Design guides for Ironport Web Security

Hi All,
I am looking for a proxy solution for our enterprise network, and considering Ironport WebSecurity S370 appliance.
I am just curious if there are any good design guides on how to properly implement Ironport on the network.
I need best practices documents, i.e. can I place two units with one virtual IP address and so on.
Thanks!

WSAs don't cluster with a shared virtual IP; how you handle multiple WSA boxes is a function of how you're redirecting traffic to them.
     WCCP - you just add them as multiple WCCP destinations
     PAC file - you add separate entries and the browser/app figures out which one is available.
     Policy Based Routing (eg. no Cisco router) - I'm not sure, as I've never done it.
You might be able to use a load balancer, but my feeling is that gets too complicated.
I used this to set up one box using WCCP
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/H1CY11/SBA_Mid_BN_WebSecurityDeploymentGuide-H1CY11.pdf
There's a caveat when you use WCCP for 2 boxes, you need to tweak the ACL so that you don't get loops:
http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1603&p_created=1278697344&p_sid=zzjbITyk&p_accessibility=0&p_redirect=0&p_srch=1&p_lva=772&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MzA4LDMwOCZwX3Byb2RzPTAmcF9jYXRzPTAmcF9wdj0mcF9jdj0mcF9zZWFyY2hfdHlwZT1hbnN3ZXJzLnNlYXJjaF9ubCZwX3BhZ2U9MSZwX3NlYXJjaF90ZXh0PW11bHRpcGxlIFdTQQ!!&p_li=cF91c2VyaWQ9MXJvblAwcnQmcF9wYXNzd2Q9Zm8wQmE1&p_topview=1
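
A PAC file of the kind the reply above describes, as an added example that is not part of the original thread: both WSAs are listed so the browser falls back to the second when the first does not answer, and, going slightly beyond the reply, destination hosts are split between the two boxes by a simple checksum. The host names `wsa1.example.internal` and `wsa2.example.internal`, port 3128 and the `.corp.example` internal domain are assumptions.

```javascript
// Added example PAC file. Host names, port and internal domain are
// placeholders (assumptions), not values from the thread.
var WSAS = ["wsa1.example.internal:3128", "wsa2.example.internal:3128"];
var INTERNAL_SUFFIX = ".corp.example";

// Browsers supply the PAC helpers. Stand-ins are defined only when they are
// missing, so the same file can be exercised under Node before deployment.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

// Choose a primary WSA per destination host (simple checksum, so one host
// always maps to the same box), then list the other WSA as the fallback.
function proxyOrder(host) {
  var sum = 0;
  for (var i = 0; i < host.length; i++) {
    sum = (sum + host.charCodeAt(i)) % 65536;
  }
  var first = sum % WSAS.length;
  var entries = [];
  for (var j = 0; j < WSAS.length; j++) {
    entries.push("PROXY " + WSAS[(first + j) % WSAS.length]);
  }
  return entries.join("; ");
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names are fetched directly and never reach the WSAs.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // No trailing "DIRECT": if both WSAs are unreachable the request fails
  // rather than leaving the network unfiltered.
  return proxyOrder(host);
}
```

Because the list never ends in `DIRECT`, egress filtering at the firewall should still block clients that ignore the PAC file.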

Similar Messages

  • Ironport web security appliance

    Hi,
    Just want to check if the IRONPORT S series web security appliances support failover/clustering of 2 boxes.
    thanks,

    Each Cisco IronPort web security appliance can be configured as a standalone proxy or to co-exist with other proxies (such as in a proxy hierarchy for conditional routing, failover and load balancing

  • Configure 2 Ironport web security boxes in HA mode

    Hi ALL,
    I want to ask something about IronPort web security: how can I connect 2 boxes for HA? On top of that, I already have 2 core switches in HSRP.
    Regards
    Prakash

    Prakash,
    HA for WSA boxes is a function of how you get the traffic to them.  If you're using explicit proxy, you can configure the PAC file for failover, or use DNS to resolve the proxy and let the DNS determine where to send it (DNS LB).  You could also use a web load balancer...
    If you're using WCCP, you could run that on the HSRP router or set it on your firewall(s).  If it's on the router, you need to subscribe both WSAs to both routers, and make sure the access lists for the WCCP directed at one WSA don't process traffic from the other WSA.  (search the forum...)

  • Cisco IronPort Web Security 7.5 (Async OS).

    Hi All,
    Can anybody provide me the W3C sample logs of Cisco IronPort Web Security 7.5 (Async OS).
    Thanks,
    Sachin.

    "05/Oct/2012:10:17:00 +0200" 2152 NONE - 10.0.0.1 NONE 504 0 GET http://www.cisco.com/index.html - ALLOW_CUSTOMCAT_11-Intranet_Access-Intranet_Access_RD-NONE-NONE-NONE-Intranet  "Intranet"

  • Ask the Expert: Service Delivery Manager for Cloud Web Security with Alex Chan

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the recommended practices for Cisco Cloud Web Security (CWS).  Cisco Cloud Web Security (CWS) provides industry-leading security and control for the distributed enterprise, with Cisco expert Alex Chan.
    October 27, 2014 through November 7, 2014.
    Learn how users are protected everywhere and anytime, when using CWS through Cisco worldwide threat intelligence, advanced threat defense capabilities, and roaming user protection. Create a virtual space to learn and ask questions about best practice when implementing Cloud Web Security offerings for various customer requirements and environments. Alex will also answer questions about Easy ID, CWS as SAML Service Provider, Deployment Options (such as ASA, ISR, WSA, Workgroup based Connector and AnyConnect Web Security agent).
    Remember to use the rating system to let Alex know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    Cisco CWS platform is one of the Cisco products that maintain collaboration with Cisco PSIRT, and there are few security vulnerabilities related to CWS that were being monitored by PSIRT, which you can find out more about in: http://tools.cisco.com/security/center/home.x#~blog.
    Another Cisco entity known as "SenderBase" that is powered by Cisco Security Intelligence Operations (SIO) provides a view into virus threat intelligence collected from CWS cloud traffic. For more information about "SenderBase", please visit this web site: http://www.senderbase.org

  • What are the different options for implementing web security?

    Hi,
    Right now I am working on an internet website. We are using JSP for presentation and running Weblogic Application Server. I want to know different options for implementing website security. One of the options that I am aware of is to use LDAP. But we do not want to go and buy an LDAP Directory Server now. So I would really appreciate if somebody could let me know my choices here.
    Thanks in advance.

    Hi,
    If you are working on a Windows 2000 platform, the most obvious choice would be Active Directory Server as this is shipped free with Server 2000. It is LDAP compliant, although does have a few differences that set it apart from the other X500 standard based solutions which I will mention in a moment. Details on these differences can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/msdn_activedirvsnds.asp
    Other options are openldap, an open source implementation of an ldap server or iPlanet's Directory Server. If you are initially doing an evaluation, a trial version is available of the iPlanet software and can be downloaded from their site. I found this particularly easy to get to grips with and there is excellent documentation available. There is also an offering from Novell, but I have no experience of this.
    Hope this helps.
    Jon

  • Ironport Web Security self study guide

    Hi all,
    I need to prepare myself for some WSA-Projects and need some self study material.
    For the ESA I have the book 'Email Security with Ironport' (cisco press).
    But I cannot find anything of this type for the WSA.
    Does anyone have any recommendation?
    Thanks
    Christian

    Hi Christian,
    Your best source for information on the WSA is going to be the user guide based on the AsyncOS version you plan to deploy.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • Command line installation options for Ironport Email Security Plug-in

    We're getting ready to implement email encryption with our C160.  I want to deploy the Outlook plug-in to my users using SCCM.  According to the administrator guide I should be able to do this however I have downloaded the current version of the plug-in and it doesn't seem to support the command line options described in the administrator guide.  Specifically the /f1 switch (page 3-17 of admin guide) used to pass the setup.iss file doesn't work.  This command is then referenced to be used for the distribution package in SCCM.  I'm trying to use CiscoEmailSecurity-7-1-1-002.exe.
    Am I missing something?  Or has something changed in the deployment method?  Thanks for your help.

    Hi Scott,
    Can you include the exact syntax you're using?
    It should look like this:
       Start /w CiscoEmailSecurity_7-1-1-002.exe /s /v /qn /f1"J:\install_711002.iss"
    Christopher C Smith
    CSE
    Cisco IronPort Customer Support

  • Design Suggestions for Default Web Template

    I am starting to develop some web applications for 7.x and do not want to use the default BEx Web Template only because it offers so much functionality that either is too complicated for users, not needed by users, or we don't want them using.
    I am wondering how to approach this effort in developing a good default web template.  Does it make sense to use a default template since each query can be so different?
    Does anyone have any suggestions about what to include, exclude and why?  Any details about the template you designed would be greatly appreciated!
    Thanks

    Hi,
    Please refer the following URL:
    http://help.sap.com/saphelp_nw04/helpdata/en/44/b26a3b74a4fc31e10000000a114084/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/9f/281a3c9c004866e10000000a11402f/frameset.htm
    Thanks,
    Venkat

  • Design guide for integrating unigy with cisco HUCS 7.1.1 Environment

    Hi,
    I have a requirement to integrate unigy dealer board with cisco HUCS environment.  please provide if any design and  integration document is there.
    Regards,
    baskaran.M

    Fix your contact resolution to your LDAP and you'll get just that, what you're seeing right now is expected as the fact you get JID and not the friendly username, means you're not looking at LDAP.
    Right now you're also unable to dial, assuming you have softphone or deskphone control, from jabber as the DNs for the contact, are also brought over with the contact resolution from LDAP.
    Make sure you have SRVs, or manually configure the integration in jabber-config.xml.

  • Design guide for Nexus7K to support host to storage iSCSI traffic?

    Is there documentation available? I was not able to find one from Cisco site.      
    Thanks a lot          

    Hey teater, we just turned on jumbo frames globally on the 3750x and used the switch for both ISCSI (on ISCSI vlan), voice and data on the appropriate voice/data vlans. Everything worked well. Even non-jumbo frame traffic traversed the switch fine. NOTE: we had no routed path into the ISCSI vlan of a firewall or router. It existed just on the 3750x stack. That kept potential jumbo frame issues to a minimum. I'll ping the guy at that location to see how it's working these days, as I'm not there any more. Initial rollout went well though.

  • Installation guide for SAP Web Application Server

    Hi guys
    I'm new to EP. Can you tell me how to install SAP Web Application Server?
    thanks
    regards
    kamal

    hi anup
    thanks
    In this some commands are used, whether it is unix or some other os.. can you tell me some other answers also..
    Edited by: kamal_ep on Apr 7, 2009 8:12 AM

  • Ask the Expert:Cisco Web Security

    With Ryan Wager
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about design, configuration and troubleshooting of the Cisco Web Security Solutions including Cisco Ironport WSA and Cisco ScanSafe with Cisco experts Kiran Sirupa and Ryan Wager. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco IronPort Web Security Appliance product line. He also works on documentation, partner, and system engineering training. Kiran has been working in the Cisco Security Technologies group for more than six years. Ryan Wager is a technical marketing engineer at Cisco in the product management team for the ScanSafe Web Security platform. He is heavily involved with the product's integration with the Cisco Integrated Services Router Generation 2 platform, along with documentation, training, and testing of all new products and features. Before joining the product management team, Wagner spent two years as an implementation engineer helping ScanSafe's largest customers implement the platform into their networks.
    Remember to use the rating system to let Kiran and Ryan know if you have received an adequate response.  
    They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, discussion forum shortly after the event. This event lasts through October 7, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

    Yes, the IronPort WSA will support all the security functions including Anti-Virus, Anti-Malware, Anti-Spyware, Web Reputation when working in conjunction with an existing proxy.
    There are two conditions:
    1. WSA acts as an upstream proxy - In this case, the authentication will be handled by your existing proxy, but the WSA is the first layer of defense. The WSA will perform a lookup in its web reputation database based on the destination. Also, the WSA can scan the http response with Anti-Virus, Anti-SpyWare and Anti-Malware software. However, since the WSA doesn't have user authentication information, you can only apply global controls for Acceptable Use.
    2. WSA has to go through an existing upstream proxy - In this case, the WSA has all the security functionality. In addition, it also handles the authentication. Hence, you can apply role based controls.
    You may refer to the following links for more information:
    WSA Product Literature: http://www.cisco.com/en/US/products/ps10164/prod_literature.html
    Cisco Security Reports: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
    Cisco Security Intelligence Operations: http://tools.cisco.com/security/center/home.x

  • Request Sub-CA-Certificate for Ironport WSA

    How do I request a Sub-CA-Certificate for an Ironport WSA? The GUI only offers the import of the public and private certificates to run the Ironport Proxy Appliance as a subordinate CA. The Root-CA is a Standalone CA from Microsoft.
    Thanks for your help.

    Here is the solution for this question:
    The steps to use the sample inf file are:
    1. run the command: certreq.exe -new certreq.inf cacert.req
    2. submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
    3. install the certificate by running the command: certreq.exe -accept newcacer.cer
    4. export the certificate to a PFX file including the private key
    5. using openssl convert the PFX file to PEM format with the following steps:
              * extract the certificate file (the signed public key) from the pfx file:
                openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
              * extract private key from a pfx file and write it to PEM file:
                openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
              * remove the password from the private key file:
                openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
    That's all. Then you can import the Sub-CA-Cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root-CA is trusted on the client).
    Sample for the INF-File:
    [Version]
    Signature="$Windows NT$"
    [Strings]
    CACN = "Issuing CA"
    [NewRequest]
    Subject = "CN=%CACN%"
    Exportable = True
    MachineKeySet = True
    KeyLength = 2048
    KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
    KeyContainer = "%CACN%"
    [Extensions]
    2.5.29.19 = "{text}ca=1&pathlength=0"
    Critical = 2.5.29.19

  • Need DMVPN design guide

    All,
    Can anyone tell me the link to download the design guide for DMVPN. I want a design solution example of sites having dual links to the Core. Thanks

    this is one of the best links regarding DMVPN
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps6658/prod_presentation0900aecd80313ca9.pdf
    good luck
    please if helpful rate
