Ironport WSA AV scanning

Hi Everyone.
Is there any information about the maximum file size that is scanned by the antivirus engine in the S170 and S370?
At the moment I am comparing the WSA with other vendors. Some competitors claim that IronPort does not scan all downloaded objects; it only scans objects which were downloaded from sites with a poor reputation. Even "good" sites can be infected, and such an approach can create a security hole. Some vendors have dedicated hardware where all objects are scanned.
I also found information that the WSA can work in two modes: Maximum Protection and High Performance.
I wonder what the impact on performance is when the WSA works in High Performance mode. Does anyone have any experience in that field (what the latency and user experience are like)?
Best Regards,
Piotr

The maximum scannable file size is 32 MB by default.
I have not heard of a Maximum Protection/High Performance mode. But it is true that the WSA only scans objects from neutral/poor rated websites. Your concern about good rated websites containing malware is valid. But this is configurable. Obviously it will increase overhead due to the increased scanning, of course.

Similar Messages

  • End-user notification is not working for one of the uncategorized HTTPS websites on IronPort WSA

    When users try to access the URL https://cloud.skytap.com/tools/connectivity they are getting 'Internet Explorer cannot display the webpage' instead of the regular IronPort WSA end-user notification. This URL is currently uncategorized. Please advise.

    Yes, we have set it to drop all the uncategorized URLs. We do get end-user notifications for HTTP websites which are uncategorized.
    However, for HTTPS websites which are uncategorized, we won't get an end-user notification.

  • ACE working with IronPort WSA server farm

    We have an ACE load balancing a group of IronPort WSAs. The WSAs are working with the IP Spoofing feature, so the request to the WWW has the source IP address of the WSA client and not the WSA itself.
    We followed the document below, but it is not working. When the packet coming from the Internet has the WSA client address as its destination address, the ACE cannot deliver the packet even with mac-sticky configured.
    I read in another forum that the ACE needs to have the destination IP address in its ARP table or route table to be able to deal with the packet by the encapid.
    But we don't have this entry in the ARP table.
    When we configure the WSA with IP spoofing and the source IP address is the WSA itself, the configuration works fine.
    Has anyone had this kind of problem on some occasion?
    Thank you,
    Everaldo

    Hi Jorge,
    The behavior is that when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client, but the connection with the Internet is not established. I captured the packets that arrive at the ACE coming from the Internet and I see SYN packets with the source address as a public IP (Google) and the destination address as the internal client IP address, with no ACK, just RST.
    With no IP Spoofing, meaning that the IP source address is the WSA, the connection is established with no RST.
    The output of the commands follows:
    show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
    Status     : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 304
      service-policy: WSA-VIPS
        class: WSA_VIP_TCP_3128
         VIP Address:                              Protocol:  Port:
         10.10.193.25                              tcp    eq   3128
          loadbalance:
            L7 loadbalance policy: WSA-POLICY
            VIP Route Metric     : 77
            VIP Route Advertise  : ENABLED-WHEN-ACTIVE
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: DISABLED
            curr conns       : 3         , hit count        : 1260
            dropped conns    : 4
            conns per second    : 0
            client pkt count : 19271     , client byte count: 2326106
            server pkt count : 26140     , server byte count: 16572023
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
            L7 Loadbalance policy : WSA-POLICY
              class/match : class-default
                LB action :
                   primary serverfarm: WSA_FARM
                        state: UP
                    backup serverfarm : -
                hit count        : 1260
                dropped conns    : 0
                compression      : off
          compression:
            bytes_in  : 0                          bytes_out : 0
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0
            Content size: 0               Content type       : 0
            Not HTTP 1.1: 0               HTTP response error: 0
            Others      : 0
    switch/WSA# show probe WSA_TCP_3128
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    switch/WSA# show probe WSA_TCP_3128 detail
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
    description :
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
       conn termination : FORCED
       expect offset    : 0         , open timeout     : 3
       expect regex     : -
       send data        : -
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 2         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 0
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Sep  3 21:06:47 2012
       Last fail time      : Mon Sep  3 20:45:05 2012
       Last active time    : Mon Sep  3 20:45:57 2012
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    Thank you,
    Everaldo

  • IronPort WSA with Authentication unable to access 2 character domain names with 2 character TLDNs

    I've discovered an issue when requiring user authentication: some of the short URL sites like e2.ma will not load in Internet Explorer explicitly configured to go through an IronPort WSA. In testing with bogus domains (a.to, aa.to) it seems the issue is if the domain name is 1-2 characters and the top level domain name is also 2 characters long. Longer domains (aaa.to) work and return an IronPort error for DNS_FAIL. Does anyone know of a workaround so as not to have to allow all these as unauthenticated destinations?

    Support pointed me towards that KB article as well, but it is for IE 5 (and fixed in IE 6); IE 8+ uses a TLD list from Microsoft (visible by using res://urlmon.dll/ietldlist.xml) and I don't control the external website. I'm going to try using an IP address surrogate instead of session cookies for these domains and see if that resolves this.

  • IronPort WSA S650 Failed to acquire the server manifest

    Hello,
    I have a demo WSA S650 from Cisco and the appliance can't download the definition updates and AsyncOS updates.
    IronPort WSA S650
    According to:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/eol_c51-716512.html
    the WSA's End of SW Maintenance Releases Date is December 31, 2012.
    On cisco.com I can't find a new AsyncOS version for the S650 series in the download area (the section for the S650 is gone).
    When I try to update the appliance I get the error: Failed to acquire the server manifest
    From a browser I go to: http://updates.ironport.com/fetch_manifest.html
    and after I insert the serial number and version I get the error:
    An error occurred.
    (('base', 'get_server_manifest', '851'), 'phone.base.ManifestError', 'Connection unexpectedly closed.', '[local_manifest|web_fetch_manifest|247] [local_manifest|assemble_manifest|299] [base|get_server_manifest|851]')
    I believe that this WSA doesn't have the rights to download the web filtering definition updates!

    It seems that the appliance doesn't care about the update settings.
    I have set updates to be done via the data interface, all routes are checked and are OK, but the updates are not working.
    When I set up only one interface for management and data, the update was done right, so I suppose that the update was done on the management interface even though I set it up to be done on the data interface.

  • QoS Cisco SCE8000, Caching Cisco IronPort WSA, Loadbalancing Cisco ACE solution

    Hi all,
    Our customer is a mobile operator. They need an integrated solution combining caching, QoS and load balancing. From my understanding of their goals, they need to provide stable and speedy broadband access as well as a good user experience through differentiated service offerings. They need to classify IP traffic and prioritize and control content-based services for a given subscriber, while transparently and dynamically redirecting and load balancing the application-level classified IP traffic to a proxy caching server regardless of protocols such as HTTP, HTTPS, SSL, FTP, FLV, MMS, RTSP, SIP, P2P...
    Attached please find the RFP and technical specification for Caching and QoS.
    I would appreciate your expertise in advising me whether I can propose the Cisco ACE standalone appliance or ACE engine module for 7600/6500 for load balancing, Cisco IronPort WSA for caching and dual Cisco SCE8000 for QoS as an integrated solution. Is this solution feasible/workable, and where could I find a reference, solution design or technical guidance on this?
    Thanks a lot, and I would like to hear from you at the soonest!
    Best regards,

  • Any methods to simulate Cisco IronPort WSA appliance for practice

    Similar to GNS3, on which we can simulate ASA/routers, is there any other method to simulate a Cisco IronPort WSA appliance for practice or testing? Please let me know. Thanks.

    You can download the virtual WSA. I have not tried it so I'm not sure how it works without a license.
    http://software.cisco.com/download/release.html?mdfid=284806698&flowid=41610&softwareid=282975114&release=7.7.5&relind=AVAILABLE&rellifecycle=GD&reltype=latest

  • Request Sub-CA-Certificate for Ironport WSA

    How do I request a Sub-CA certificate for an IronPort WSA? The GUI only offers the import of the public and private certificates to run the IronPort Proxy Appliance as a subordinate CA. The Root CA is a standalone CA from Microsoft.
    Thanks for your help.

    Here is the solution for this question:
    The steps to use the sample INF file are:
    run the command: certreq.exe -new certreq.inf cacert.req
    submit cacert.req to your Root CA, issue the certificate and export the certificate to a file "newcacer.cer"
    install the certificate by running the command: certreq.exe -accept newcacer.cer
    export the certificate to a PFX file including the private key
    using openssl, convert the PFX file to PEM format with the following steps:
       * extract the certificate (the signed public key) from the PFX file:
         openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
       * extract the private key from the PFX file and write it to a PEM file:
         openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
       * remove the password from the private key file:
         openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
    That's all. Then you can import the Sub-CA cert and the private key into the IronPort WSA. All the copied certificates issued by the Sub-CA of the IronPort Web Security Appliance will now be trusted by the client (if the Root CA is trusted on the client).
    Sample for the INF-File:
    [Version]
    Signature="$Windows NT$"
    [Strings]
    CACN = "Issuing CA"
    [NewRequest]
    Subject = "CN=%CACN%"
    Exportable = True
    MachineKeySet = True
    KeyLength = 2048
    KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
    KeyContainer = "%CACN%"
    [Extensions]
    2.5.29.19 = "{text}ca=1&pathlength=0"
    Critical = 2.5.29.19
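    Added example (not from the thread, the poster or Cisco): a small pre-flight check for the certreq INF file above. Before the request goes to the Root CA it is worth confirming that the INF really asks for a CA certificate with pathlength=0 and certificate-signing key usage, because the subordinate CA the WSA will hold is the one that decrypts/re-signs HTTPS for every client that trusts it, and pathlength=0 is what stops that key from being used to issue further CAs. The INF text embedded below is a copy of the sample in the post, included so the check runs offline; the section and key names are those of the INF format, and the checks themselves are the example's own choices.

```python
"""Pre-flight check for a certreq.exe INF file requesting a subordinate CA
certificate (added example; not the forum post's or Cisco's code).

Parses [Strings], [NewRequest] and [Extensions], expands %NAME% placeholders
from [Strings], and reports deviations from a constrained sub-CA profile:
ca=1 with pathlength=0, basicConstraints marked Critical, cert/CRL-signing
key usage, and an exportable 2048-bit key (needed to produce the PFX).
"""
import re

# Copy of the sample INF from the post, embedded so the check runs offline.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"
[Strings]
CACN = "Issuing CA"
[NewRequest]
Subject = "CN=%CACN%"
Exportable = True
MachineKeySet = True
KeyLength = 2048
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
KeyContainer = "%CACN%"
[Extensions]
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.19
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"  # X.509 basicConstraints extension


def parse_inf(text):
    """Parse INF text into {section: {key: value}}; strips quotes, expands %NAME%."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current][key.strip()] = value
    strings = sections.get("Strings", {})
    for sect in sections.values():
        for key, value in list(sect.items()):
            sect[key] = re.sub(r"%(\w+)%", lambda m: strings.get(m.group(1), m.group(0)), value)
    return sections


def basic_constraints(sections):
    """Return (is_ca, pathlength, critical) from the {text} basicConstraints value."""
    ext = sections.get("Extensions", {})
    value = ext.get(OID_BASIC_CONSTRAINTS)
    if value is None:
        return (False, None, False)
    text = value[len("{text}"):] if value.startswith("{text}") else value
    fields = dict(p.split("=", 1) for p in text.split("&") if "=" in p)
    is_ca = fields.get("ca") == "1"
    pathlength = int(fields["pathlength"]) if "pathlength" in fields else None
    critical_oids = ext.get("Critical", "").replace(" ", "").split(",")
    return (is_ca, pathlength, OID_BASIC_CONSTRAINTS in critical_oids)


def check_subca_request(text):
    """Return a list of findings; an empty list means the INF matches the profile."""
    s = parse_inf(text)
    req = s.get("NewRequest", {})
    findings = []
    if int(req.get("KeyLength", "0")) < 2048:
        findings.append("KeyLength below 2048")
    usage = {u.strip() for u in req.get("KeyUsage", "").split("|")}
    for needed in ("CERT_KEY_CERT_SIGN_KEY_USAGE", "CERT_CRL_SIGN_KEY_USAGE"):
        if needed not in usage:
            findings.append("KeyUsage missing " + needed)
    is_ca, pathlength, critical = basic_constraints(s)
    if not is_ca:
        findings.append("basicConstraints does not set ca=1")
    if pathlength != 0:
        findings.append("pathlength is not 0 (sub-CA could issue further CAs)")
    if not critical:
        findings.append("basicConstraints is not marked Critical")
    if req.get("Exportable", "").lower() != "true":
        findings.append("Exportable is not True (private key cannot be exported to PFX)")
    return findings


if __name__ == "__main__":
    print(check_subca_request(SAMPLE_INF) or "INF matches the constrained sub-CA profile")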

  • Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

    Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
    Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
    How does the WSA handle complex protocols (such as FTP) through the proxy server?

    We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
    We have several apps that make use of the MS firewall client.
    The MS firewall client enables HTTP tunneling of TCP & UDP through the ISA proxy servers instead of going through firewalls.
    These apps use various ports, and there are rules set up on the ISAs specifically for these apps and their ports.
    Also we have several uses of RDP, telnet and SSH using the firewall client to HTTP-tunnel through the proxy servers, and these have specific ISA rules set up for them too.
    I can find HTTP tunneling software, commercial and freeware, but can't find any that I think will work through the IronPort WSA S370 proxy servers.
    I would like to find someone who has implemented HTTP tunneling using IronPort WSA S370 proxy servers.
    Thanks again for your input.

  • Is Network News Transfer Protocol supported on Cisco IronPort WSA S670?

    Hi,
    I have an issue with a customer with a Cisco IronPort WSA S670; my question is, does the WSA support NNTP?
    Thanks
    Alex Juache

    Hi Alejandro,
    The WSA does not support NNTP.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • IronPort WSA management through Security Management Appliance

    Hi,
    I have two identically configured (policies) IronPort WSA S670 appliances running 7.5.0-833, both added to an SMA M670 management appliance running 7.9.1-102. Appliance A has the McAfee license expired. Newly installed appliance B has McAfee running for 28 more days. "Sophos" is enabled on both and working well. Config Master 7.5 was built based on the config from appliance A.
    Now, when I want to push the Config Master to both the associated WSAs, it fails on appliance B as "McAfee" is disabled in the Config Master but enabled on it. The setting "Security Services Display" in the M670 was changed to enable "McAfee", but now appliance A fails, giving a mismatch error on publishing.
    How do I work around this? Can the McAfee license/feature key on appliance B be expired/disabled now without waiting 28 days to let it expire?
    Thanks,
    Rick.

    Hello Rick,
    You can disable McAfee globally on the SMA by going to:
    GUI -> Web -> Utilities -> Security Services Display -> Edit Display Settings -> Under Configuration Master 7.5 ->
    Do your Web Appliances have McAfee Anti-Malware enabled? -> Uncheck the box and submit.
    Also, disable McAfee on the appliance that has 28 days of the license left. This way McAfee will be disabled on all your boxes.
    I hope this helps.
    Regards,
    -Puja

  • Ironport WSA - Management interface

    Hello,
    I have installed one IronPort WSA appliance for my customer.
    I would like to configure the following interfaces:
    -M1: for management
    -P1: for the production interface
    -T1: for L4 inspection
    I have specified a default route for M1 and P1.
    When I tried to ping the Internet or perform an update of the WSA, I saw the request exit via the M1 interface.
    It doesn't work because the management network can't reach the Internet (it's the customer's policy).
    -Is it normal that the upgrade of the WSA and the ping exit via the M1 interface?
    -If I want to perform NTLM authentication (with an AD domain), is the exchange with the server and the client performed via P1 or M1?
    -Does the upgrade of antivirus & SensorBase use M1 or P1?
    -I thought that M1 was only used for management of the WSA (SSH and HTTPS).
    -How can the WSA appliance manage two default routes?
    Can you give me more information about M1 and P1 and the role of each one?
    Best Regards
    Cédric

    You can change the route that updates and upgrades use by going to System Administration > Upgrade and Update Settings. Then click on "Edit Update Settings". You can pick the routing table/interface here. By default it's set to the management interface.
    I'm fairly sure that the NTLM traffic from the WSA to the domain is via the management interface.
    P1 is for the proxy traffic. Whatever way you get internet traffic to the box, it goes through P1, in and out (unless you use P2).
    M1 is for all of the other stuff: web management, SSH, updates, LDAP/NTauth, etc.

  • IronPort WSA S170 and Context directory agent

    Hello people and experts,
    I need your consultation regarding IronPort and CDA deployment.
    I couldn't find any information on the internet...
    So my question is: if IronPort is an AD domain member and an explicit forward proxy is planned to be used, do I need CDA to be deployed? What will happen if I don't want to deploy CDA in my environment?
    As I understood it, CDA is useful when IronPort works as a transparent proxy or if IronPort is not a member of the same domain as the users.
    Please advise.

    The CDA eliminates the need for NTLM authentication.  Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X.  When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on this particular IP address.  Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.

  • Apple iOS via Ironport WSA

    I'm hoping for some help with trying to authenticate Apple iOS devices via an Ironport S650.
    I'm authenticating devices to the corporate network successfully with NPS, however I'm frequently encountering authentication failures.
    In the authlogs I am seeing a number of messages such as:
    Tue Nov 20 14:08:14 2012 Info: PROX_AUTH : - : Login for user []\[[email protected]]@[DN6FXBA4DFJ1] failed due to [No such user]
    Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN]\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)
    Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : Login for user [DOMAIN]\[ipad]@[DN6FXBA4DFJ1] failed due to [Invalid workstation}
    I have configured the iPad to use the proxy server on port 80 and entered a valid username (iPad) and password. On launching Safari, I am still repeatedly prompted for a username and password.
    Having done a little more reading, I gather that this is just the first of many issues I may encounter. As such, I'm keen to know if anybody has successfully deployed iPads connecting to the web via an Ironport appliance and if so what you would recommend.
    Thanks,
    Neil

    Hi Neil,
    How to process Apple QuickTime (Mac/OS X) requests via Cisco IronPort Web Security Appliance (WSA) if NTLM authentication is required?
    Environment:
    Cisco IronPort Web Security Appliance (WSA)
    NTLM authentication using the schemes "NTLMSSP" or "Basic or NTLMSSP"
    Mac OS X 10.5 (Leopard) / Mac OS X 10.6 (Snow Leopard)
    Apple QuickTime (verified 7.6.5 / 7.6.6)
    Symptoms:
    The Mac OS X version of QuickTime fails to pass the NTLM authentication challenge and to fetch streaming content via the WSA if either the NTLM scheme "NTLMSSP" or "Basic or NTLMSSP" has been selected. Executing QuickTime in embedded (browser) or standalone mode makes no difference.
    Solution:
    QuickTime for Mac OS X does not support the NTLM authentication schemes "NTLMSSP" and "Basic or NTLMSSP".
    QuickTime will establish connections once one of the following workarounds has been applied:
    (A) Disable authentication (not recommended)
    (B) Change the global authentication scheme to NTLM "Basic (only)".
    (C) Create an authentication exception for the OS X QuickTime player using the custom user agent "QuickTime" or "QuickTime/VERSION" (QuickTime/7.6.6 for example).
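    Added example (not from the thread, Neil's post or Cisco): a small parser for the WSA authlog PROX_AUTH lines Neil quoted above, of the kind you would run over a log export to see which users and failure reasons dominate before opening a case. It also handles the case seen in the paste, where two records were run together on one line, by splitting on the timestamp that starts each record. The sample lines are constructed in the shape of the quoted ones (usernames, workstation and realm values are made up); the NT_STATUS interpretations in STATUS_HINTS are the example's own, based on the standard Windows meanings, not something the post states.

```python
"""Parse Cisco WSA authlog PROX_AUTH failures and summarise them
(added example; not the forum post's or Cisco's code)."""
import re
from collections import Counter

# Constructed sample: three records, the last two run together on one line the
# way the post's paste was. Users, workstation and realm values are made up.
SAMPLE_AUTHLOG = (
    "Tue Nov 20 14:08:14 2012 Info: PROX_AUTH : - : Login for user "
    "[]\\[ipad@example.com]@[WKS-CONSTRUCTED] failed due to [No such user]\n"
    "Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user "
    "[DOMAIN]\\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)"
    "Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : Login for user "
    "[DOMAIN]\\[ipad]@[WKS-CONSTRUCTED] failed due to [Invalid workstation]\n"
)

TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
# Zero-width split before every "<timestamp> <Level>: " so fused lines come apart.
RECORD_SPLIT = re.compile(r"(?=" + TS + r" \w+: )")
RECORD = re.compile(r"^(?P<ts>" + TS + r") (?P<level>\w+): PROX_AUTH : (?P<realm>[^:]*?) : (?P<msg>.*)$")
LOGIN_FAIL = re.compile(
    r"Login for user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
    r" failed due to \[(?P<reason>[^\]}]*)[\]}]"  # tolerate the stray '}' seen in the paste
)
NTLM_STATUS = re.compile(
    r"NTLM CRAP authentication for user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" returned (?P<status>NT_STATUS_\w+)"
)

# Interpretation is the example's (standard Windows NT_STATUS meanings), not the post's.
STATUS_HINTS = {
    "NT_STATUS_INVALID_WORKSTATION": "account is restricted to specific workstations in AD (user 'Log On To' list)",
    "NT_STATUS_NO_SUCH_USER": "username does not exist in the domain the WSA queried",
    "NT_STATUS_WRONG_PASSWORD": "wrong password",
    "NT_STATUS_ACCOUNT_LOCKED_OUT": "account is locked out",
}


def split_records(text):
    """Split authlog text into one record per entry, repairing run-together lines."""
    return [r.strip() for r in RECORD_SPLIT.split(text) if r.strip()]


def parse_record(record):
    """Parse one PROX_AUTH record into a dict, or None if it is not a PROX_AUTH line."""
    m = RECORD.match(record)
    if not m:
        return None
    event = {"ts": m["ts"], "realm": m["realm"], "kind": "other", "user": None,
             "domain": None, "workstation": None, "reason": None, "status": None}
    f = LOGIN_FAIL.search(m["msg"])
    if f:
        event.update(kind="login_failed", user=f["user"], domain=f["domain"],
                     workstation=f["ws"], reason=f["reason"])
        return event
    n = NTLM_STATUS.search(m["msg"])
    if n:
        event.update(kind="ntlm_status", user=n["user"], domain=n["domain"], status=n["status"])
    return event


def summarize(text):
    """Count failures per (user, reason) and NT_STATUS codes, with hints for known codes."""
    events = [e for e in (parse_record(r) for r in split_records(text)) if e]
    by_reason = Counter((e["user"], e["reason"]) for e in events if e["kind"] == "login_failed")
    statuses = Counter(e["status"] for e in events if e["kind"] == "ntlm_status")
    return {
        "events": len(events),
        "by_reason": by_reason,
        "statuses": statuses,
        "hints": {s: STATUS_HINTS.get(s, "unmapped status") for s in statuses},
        # Logins that arrived with an empty domain part (e.g. a UPN-style name).
        "empty_domain": sum(1 for e in events if e["domain"] == ""),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AUTHLOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

    Run over a real authlog export, the (user, reason) counts separate the "No such user" entries, where the supplied name never resolved in the realm, from NT_STATUS failures, where the domain controller did answer and the status tells you which AD-side condition to look at.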

  • Ironport WSA Async OS upgrade

    Hi All,
    We are using an IronPort S670 with AsyncOS version 6.3.7-018. We are planning to upgrade the AsyncOS to the new version 7.5.0-826. As we are new to this WSA we need the procedure and steps to upgrade.
    Could someone kindly help us with upgrading?
    Guru

    If you go to the bottom of the email that you got from Cisco... it's there... (I've copied the relevant section below)
    You REALLY need to read the release notes... There's a fair number of changes that you need to know about.
    For further information about this release, please refer to the AsyncOS Release Notes. The release notes are available on our Support Portal:
    WSA: http://www.cisco.com/en/US/products/ps10164/prod_release_notes_list.html
    SMA: http://www.cisco.com/en/US/products/ps10155/prod_release_notes_list.html
    If you do not have a Cisco.com User ID use this link to register.
    You will need to use your new or existing Cisco.com User ID. Once you have received your Cisco User ID, please link it to your Cisco Service Contract Number.
    Instructions for linking your account are located at:  http://www.ironport.com/support/vod2.html.
    Your Cisco Service Contract Number is xxxxxxx
    If you are concerned about an issue not listed there, please contact your authorized support provider to make an inquiry.
    How to Upgrade
    Prior to upgrading to this release, please read the Release Notes referenced above and save a copy of the configuration file somewhere other than on your appliance.
    Once you have read the Release Notes you may log into the command line of your IronPort Appliance as the 'admin' user, and type 'upgrade', or use the WebUI upgrade functionality in the 'System Administration' tab.
    You may upgrade directly to the highest version available in the displayed list.
    **NOTE** It is important that you follow the upgrade instructions available in the Release Notes. If you do attempt to upgrade and do not see the desired release version available, your appliance is likely not on a version allowed to upgrade directly. See 'Upgrade Paths' below.
    Upgrade Paths
    Please refer to the Release Notes for qualified upgrade paths.
    If your systems are on any other AsyncOS release, you will need to perform multiple upgrades as specified in the release notes. Only the immediate next step in the upgrade path will be shown to you, with the next revision being shown once you are at the approved level.
