WSA vs bluecoat

Around here it's about time for another WSA vs BlueCoat battle and I need some ammo ;)
I'll get the usual docs through our SEs and arrange for another eval box to play with, but I was looking for some feedback from people who actually used this device in production.
We're looking at a redundant setup, two devices with an identical config (aside from IP addressing and such) which each should be able to handle the full load. BC has an advantage here because they have virtual IPs that can move from one box to the other. Luckily in our first project that won't be a problem because we already have load balancers in place that can perform this task. But how do you keep the device configurations in sync? BC has a small tool available for partners that does just this (specify the source and a number of targets, and it syncs the full configuration). Is there something similar for the WSA or do you do all this manually?
BC policies are very powerful, sometimes required but often too complex. I know from the previous test that we can transfer about 95% of the policy to the WSA, which is sufficient. The WSA policy was easier to interpret for the admins than that of the BC so that was a plus, but it also left me with some concerns. What if we need to do something like disable authentication for useragent X when accessing site Y, or more complex rules that can't be done in the GUI? Do you often run into problems like this?
Let's just say having something like the messagefilters of the c-series available - even if it's just in case - would make me feel better.
Any other pros / cons you might have, are welcome. I don't expect the WSA will completely replace BC any time soon - a lot more features will need to be implemented first. But I have a couple more customers in mind where the WSA may be a better choice.

> BC has a small tool available for partners that does just this (specify the source and a number of targets, and it syncs the full configuration). Is there something similar for the WSA or do you do all this manually?
The IronPort M-series is an appliance that is used for syncing the configuration files.
> What if we need to do something like disable authentication for useragent X when accessing site Y, or more complex rules that can't be done in the GUI?
Disabling authentication for a user-agent for a specific site(s) is easily possible in the Maui release (5.6). This version is currently in Beta.
The WSA's GUI is powerful enough to handle all of the policies. There may not be 100% flexibility, as there is with the Blue Coats, but the WSA Maui release should cover all of your needs.
> Any other pros / cons you might have, are welcome.
The WSA Maui release has many improvements that make it easier to use over the Blue Coats. The GUI itself is much more powerful. A new GUI packet capture is available in the GUI. The policy trace on the WSA can run a test in real time, whereas the Blue Coat policy trace is written to a log that will have to be pulled and analyzed.
These are some of the areas where we excel.

Similar Messages

  • Default HTTP inspection map

    Hi guys.
    When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
    It's used here as an example in the documentation:
    From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
    However I cannot actually see anywhere what these Default settings are.
    For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
    I cannot find any reference to these.
    If anyone can help that would be great.
    Thanks.
    Mike

    I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
    (Very very few people actually use the built-in http inspection and instead use either a 3rd party solution like WebSense URL filtering or a Proxy server like WSA or BlueCoat or else use the ASA CSC module or NGFX CX module with AVC and WSE.)
    See the following screenshot for what I was talking about in my first paragraph:

  • WSA s170 - How to block skype and download

    Hi,
    I recently changed my proxy solution from BlueCoat ProxySG to Cisco WSA but I'm finding some difficulties operating the appliance.
      a - I can't have multiple default routes
      b - How can I block Skype traffic?
      c - How can I block downloads?
      d - No graphical interface for logging
    I hope someone here can help me, because I don't know yet if it was a good choice to change the solution that used to work like a charm.
    If someone can also point out the other good things I can do with this appliance, that would be good.
    Best regards,
    Alcides 

    It sounds like it may be best for you to reach out to the sales person that sold you this appliance.  But some quick answers for you:
    a) You can go to Network > Routes.  You can set routes based on destinations.  What exactly are you trying to do with multiple default routes?  Are you trying to get some kind of fail-over setup?  If so, this cannot be done.  You can contact TAC and ask that they submit a feature request for this.
    b) Skype can be blocked by the WSA, but after Skype determines that it cannot log on via port 80 or 443, it will start trying every port that ever existed until it gets access.  Are you ready to block all other ports at the firewall?
    c) You can block a download by file types under Access Policies > Mime Type.
    d) There is web tracking.  But if you want to view live logs in the GUI, that is not available.  Consider contacting TAC and asking for a feature request as well.
    It sounds like you are very used to the Bluecoat.  Different products will have different features. 

