QoS Cisco SCE8000, Caching Cisco IronPort WSA, Loadbalancing Cisco ACE solution

Hi all,
Our customer is a mobile operator. They need an integrated solution combining caching, QoS and load balancing. From my understanding of their goals, they need to provide stable and speedy broadband access as well as a good user experience through differentiated service offerings. They need to classify IP traffic and to prioritize and control content-based services for a given subscriber, while transparently and dynamically redirecting and load balancing the application-level classified IP traffic to a proxy caching server regardless of protocol, such as http, https, ssl, ftp, flv, mms and rstp, sip, p2p....
Attached pls find the RFP and technical specification for Caching and QoS.
I would appreciate your expert advice on whether I can propose to them the Cisco ACE standalone appliance or ACE engine module for 7600/6500 for load balancing, Cisco IronPort WSA for caching and dual Cisco SCE8000 for QoS as an integrated solution. Is this solution feasible/workable, and where could I find a similar reference, solution design or technical guidance on this?
Thanks a lot and would like to hear from you at the soonest!
Best regards,

Similar Messages

  • Any methods to simulate Cisco IronPort WSA appliance for practice

    Similar to GNS3 on which we can simulate ASA/Routers, same way any other methods to simulate Cisco IronPort WSA appliance for practice or testing? Please let me know. Thanks.

    You can download the virtual WSA. I have not tried it so I'm not sure how it works without a license.
    http://software.cisco.com/download/release.html?mdfid=284806698&flowid=41610&softwareid=282975114&release=7.7.5&relind=AVAILABLE&rellifecycle=GD&reltype=latest

  • Is it Support Network News Transfer Protocol On Cisco Ironport WSA S670?

    Hi,
    I have an issue with a customer with Cisco Ironport WSA S670. My question is: does the WSA support NNTP?
    Thanks
    Alex Juache

    Hi Alejandro,
    The WSA does not support NNTP.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • Cisco Web Caching Solution

    Hi There,
    I need a high availability web caching solution for 500 users, preferably with proxy functionality.
    Cisco had the Cisco Web Caching Engine, but it is End-of-Sales already. The new product that will replace the EOS product is the Wide Area Application Engine (WAE) platforms. Is that right?
    The Cisco Global Price List has a SKU product SE512-IPROXY-K9 (Security / iProxy WAE-512 bundle, 1GB MEM, 1 250GB HDD Incl.).
    The questions are:
    Is the SKU product SE512-IPROXY-K9 the right product for my needs?
    What is the difference between the SKU SE512-IPROXY-K9 and the SKU WAE-512-K9?
    Regards,
    Pedro Vasques

    Hi Pedro,
    The WAE product line does WAN Optimization, which includes HTTP optimization. The WAN Optimization solution works between two WAEs (one being at a Branch office and the other being at the Data Center). When employees at the branch office try to access resources like servers at the Data Center, their TCP-based traffic gets optimized. For more info please go to http://www.cisco.com/go/waas
    Cisco's Web Caching was a different solution. It caches the web objects when first user goes to a given web site. The following user requests will be served locally as long as cache history is available for that web page.
    I suggest you contact either a Cisco partner or Cisco representative in your area.
    thanks
    Nat

  • IronPort WSA S650 Failed to acquire the server manifest

    Hello,
    I have a demo WSA S650 from Cisco and the appliance can't download the definition updates and AsyncOS updates.
    IronPort WSA S650
    According to:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/eol_c51-716512.html
    The WSA is End of SW Maintenance Releases Date: December 31, 2012
    On cisco.com I can't find a new AsyncOS version for the S650 series in the download area (the section for S650 is gone).
    When I try to update the appliance I get the error: Failed to acquire the server manifest
    From a browser I go to: http://updates.ironport.com/fetch_manifest.html
    After I insert the serial number and version I get the error:
    An error occurred.
    (('base', 'get_server_manifest', '851'), 'phone.base.ManifestError', 'Connection unexpectedly closed.', '[local_manifest|web_fetch_manifest|247] [local_manifest|assemble_manifest|299] [base|get_server_manifest|851]')
    I believe that this WSA doesn't have the rights to download the web filtering definition updates!

    It seems that the appliance doesn't care about the update settings.
    I have set up the updates to be done over the data interface, all routes are checked and are OK, but the updates are not working.
    When I set up only one interface for management and data the updates were done correctly, so I suppose that the update was done on the management interface even though I set it up to be done on the data interface.

  • Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

    Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
    Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
    How does WSA handle complex protocols (such as ftp) through the proxy server?

    We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
    We have several apps that make use of the MS firewall client.
    The MS firewall client enables HTTP-tunneling of TCP & UDP through the ISA proxy servers instead of going through firewalls.
    These apps use various ports - and there are rules set up on the ISAs specifically for these apps and their ports.
    Also we have several uses of RDP, telnet, and SSH using the firewall client to HTTP-tunnel through the proxy servers -- and these have specific ISA rules set up for them too.
    I can find HTTP-tunneling software - commercial and freeware - but can't find any that I think will work through the IronPort WSA S370 proxy servers.
    Would like to find someone who has implemented HTTP-tunneling using IronPort WSA 370 proxy servers.
    Thanks again for your input.

  • End-user notification is not working for one of the uncategorized HTTPS websites on IronPort WSA

    When users try to access the URL https://cloud.skytap.com/tools/connectivity they are getting 'Internet Explorer cannot display the webpage' instead of the regular IronPort WSA end-user-notification. This URL is currently uncategorized. Please advise.

    Yes, we have set it to drop all the uncategorized URLs. We do get end-user-notifications for HTTP websites which are uncategorized.
    However, for any HTTPS websites which are uncategorized, we won't get an end-user-notification.

  • ACE working with IronPort WSA server farm

    We have an ACE load balancing a group of Ironport WSAs. The WSAs are working with the IP Spoofing feature, so the request to the WWW has the source IP address of the WSA client and not of the WSA itself.
    We followed the document behind, but it is not working. When the packet comes from the Internet with the WSA client address as the destination address, the ACE cannot deliver the packet even with mac-sticky configured.
    I read in another forum that the ACE needs to have the destination IP address in its ARP table or route table to be able to deal with the packet by the encapid.
    But we don't have this entry in the ARP table.
    When we configure the WSA with IP spoofing and the source IP address is the WSA itself, the configuration works fine.
    Has anyone had this kind of problem on some occasion?
    Thank you,
    Everaldo

    Hi Jorge,
    The behavior is that when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with the Internet is not established. I captured the packets that arrive at the ACE coming from the Internet and I see SYN packets with the source address as a public IP (Google) and the destination address as the internal client IP address, with no ACK, just RST.
    With no IP Spoofing, meaning that the source IP address is the WSA, the connection is established with no RST.
    The output of the commands follows:
    show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
    Status     : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 304
      service-policy: WSA-VIPS
        class: WSA_VIP_TCP_3128
         VIP Address:                              Protocol:  Port:
         10.10.193.25                              tcp    eq   3128
          loadbalance:
            L7 loadbalance policy: WSA-POLICY
            VIP Route Metric     : 77
            VIP Route Advertise  : ENABLED-WHEN-ACTIVE
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: DISABLED
            curr conns       : 3         , hit count        : 1260
            dropped conns    : 4
            conns per second    : 0
            client pkt count : 19271     , client byte count: 2326106
            server pkt count : 26140     , server byte count: 16572023
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
            L7 Loadbalance policy : WSA-POLICY
              class/match : class-default
                LB action :
                   primary serverfarm: WSA_FARM
                        state: UP
                    backup serverfarm : -
                hit count        : 1260
                dropped conns    : 0
                compression      : off
          compression:
            bytes_in  : 0                          bytes_out : 0
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0
            Content size: 0               Content type       : 0
            Not HTTP 1.1: 0               HTTP response error: 0
            Others      : 0
    switch/WSA# show probe WSA_TCP_3128
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    switch/WSA# show probe WSA_TCP_3128 detail
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
    description :
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
       conn termination : FORCED
       expect offset    : 0         , open timeout     : 3
       expect regex     : -
       send data        : -
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 2         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 0
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Sep  3 21:06:47 2012
       Last fail time      : Mon Sep  3 20:45:05 2012
       Last active time    : Mon Sep  3 20:45:57 2012
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    Thank you,
    Everaldo

  • If we got Nexus 1000V from VMWARE , can we add the N1K to our CCO ( Cisco Account ) to have direct support from Cisco

    Hi
    If we got Nexus 1000V from VMWARE , can we add the N1K to our CCO ( Cisco Account ) to have direct support from Cisco
    as sometimes it take some more time to get answer from VMWARE -> Cisco
    Thanks

    No.  When you purchase support from Vmware, they are your support contact and they will escalate support to Cisco on your behalf if needed.  This is the case for all OEM support.  Cisco provides support for RHEL, Microsoft and VMware.  We follow the same practice. 
    Deciding who to purchase support from is a decision of single point of contact for all VMware & N1K related issues vs. maintaining separate support contracts with each vendor individually.
    Regards,
    Robert

  • IronPort WSA with Authentication unable to access 2 character domain names with 2 character TLDNs

    I've discovered an issue requiring user authentication where some of the short URL sites like e2.ma will not load in Internet Explorer explicitly configured to go through an IronPort WSA. In testing with bogus domains (a.to, aa.to) it seems the issue is if the domain name is 1-2 characters and the top level domain name is also 2 characters long. Longer domains (aaa.to) work and return an IronPort error for DNS_FAIL. Does anyone know of a workaround to not have to allow all these as unauthenticated destinations?

    Support pointed me towards that KB article as well, but it is for IE 5 (and fixed in IE 6), but IE 8+ uses a TLD list from Microsoft (visible by using res://urlmon.dll/ietldlist.xml) and I don't control the external website. I'm going to try using an IP address surrogate instead of session cookies for these domains and see if that resolves this.

  • Request Sub-CA-Certificate for Ironport WSA

    How do I request a Sub-CA-Certificate for an Ironport WSA ? The GUI only offers the import of the public and private certificates to running the Ironport Proxy Appliance as a subordinate CA. The Root-CA is a Standalone CA from Microsoft.
    Thanks for your help.

    Here is the solution for this question:
    The steps to use the sample inf file are:
    run the command: certreq.exe -new certreq.inf cacert.req
    submit the cacert.req to your Root CA and issue the certificate and export the certificate to a file "newcacer.cer"
    install the certificate by running the command: certreq.exe -accept newcacer.cer
    export the certificate to a PFX file including the private key
    using openssl convert the PFX file to PEM format with the following steps:
              * extract the certificate file (the signed public key) from the pfx file:
                openssl pkcs12 -in PFXFilename.pfx -out SubCA_PubCert.pem -nodes -nokeys -clcerts
              * extract private key from a pfx file and write it to PEM file:
                openssl pkcs12 -in PFXFilename.pfx -out SubCA_PrivKey_encrypted.pem -nocerts
              * remove the password from the private key file:
                openssl rsa -in SubCA_PrivKey_encrypted.pem -out SubCA_PrivKey_unencrypted.pem
    That's all. Then you can import the Sub-CA-Cert and the private key into the Ironport WSA. All the copied certificates issued by the Sub-CA of the Ironport Web Security Appliance will now be trusted by the client (if the Root-CA is trusted on the client).
    Sample for the INF-File:
    [Version]
    Signature="$Windows NT$"
    [Strings]
    CACN = "Issuing CA"
    [NewRequest]
    Subject = "CN=%CACN%"
    Exportable = True
    MachineKeySet = True
    KeyLength = 2048
    KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
    KeyContainer = "%CACN%"
    [Extensions]
    2.5.29.19 = "{text}ca=1&pathlength=0"
    Critical = 2.5.29.19
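
A pre-import check for the PEM pair produced by the openssl steps in the answer above, as an added example that is not part of the original post or Cisco's tooling. The function names, return codes and the constructed throwaway test pair are assumptions of this example; it confirms the certificate is a CA certificate with cert-sign usage, that the private key belongs to it, and that the now unencrypted key file is owner-only.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks for the Sub-CA PEM pair from the steps above.
# Return codes (assumed convention): 0 ok, 1 not a CA certificate,
# 2 key does not match certificate, 3 private key readable by group/other.

check_subca_pair() {
    local cert="$1" key="$2" text cert_pub key_pub
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    # The INF asks for basicConstraints ca=1 and the cert-sign key usage.
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is not a CA certificate"; return 1
    fi
    if ! printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
        echo "FAIL: $cert lacks the Certificate Sign key usage"; return 1
    fi
    # Identical public keys on both sides mean the key belongs to the cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; return 2
    fi
    # The last openssl step leaves the CA key in clear text on disk.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group or other"; return 3
    fi
    echo "OK: CA certificate and key match, key file is owner-only"
}

# Constructed throwaway pair for trying the check (not a real Sub-CA).
# $1 = directory, $2 = basicConstraints value, $3 = keyUsage value.
make_sample_pair() {
    local dir="$1"
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = Constructed test certificate
[v3]
basicConstraints = critical,$2
keyUsage = critical,$3
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"
}

# Usage: script.sh SubCA_PubCert.pem SubCA_PrivKey_unencrypted.pem
if [ "$#" -eq 2 ]; then
    check_subca_pair "$1" "$2"
fi
```

After the import, the unencrypted key file and the PFX are no longer needed on the workstation and can be removed.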

  • Is caching available in WSA 670

    Hi all,
    Is caching available in WSA? I think this will help us to reduce the bandwidth consumption.
    Thanks
    Bijin

    Bijin,
    Yes - the Web Security Appliance also acts as a proxy device and provides a caching option. In today's dynamic web, most of the content is not cache-worthy as the data changes at such a dynamic rate. However, if there is a specific pattern in your network where the end-users tend to access data which is relatively less dynamic, then it should help you in saving bandwidth.
    Thanks,
    Satish

  • IronPort WSA management through Security Management Appliance

    Hi,
    I have two identically configured (policies) IronPort WSA S670 appliances running 7.5.0-833 and both added in SMA M670 management appliance running 7.9.1-102. Appliance A has McAfee license expired. Newly installed appliance B has Mcafee running for 28 more days. "Sophos" is enabled on both and working good. Config Master 7.5 was built based on the config from appliance A.
    Now, when i want to push the Config Master to both the associated WSA, it fails on appliance B as "McAfee" is disabled in Config Master but enabled on it. The setting "Security Services Display" in M670 was changed to enable "McAfee" but now appliance A fails giving a mis-match error on publishing.
    How to workaround this ? Can McAfee license/feature key on appliance B be expired / disabled now without waiting 28 days to let it expire.
    Thanks,
    Rick.

    Hello Rick,
    You can disable Mcafee globally on the SMA by going to :
    GUI -> Web -> Utilities -> Security Services Display -> Edit Display Settings-> Under Configuration Master 7.5 ->
    Do your Web Appliances have McAfee Anti-Malware enabled? -> Uncheck the box and submit.
    Also, disable Mcafee on the appliance that has 28 days of the license left. This way Mcafee will be disabled on all your boxes.
    I hope this helps.
    Regards,
    -Puja

  • Ironport WSA - Management interface

    Hello,
    I have installed one Ironport WSA appliance for my customer.
    I would configure the following interface :
    -M1 : for the management
    -P1 : for the production interface
    -T1 : for L4 inspection
    I have specified a default route for M1 and P1.
    When I tried to ping the Internet or perform an update of the WSA, I saw the request exit by the M1 interface.
    It doesn't work because the management network can't exit to the Internet (it's the policy of the customer).
    -Is it normal that the upgrade of the WSA and the ping exit by the M1 interface?
    -If I want to perform authentication in NTLM (with an AD domain), is the request with the server and the client performed with P1 or M1?
    -Does the upgrade of antivirus & SensorBase use M1 or P1?
    -I thought that M1 was only used for the management of the WSA (SSH and HTTPS).
    -How the WSA appliance can manage two default routes ?
    Can you give me more information about M1 and P1 and the role of each one ?
    Best Regards
    Cédric

    You can change the route that the updates and upgrades use by going to System Administration > Upgrade and Update Settings. Then click on "Edit Update Settings". You can pick the routing table/interface here. By default it's set to the management interface.
    I'm fairly sure that the NTLM traffic from the WSA to the domain is via the management interface.
    P1 is for the proxy traffic. Whatever way you get internet traffic to the box, it goes through P1, in and out (unless you use P2)
    M1 is for all of the other stuff: web management, ssh, updates, ldap/ntauth, etc.

  • Cisco ironport WSA Communication Ports.

    Hi, can anybody please suggest the different ports the WSA uses to communicate with devices like AD using NTLM, ACS, NTP etc.?
    Regards,
    Fayz

    Hi,
    The WSA uses the management interface to communicate with AD.
    Thanks
    Chris
