for my English.

    Hi,
    First of all I would like to thank you for assistance!
    It is a pity, but I received  "Unknown command: ldapsearch" in the SSH CLI session.
    AsyncOS 7.5.2 for Web build 304 installed.
    Best regards,
    Alexander.

  • Cisco ISE - radius proxy

    Hi,
    Is the following possible:
    - let the ISE do the authentication and then proxy to another radius server which does the authorization.
    At the moment we have a freeradius server that does the following:
    1) authenticates 802.1x requests (eap-tls)
    2) during authorization the server checks an external database that determines the vlan that should be returned (in radius attribute) based on originating switch and/or mac address.
    I am checking if I can migrate to ISE but then the above would have to work.
    For MAB I can easily do authentication/authorization on freeradius so I will proxy MAB requests to there.
    regards
    Thomas

    ISE acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD.
    FYI
    you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • Cisco WSA : What is RADIUS CLASS attribute ?

    Hello !
    I am trying to use a RADIUS server, Cisco ISE, as an external authentication server for the WSA. I would like to assign roles for groups of users but I don't understand the meaning of the RADIUS CLASS attribute. What am I supposed to write in this field?
    Thank you,
    Stéphane Walker

    The CLASS attribute is generic, in that you can put anything in it. So you get to decide what you use.
    On your RADIUS box, for the users or group that it applies to, set it to something like "WSAAdmin" for admins, "WSARO" for read only users...
    Then when you config the WSA, you set them appropriately there...
    But you can really use any string you want to, they just need to match appropriately.
    HTH, 
    Ken

  • Cisco WSA able to block TOR Browser?

    hi all,
    We have a WSA in the network as a transparent proxy.
    Is there a way for WSA to block the use of TOR Browser?
    Also, is it possible to limit torrent bandwidth too?

    Hi Guys,
    * Requiring NTLM auth in explicit proxy mode stops it cold - this is just a missing feature in TOR.
    * If you disable auth, or use Basic auth, then requiring that SSL destinations have server certs signed by known CAs will stop it. (This works regardless of the decryption reputation, as the WSA always appears to check this in explicit mode when configured.)
    * If you disable the above two methods, the "filter avoidance" URL category is only effective against the initial "find directory servers" boot-up. If we miss one, or the client has this info cached from before, the URL category is not effective.
    * Another method that would be effective would be to block all browsing by IP address; however, this has a pretty good chance of false positives.
    Notice that the above will only work if all egress ports which are not proxied are blocked. TOR will attempt to go outbound on higher ports; if you are not blocking these (e.g. on the firewall), it becomes nearly impossible to effectively block TOR.

  • IDOC versus Proxy - many standard processes

    Hello everybody,
    this topic has already been discussed quite often. Anyway, one more point:
    The situation is as follows: an SAP/R3 implementation based on ERP2004 using many standard processes. An interface to a storage system is to be implemented, so a lot of standard information like delivery, material master, goods movements and so on has to be transferred. The easy possibility would be to use the standard IDocs and expand them with some customer-specific fields and use message control to send the IDocs depending on certain process steps.
    Alternatively I could develop proxies with all the known advantages (performance, overhead etc.).
    The proxies could use BAPIs and so the development effort would be OK, but what about the processing of the proxy? Do I have to implement this manually or trigger them by a workflow event? What about reprocessing? What if a proxy message could not be executed because of professional incorrect data (for example EDI data coming from a customer has an incorrect material number, etc.)? This check can only be done by the SAP/R3 backend and not XI. IDocs could be reprocessed manually after correcting the data.
    Do any of you have some experience or a recommendation for me? Preferring IDoc with adapter?? Thank you very much!

    hi,
    >>>>Do I have to implement this manually or trigger them by a workflow-event?
    yes
    >>>This check can only be done by SAP/R3 backend and not XI. Idocs could be reprocessed manually after correcting the data.
    not true, you can do it in the XI and restart the process in the XI (we19 = test tab in rwb)
    (both are not recommended)
    BTW
    if you're using a storage system (some sort of a warehouse) then
    DWMS scenario (based on idocs) seems to be
    the best solution and it's a very well known standard
    Regards,
    michal

  • What is required for Cisco WSA SensorBase network to work ?

    Hello !
    I would like to know if the Web Security Appliance has to have a public address to receive the data collected by SensorBase network.
    Is there any additional requirements ?
    Thank you for your answers.
    Stephane Walker

    Hi Stephane,
    The WSA will somehow be connected to the Internet directly or via a firewall with your external IP address in the egress point.
    SensorBase participation is working via URL via wbnp.ironport.com:443
    Depending on your routing, you can test if your WSA can reach this URL from its interface.
    I hope this helps.
    thanks,
    Donny
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Cisco WSA : no data found in L4 traffic monitor summary

    Hello !
    Does the L4 traffic monitor only display rogue traffic? I ask because I made a packet capture on the T1 interface and I saw that there was a lot of traffic, but in the overview, no data was found in the field "L4 Traffic Monitor Summary". Is it normal? There is a screenshot in the enclosed files.
    Thank you,
    Stephane Walker

    UDP ports will not be blocked.
    The L4TM will use the T1 interface to detect traffic to destinations that are on its blacklist. Once detected, the data interface on the WSA will send a packet with the TCP reset flag to the client to prevent a TCP connection.
    I have not tested this so someone correct me if I am wrong.  I am answering this based on my understanding of the L4TM feature, and how it works.  Since UDP is connectionless, there is no connection for it to kill.
    Now this makes me wonder about the Monitor feature though.  But I am almost certain it will not block if the action is set to block.
    I'll check this out when I'm in the office and will get back to you.
    -Vance

  • Cisco Unified SIP Proxy (CUSP) - call search features

    Is there a way to make a search in CUSP based on the call fail SIP cause code (GUI or CLI based search)?
    On the current GUI, you can display the failed calls and there is a SIP cause code field but manually searching for a failed call with a specific cause code seems impossible......

    Hi Alyaza,
    So far I was not able to find the software for CUSP 9.0, and I could not find any information on whether it has any type of demo license which will allow me to test it. I even got in touch with one of the Cisco Professional Services team, and he advised me that he has never seen this version yet. I am not sure if this is a lately released version with no information yet or it's something that Cisco released then recalled. If you have any helpful information you can also send it to me directly on my email [email protected] .
    Thanks for your support,
    Wafik

  • Cisco Unified SIP Proxy CUSP 9.0 no support documents no software download

    Hello,
    I want to make a lab for UCCE 10.0 and want to add CUSP. I noticed that the version currently recommended by Cisco is 9.0, which runs virtualized. I don't want to invest in an old SRE module and 2921 router only to find the module EoL in 1-2 years. The problem is that I cannot find support documents or software for CUSP 9.0. I need to know the following:
    1- how to get the software
    2- does it use a software activated (enforced) license or just a right-to-use license
    3- if license enforced, does it have a demo license to use in lab or I have to purchase a "request per second license"
    thanks for helping,
    wafik

    Hi Alyaza,
    So far I was not able to find the software for CUSP 9.0, and I could not find any information on whether it has any type of demo license which will allow me to test it. I even got in touch with one of the Cisco Professional Services team, and he advised me that he has never seen this version yet. I am not sure if this is a lately released version with no information yet or it's something that Cisco released then recalled. If you have any helpful information you can also send it to me directly on my email [email protected] .
    Thanks for your support,
    Wafik

  • Cisco WSA VM

    Hello,
    I have a WSA VM; it is in the .vmdk file extension, but I cannot open it on my Windows Server PC. Can anyone guide me how to open the file please?
    Appreciate your help

    Duplicate posts. 