  • ACS 5.3.0.40 with Bluecoat Packetshaper via Radius Auth using PAP/CHAP

    Hi,
    We have a strange issue, maybe a known issue. We have the ACS 5.3.0.40 with Bluecoat Packetshaper (Packeteer) as the Radius Client and tried with PAP as well as CHAP with the suggested VSA. But once we try to authenticate with the GUI on the PS end we get authentication failed, i.e. it says invalid password, but on the ACS end we get an Auth success log. We are not able to log in to the PS as well. Does anyone have any idea what the issue is, whether anything needs to be done with the patch upgrade, or whether there is any issue with the Packetshaper?
    Below are the logs from the ACS server.
    Logged At:        September 4,2012 4:10:26.250 PM
    RADIUS Status: Authentication        succeeded
    NAS Failure:
    Username: knpdtf
    MAC/IP Address:
    Network        Device: Test-PS : 10.187.115.83:
    Access Service: Radius Network
    Identity        Store: Internal Users
    Authorization Profiles: Permit Access
    CTS        Security Group:
    Authentication Method: PAP_ASCII
    By
    Karthik

    Hi,
    Do you have any special characters in the password? I would see if you can create an internal user in ACS and use a basic password (like cisco123) and see if the authentication will succeed. I have seen with some GUI based products that some special characters can cause some headaches.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • End-user notification is not working for one of the uncategorized HTTPS websites on IronPort WSA

    When users try to access the URL https://cloud.skytap.com/tools/connectivity they are getting 'Internet Explorer cannot display the webpage' instead of the regular IronPort WSA end-user-notification. This URL is currently uncategorized. Please advise.

    Yes, we have set it to drop all the uncategorized URLs. We do get end-user-notifications for HTTP websites which are uncategorized.
    However, if any of the HTTPS websites are uncategorized, then we won't get an end-user-notification.

  • ISE 1.1.2 with Bluecoat ProxySG

    Hi,
    As I understand it, Cisco ISE functions as a RADIUS server. So, if I use Bluecoat ProxySG as a RADIUS client, the authentication should work as it should, right?
    I have tried this with FreeRADIUS and Bluecoat ProxySG and it's working fine.
    Has anyone tried this integration between ISE and Bluecoat?
    Sent from Cisco Technical Support Android App

    Hi,
    I am experiencing the same issue described above, with a similar network layout:
         BlueCoat1---N2K---2*N5K(vPC)---2*C6880(VSS)---Inter Datacenter Links---2*C6880(VSS)---2*N5K(vPC)---N2K---BlueCoat2
    I have configured an IGMP querier in the BlueCoat VLANs on both 2*N5K(vPC), even if one 2*N5K(vPC) should be enough.
    For each VLAN I've used the same free IP address on all 4 N5K:
         Is that correct?
    I am asking because the Cisco documentation says that only the one with the "lowest IP-Address (?)" will be active:
         How should the IGMP-Querier-election work in my case?
    Any help will be really appreciated.
    Many thanks

  • WSA wsdl-gen won't get a custom WSDL

    Hi,
    I'm trying to make Web Service Assembler in OC4J 10.1.2 get my custom WSDL file, but it won't no matter what I change. This is the config file I'm using now:
    <web-service>
         <display-name>Web Service Demo</display-name>
         <description>Web Service Demo for OC4J</description>
         <destination-path>./build/wsd-services.ear</destination-path>
         <temporary-directory>c:\temp</temporary-directory>
         <context>/wsdemo-ws</context>
         <stateless-java-service>
         <interface-name>es.wsd.services.DemoServiceInt</interface-name>
         <class-name>es.wsd.services.DemoService</class-name>
         <uri>/demoService</uri>
         <java-resource>./bin</java-resource>
         </stateless-java-service>
         <wsdl-gen>
         <wsdl-dir>./wsaconfig</wsdl-dir>
         <option name="force">false</option>
         <option name="packageIt">true</option>
         <option name="httpServerURL">http://localhost:8888</option>     
         </wsdl-gen>
    </web-service>
    Well, I have a DemoServiceInt.wsdl file in the wsaconfig folder hanging from my project's root, and use this ant target to launch WSA:
    <property name="WSA.dir" value="c:\desarrollo\java\oc4j\webservices\lib"/>
    <property name="WSA.dir.config" value="./wsaconfig"/>
    <target name="build.wsa" depends="build.src">
    <java jar="${WSA.dir}/WebServicesAssembler.jar" fork="true">
         <arg value="-config"/>
         <arg value="${WSA.dir.config}/config.xml"/>
    </java>
    </target>
    Thank you in advance.
    Best regards.
    Juan Alvarez Ferrando

    Let's take it one step further. Reset your network settings on your touch. Tap Settings > General > Reset > Reset Network settings. When it restarts, log back onto your network.
    Since you are using the same router as before as your access point, what really has changed? The default on DNS is "Use ISP's DNS" isn't it?

