IronPort WSA management through Security Management Appliance

Hi,
I have two identically configured (policies) IronPort WSA S670 appliances running 7.5.0-833, both added to an SMA M670 management appliance running 7.9.1-102. Appliance A has an expired McAfee license. The newly installed appliance B has McAfee running for 28 more days. "Sophos" is enabled on both and working well. Config Master 7.5 was built based on the config from appliance A.
Now, when I want to push the Config Master to both associated WSAs, it fails on appliance B because "McAfee" is disabled in the Config Master but enabled on the appliance. The setting "Security Services Display" on the M670 was changed to enable "McAfee", but now appliance A fails with a mismatch error on publishing.
How can I work around this? Can the McAfee license/feature key on appliance B be expired or disabled now, without waiting 28 days for it to expire?
Thanks,
Rick.

Hello Rick,
You can disable McAfee globally on the SMA by going to:
GUI -> Web -> Utilities -> Security Services Display -> Edit Display Settings -> Under Configuration Master 7.5 ->
Do your Web Appliances have McAfee Anti-Malware enabled? -> Uncheck the box and submit.
Also, disable McAfee on the appliance that has 28 days of license left. This way McAfee will be disabled on all your boxes.
I hope this helps.
Regards,
-Puja

Similar Messages

  • Ironport WSA - Management interface

    Hello,
    I have installed one Ironport WSA appliance for my customer.
    I want to configure the following interfaces:
    -M1 : for the management
    -P1 : for the production interface
    -T1 : for L4 inspection
    I have specified a default route for M1 and P1.
    When I tried to ping the Internet or perform an update of the WSA, I saw the request exit via the M1 interface.
    It doesn't work because the management network can't reach the Internet (it's the customer's policy).
    -Is it normal that the WSA upgrade and the ping exit via the M1 interface?
    -If I want to perform NTLM authentication (with an AD domain), is the request between the server and the client performed via P1 or M1?
    -Do the antivirus and sensor base updates use M1 or P1?
    -I thought that M1 was only used for the management of the WSA (SSH and HTTPS).
    -How can the WSA appliance manage two default routes?
    Can you give me more information about M1 and P1 and the role of each one?
    Best Regards
    Cédric

    You can change the route that updates and upgrades use by going to System Administration > Upgrade and Update Settings. Then click on "Edit Update Settings". You can pick the routing table/interface here. By default it's set to the management interface.
    I'm fairly sure that the NTLM traffic from the WSA to the domain goes via the management interface.
    P1 is for the proxy traffic. Whatever way you get internet traffic to the box, it goes through P1, in and out (unless you use P2).
    M1 is for all of the other stuff: web management, ssh, updates, ldap/ntauth, etc.

  • Ironport Management appliance and smtp routes

    Hi Guys,
    I'm configuring an M170 management appliance for two mail security IronPorts (for centralized quarantine).
    While going through the configuration, I found that an SMTP route can be configured. Why do I need to configure an SMTP route on the management appliance?
    As far as I know it should be configured on the IronPort email security appliances, but why on the management appliance? Do I need it?
    Thanks & Regards,
    Rami

    Hi,
    Thanks for your reply. I just want to confirm: this will be used even for end-user quarantine notifications, correct?
    I mean that the management appliance will send quarantine notifications to end users by using this SMTP route, am I right?
    Regards,
    Rami

  • Publish to a WSA from Management appliance Fails

    I am trying to publish a configuration from my new M170 to an S160 and I get this error: "Failure: The Anti-malware settings must match to successfully publish." I checked and the settings are good. Any ideas?

    Bob.
    In the MSA, which security settings are turned on (Is Sophos on? Is McAfee on? etc) has to match what is actually enabled on the WSA you're pushing to.
    Taken from 8-10 of the user guide:
    To verify enabled features for a Web Security appliance:
    Step 1 On the Security Management appliance, choose Web > Utilities > Web Appliance Status.
    Step 2 Click the name of a Web Security appliance to which you will publish a Configuration Master.
    Step 3 Scroll to the Security Services table.
    Step 4 Verify that the Feature Keys for all enabled features are active and not expired.
    Step 5 Compare the settings in the Services columns:
    The Web Appliance Service column and the Is Service Displayed on Management Appliance? column should be consistent.
    Enabled = Yes
    Disabled and Not Configured = No or Disabled.
    N/A means Not Applicable. For example, the option may not be configurable using a Configuration Master, but is listed so that you can see the Feature Key status.
    Configuration mismatches will appear in red text.
    Step 6 If the enabled/disabled settings for a feature do not match, do one of the following:
    • Change the relevant setting for the Configuration Master. See Enabling Features to Publish, page 8-10.
    • Enable or disable the feature on the Web Security Appliance. Some changes may impact multiple features. See the information about the relevant feature in the Cisco IronPort AsyncOS for Web Security User Guide.
    I have put in an enhancement request for this to be manageable by the MSA, because I think it's pretty dumb that you can't push this config from the MSA.
    Hope that helps,
    Ken

  • Updating Security Management Appliance

    Hello Support Community!
    I would like to upgrade a Cisco Security Management Appliance (SMA) M160, former Ironport M-Series.
    Current Version: 7.9.1-039
    My Goal: 8.0.0-402
    8.0.0-402 was released on March 28, 2013. The problem is, when I search for available upgrades,
    I get: "Error - No available upgrades"
    There is no error with my firewall, because I can successfully check for new feature keys.
    Any idea what went wrong?
    greets
    Christian

  • Security Management Appliance - Multiple SSL Cert support.

    Does anyone know if the SMA supports multiple SSL certs?  We would like to create a cert for our users that access the Spam Quarantine that uses a different FQDN from what we have now for admin access.
    I noticed in the instructions for importing certs into the SMA that it does ask if you want to use that cert for everything, but I haven't found anything that elaborates on what options you have if you say NO. I'm guessing from that question that it allows for a different cert for a different function, but I'd like confirmation and maybe direction on how to implement it.
    Thanks in advance.

    You can install a different cert for different processes:
    http://www.cisco.com/c/en/us/support/docs/security/content-security-management-appliance/118460-technote-sma-00.html
    Certificates can be used for four different services:
    Inbound TLS
    Outbound TLS
    HTTPS
    LDAPS
    When you say No, you'll just need to be prepared to enter in the separate certs as needed for each process.  And, SMA is still CLI only for cert management.
    -Robert

  • Exactly what can you manage centrally with the Management Appliance?

    So, we're thinking of getting a pair of M1070 Management Appliances to work with our cluster of C360 mail appliances (AsyncOS 7.6).
    It is not completely clear (a) which things can be centrally handled, and (b) which things can be handled in a redundant manner.  It is also not clear how the redundancy works - are things copied to both all the time?  If the primary management appliance goes down for a while, are the missed logs copied over from the secondary when it comes back?  When the primary is down, does the secondary take over a virtual IP so that users will still go to the same URL for quarantines?
    Logging, reporting, and message tracking all seem to be easily done centrally, and are duplicated to the redundant.
    As far as I can tell, the spam quarantine can be centralised, and it seems that it is replicated to the secondary if you have AsyncOS>7.2.  I can't tell if the safelist/blocklist is replicated between the two, though, and what happens in a failover situation, although it seems it is held centrally.  I've seen conflicting information about this, one saying that secondaryconfig can duplicate spam quarantines, the other saying you need to do some sleight-of-hand with content filters to duplicate messages to both management quarantines.
    Is there a way to make other quarantines on the management servers?  We'd like to have our policy quarantine held centrally, and redundant, so that if we lose a datacentre we can still release policy-quarantined messages.  I can't tell how you can set this up.
    Finally, we currently route our emails via the cluster of C360 mail appliances.  Would we continue to do this (and they send logs, quarantines etc to the management appliances), or would we have to instead route our emails via the new management appliances, which then forward them on to the C360s?
    If anyone there has successfully set up a redundant management appliance setup I'd be keen to hear the details.

    I haven't set up redundant SMAs so I can't help much there... I'm reasonably sure that one acts as a backup destination for the other, but I may have that all wrong.
    As far as what can be centralized, as of ESA 8.0.0 and SMA 8.1 (might still be FCS, you can request it from TAC), you can centralize Policy, Virus and Outbreak quarantines, along with the already available spam quarantine and message tracking... Set up the policies and quarantines on the ESAs, point the SMA at the two ESAs, and tell it to import the quarantines, and it will bring over the data that's there and reconfig the ESAs to send the policy quarantined mail over, just like it does for the spam quarantine.
    You would continue to route mail through the C360s.  The M boxes don't do mail flow, other than centralizing the quarantines, and dealing with quarantine releases...

  • Any methods to simulate Cisco IronPort WSA appliance for practice

    Similar to GNS3, on which we can simulate ASAs/routers, are there any methods to simulate a Cisco IronPort WSA appliance for practice or testing? Please let me know. Thanks.

    You can download the virtual WSA. I have not tried it so I'm not sure how it works without a license.
    http://software.cisco.com/download/release.html?mdfid=284806698&flowid=41610&softwareid=282975114&release=7.7.5&relind=AVAILABLE&rellifecycle=GD&reltype=latest

  • IronPort WSA S650 Failed to acquire the server manifest

    Hello,
    I have a demo WSA S650 from Cisco and the appliance can't download the definition updates and AsyncOS updates.
    IronPort WSA S650
    According to:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/eol_c51-716512.html
    The WSA is End of SW Maintenance Releases Date: December 31, 2012
    On cisco.com I can't find a new AsyncOS version for the S650 series in the download area (the section for the S650 is gone).
    When I try to update the appliance I get the error: Failed to acquire the server manifest
    From a browser I go to: http://updates.ironport.com/fetch_manifest.html
    After I enter the serial number and version, I get the error:
    An error occurred.
    (('base', 'get_server_manifest', '851'), 'phone.base.ManifestError', 'Connection unexpectedly closed.', '[local_manifest|web_fetch_manifest|247] [local_manifest|assemble_manifest|299] [base|get_server_manifest|851]')
    I believe that this WSA doesn't have the rights to download the web filtering definition updates!

    It seems that the appliance doesn't care about the update settings.
    I have set the updates to be done via the data interface; all routes are checked and are OK, but the updates are not working.
    When I set up only one interface for management and data, the updates worked, so I suppose that the update was done on the management interface even though I set it to be done on the data interface.

  • Content filter on Cisco Email Security Virtual Appliance

    Dear friend,
    I have a problem with a Content Filter when configuring the Cisco Security Virtual Appliance.
    You can see my rule in the attached picture.
    But when I send an email with the subject "RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint", it is blocked by the Content Filter "DenySubject".
    I'm sure that my Dictionary doesn't contain any word from this Subject.
    Capture 3 is captured in Policy Quarantine.
    Please help me to solve it asap.
    Thanks so much.
    Vinh Phan

    It is not an issue with the virtual ESA.  Using my vESA, I get the same results, using your "denysubject.txt" for custom dictionary...
    Tue Jun 10 22:53:37 2014 Info: ICID 96 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
    Tue Jun 10 22:53:37 2014 Info: Start MID 58 ICID 96
    Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 From: <[email protected]>
    Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 RID 0 To: <[email protected]>
    Tue Jun 10 22:53:37 2014 Info: MID 58 Message-ID '<[email protected]>'
    Tue Jun 10 22:53:37 2014 Info: MID 58 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
    Tue Jun 10 22:53:37 2014 Info: MID 58 ready 7764 bytes from <[email protected]>
    Tue Jun 10 22:53:37 2014 Info: MID 58 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
    Tue Jun 10 22:53:37 2014 Info: MID 58 quarantined to "Policy" (content filter:DenySubject)
    Tue Jun 10 22:54:36 2014 Info: ICID 96 close
    Reviewing the contents --- one line is the culprit:
    [NuocVIET], 1
    Remove that one entry, and the dictionary works.
    Tue Jun 10 23:34:19 2014 Info: New SMTP ICID 117 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
    Tue Jun 10 23:34:19 2014 Info: ICID 117 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
    Tue Jun 10 23:34:19 2014 Info: Start MID 91 ICID 117
    Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 From: <[email protected]>
    Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 RID 0 To: <[email protected]>
    Tue Jun 10 23:34:19 2014 Info: MID 91 Message-ID '<[email protected]>'
    Tue Jun 10 23:34:19 2014 Info: MID 91 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
    Tue Jun 10 23:34:19 2014 Info: MID 91 ready 4505 bytes from <[email protected]>
    Tue Jun 10 23:34:19 2014 Info: MID 91 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
    Tue Jun 10 23:34:19 2014 Info: MID 91 queued for delivery
    Tue Jun 10 23:34:19 2014 Info: New SMTP DCID 39 interface 172.16.6.165 address 173.37.93.161 port 25
    Tue Jun 10 23:34:19 2014 Info: DCID 39 TLS success protocol TLSv1 cipher RC4-SHA 
    Tue Jun 10 23:34:20 2014 Info: Delivery start DCID 39 MID 91 to RID [0]
    Tue Jun 10 23:34:20 2014 Info: Message done DCID 39 MID 91 to RID [0] 
    Tue Jun 10 23:34:20 2014 Info: MID 91 RID [0] Response '2.0.0 s5B3YLna030140 Message accepted for delivery'
    Tue Jun 10 23:34:20 2014 Info: Message finished MID 91 done
    Tue Jun 10 23:34:25 2014 Info: DCID 39 close
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
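
The two log excerpts in the reply above, reduced to one line per message, as an added example that is not part of the original post: the awk function follows each MID to its final disposition and records the content filter that quarantined it and the TLS protocol and cipher of the delivery connection. The sample lines are trimmed from the log quoted above; the function names sample_log and mid_summary are made up for this example.

```shell
#!/bin/sh
# Added example: per-message summary of an ESA mail log (not from the post).

# Lines trimmed from the two log excerpts quoted in the post (address lines omitted).
sample_log() {
cat <<'EOF'
Tue Jun 10 22:53:37 2014 Info: Start MID 58 ICID 96
Tue Jun 10 22:53:37 2014 Info: MID 58 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
Tue Jun 10 22:53:37 2014 Info: MID 58 quarantined to "Policy" (content filter:DenySubject)
Tue Jun 10 23:34:19 2014 Info: Start MID 91 ICID 117
Tue Jun 10 23:34:19 2014 Info: MID 91 queued for delivery
Tue Jun 10 23:34:19 2014 Info: DCID 39 TLS success protocol TLSv1 cipher RC4-SHA
Tue Jun 10 23:34:20 2014 Info: Delivery start DCID 39 MID 91 to RID [0]
Tue Jun 10 23:34:20 2014 Info: Message finished MID 91 done
EOF
}

# mid_summary: read a mail log on stdin and print one line per MID:
#   MID <id> <fate> [filter=<name>] [tls=<protocol>/<cipher>]
mid_summary() {
    awk '
    # Remember each MID once, in order of first appearance.
    function note(m) { if (!(m in seen)) { seen[m] = 1; order[++n] = m } }

    $6 != "Info:" { next }
    $7 == "Start" && $8 == "MID" { note($9) }
    $7 == "MID" && $9 == "quarantined" {
        note($8); fate[$8] = "quarantined"
        # "content filter:" is 15 characters; keep only the filter name.
        if (match($0, /content filter:[^)]+/))
            filter[$8] = substr($0, RSTART + 15, RLENGTH - 15)
    }
    $7 == "MID" && $9 == "queued" { note($8); if (fate[$8] == "") fate[$8] = "queued" }
    # TLS is logged per delivery connection (DCID), before the message is sent.
    $7 == "DCID" && $9 == "TLS" && $10 == "success" { tls[$8] = $12 "/" $14 }
    # "Delivery start DCID <d> MID <m>" ties the connection to the message.
    $7 == "Delivery" && $8 == "start" { note($12); dcid[$12] = $10 }
    $7 == "Message" && $8 == "finished" { note($10); fate[$10] = "delivered" }
    END {
        for (i = 1; i <= n; i++) {
            m = order[i]
            line = "MID " m " " (fate[m] == "" ? "unknown" : fate[m])
            if (m in filter) line = line " filter=" filter[m]
            if ((m in dcid) && (dcid[m] in tls)) line = line " tls=" tls[dcid[m]]
            print line
        }
    }'
}

sample_log | mid_summary
```

To run it against a real log, feed the file on stdin, for example `mid_summary < mail.current` (file name assumed).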

  • Request Sub-CA-Certificate for Ironport WSA

    How do I request a Sub-CA certificate for an IronPort WSA? The GUI only offers the import of the public and private certificates to run the IronPort Proxy Appliance as a subordinate CA. The Root CA is a standalone CA from Microsoft.
    Thanks for your help.

    Here is the solution for this question:
    The steps to use the sample inf file are:
    run the command: certreq.exe -new certreq.inf cacert.req
    submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
    install the certificate by running the command: certreq.exe -accept newcacer.cer
    export the certificate to a PFX file including the private key
    using openssl convert the PFX file to PEM format with the following steps:
              * extract the certificate file (the signed public key) from the pfx file:
                openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
              * extract private key from a pfx file and write it to PEM file:
                openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
              * remove the password from the private key file:
                openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
    That's all. Then you can import the Sub-CA-Cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root-CA is trusted on the client).
    Sample for the INF-File:
    [Version]
    Signature="$Windows NT$"
    [Strings]
    CACN = "Issuing CA"
    [NewRequest]
    Subject = "CN=%CACN%"
    Exportable = True
    MachineKeySet = True
    KeyLength = 2048
    KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
    KeyContainer = "%CACN%"
    [Extensions]
    2.5.29.19 = "{text}ca=1&pathlength=0"
    Critical = 2.5.29.19
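
A pre-import check for the files produced by the steps above, as an added example that is not part of the original post: it confirms that the certificate carries basicConstraints CA:TRUE with pathlen 0 (as requested in the INF file) and that the unencrypted private key belongs to it. The function names and the throwaway demo CA built by make_demo_subca are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a Sub-CA cert/key pair
# before importing it into the proxy.

# check_subca_pair CERT KEY
# Prints "ok" and returns 0 only when CERT is a CA certificate limited to
# pathlen 0 and KEY is its unencrypted private key; otherwise prints the reason.
check_subca_pair() {
    cert=$1
    key=$2
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "cannot parse certificate"; return 1; }
    case $text in
        *CA:TRUE*) ;;
        *) echo "basicConstraints is not CA:TRUE"; return 1 ;;
    esac
    case $text in
        *pathlen:0*) ;;
        *) echo "pathlen is not 0"; return 1 ;;
    esac
    # Both commands emit the public key as PEM, so equal text means same key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read public key from certificate"; return 1; }
    # An empty -passin makes a still-encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "private key unreadable or still encrypted"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "key does not match certificate"; return 1; }
    echo "ok"
}

# make_demo_subca DIR
# Builds a throwaway root and Sub-CA in DIR (constructed test material only,
# standing in for the Microsoft root CA and the certreq output).
make_demo_subca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Issuing CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null &&
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > "$dir/ext.cnf" &&
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -days 1 \
        -extfile "$dir/ext.cnf" -out "$dir/sub.pem" 2>/dev/null
}

# Script usage: sh check_subca.sh SubCA_PubCert.pem SubCA_PrivKey_unencrypted.pem
if [ "$#" -eq 2 ]; then
    check_subca_pair "$1" "$2"
fi
```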

  • IronPort WSA with Authentication unable to access 2 character domain names with 2 character TLDNs

    I've discovered an issue requiring user authentication: some of the short URL sites like e2.ma will not load in Internet Explorer explicitly configured to go through an IronPort WSA. In testing with bogus domains (a.to, aa.to) it seems the issue is if the domain name is 1-2 characters and the top level domain name is also 2 characters long. Longer domains (aaa.to) work and return an IronPort error for DNS_FAIL. Does anyone know of a workaround to not have to allow all these as unauthenticated destinations?

    Support pointed me towards that KB article as well, but it is for IE 5 (and fixed in IE 6), but IE 8+ uses a TLD list from Microsoft (visible by using res://urlmon.dll/ietldlist.xml) and I don't control the external website. I'm going to try using an IP address surrogate instead of session cookies for these domains and see if that resolves this.

  • QoS Cisco SCE8000, Caching Cisco IronPort WSA, Loadbalancing Cisco ACE solution

    Hi all,
    Our customer is a mobile operator. They need an integrated solution combining caching, QoS and load balancing. From my understanding of their goals, they need to provide stable and speedy broadband access as well as a good user experience through a differentiated service offering. They need to classify IP traffic and prioritize and control content-based services for a given subscriber, while transparently and dynamically redirecting and load balancing the application-level classified IP traffic to a proxy caching server regardless of protocol, such as http, https, ssl, ftp, flv, mms and rstp, sip, p2p....
    Attached pls find the RFP and technical specification for Caching and QoS.
    I appreciate your expertise to consult me whether I can propose for them the Cisco ACE standalone appliance or ACE engine module for 7600/6500 for loadbalancing, Cisco IronPort WSA for caching and dual Cisco SCE8000 for QoS as an integrated solution. Is this solution feasible/workable and where could I find the same reference or solution design or technical guidance on this?
    Thanks a lot and would like to hear from you at the soonest!
    Best regards,

  • Cisco Web Security Virtual Appliance Demo license?

    Is there a demo license available to test Cisco Web Security Virtual Appliance?
    Regards.

    Thank you so much Kasper! You are an angel fallen from heaven!
    Just 1 question: when I am ready to get the license, the following information appears. Do you know if the number 1 in the Qty column means 1 demo for just 1 user? Or do you know if I can get 1 demo for many users?
    Regards!
    NA | SKU Name    | Qty Ordered | Qty Available | Quantity Added | License Start Date | License End Date
    1  | WSA-WSP-45D | 1           | 1             | 1              | 03/13/2014         | 04/27/2014
  • Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

    Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
    Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
    How does WSA handle complex protocols (such as ftp) through the proxy server?

    We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
    We have several apps that make use of the MS firewall client.
    The MS firewall client enables HTTP-tunneling of TCP & UDP through the ISA proxy servers instead of going through firewalls.
    These apps use various ports - and there are rules set up on the ISAs specifically for these apps and their ports.
    Also we have several uses of RDP, telnet, and SSH using the firewall client to HTTP-tunnel through the proxy servers -- and these have specific ISA rules set up for them too.
    I can find HTTP-tunneling software - commercial and freeware - but can't find any that I think will work through the IronPort WSA S370 proxy servers.
    Would like to find someone who has implemented HTTP-tunneling using IronPort WSA 370 proxy servers.
    Thanks again for your input.