  • Is anyone aware of an updated reporting API for the ESA/WSA?

    I'm looking to build a dashboard website and the pre-Cisco API tools don't seem to work on any of the current platforms. 
    https://supportforums.cisco.com/document/33721/cisco-ironport-systems-contributed-tools
    I know they worked for a while after the merger, but I didn't notice when they stopped working.

    Hi
    Could you please let us know your plan for the release of updated Reporting API tools and Log based reporting tools.  
    Also let us know the new forums to which you have migrated.
    We are also looking to interact with the WSA device and fetch the logs or CSVs for our customized systems

  • WSA redundancy and WCCP questions

    Hello! My customer bought a pair of S370 WSAs prior to deployment planning. I need to deploy both of them into an existing network and I'd like to ask a few questions of somebody who knows how to do it.
    1. As I know from the manuals, WSA doesn't support any clustering but I'd like to use both of my S370s for redundancy. I'm planning to use WCCP only, no explicit proxy mode will be used. What methods can I use to deploy a redundant WCCP cache on a pair of WSAs? If it is possible, I'd prefer to use something like Active\Passive but not a load balancing scheme. Does it have a Centralized management feature like ESA to share configs between devices?
    2. I have a fusion router which "mixes" traffic from different VRFs. Is it possible to configure the router in such a way that every VRF (which corresponds to every interface and different subnets) will be seen with its own IP address on the internet, or will all of them be using just the WSA's address like in explicit proxy mode?
    3. When I tried to test my WSA in explicit proxy mode prior to configuring WCCP, I found out that I can use it as a proxy without any authentication, just by setting its address and port in my browser. How can I disable explicit proxy mode or set any authentication (no LDAP or NTLM) to prevent unauthorized access to my proxy?
    I'm a newbie with IronPorts so I will appreciate any help including links to manuals

    The WCCP protocol allows for automatic detection of all connected devices, both proxies and routers/firewalls/switches. When configuring WCCP with multiple WSAs, they're all in the WCCP cluster, with the router doing the load balancing between the detected proxies. From what I've seen, you can't configure an active/passive scenario.
    As you mentioned, WSAs don't support the clustering seen in ESAs. You could use an M-series box to provide central management and reporting for multiple WSAs in your environment.
    Regarding VRFs: WSAs support IP spoofing, which allows you to send out requests with the client's instead of the WSA's external address. You could perform PAT of multiple addresses on the edge router/firewall to send the requests out with a different IP address for each VRF for example.
    I don't think you can fully disable the explicit proxy on the WSA. You can set up a firewall rule to prevent direct client access to the proxy ports.
    Sent from Cisco Technical Support iPad App

  • How to use user-roles in Ironport WSA (7.6) using ACS 4.1?

    Hello,
    I want to give a client access to a S370 WSA quarantine and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).
    I have created a user-role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS but my question is, what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not like an administrator role.
    Thanks for your help!
    Sergio

    Hi,
    This can be done by configuring the Radius Class attribute on the ACS and mapping it with the user roles on the WSA.
    "To map RADIUS users to different Web Security appliance user role types, you assign a role type, such
    as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you
    specify the authorization level for each RADIUS user."
    Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".
    Regards,
    Kush

  • WSA - Report Query Failed

    Hi all,
    Recently, I'm receiving these two alerts from one WSA S370:
    Report Query Failed
          query_id: wsa_monitor_overview_web_proxy_summary
          data_source: WSASimpleTotalRDS
          error: <type 'type'> ('egg/command_client.py send_message|555', "<class 'Commandment.DaemonUnresponsiveError'>", 'S370B.NAME.net: The daemon is not responding.', '[database/ReportCatalog.py run_report_queries|332] [reportdatasource/CounterReportDataSource.py query|265] [reportdatasource/CounterReportDataSource.py _parse_overall_interval|581] [query/merged_result.py range|85] [query/client.py _call|235] [egg/command_client.py call|233] [egg/command_client.py send_message|555]')
    AND
    Report Query Failed
          query_id: wsa_monitor_overview_clients_by_blocked_transactions
          data_source: WSACommonRDS
          error: <type 'type'> ('egg/command_client.py call|238', "<class 'reporting.query.exceptions.DatabaseQueryFailure'>", '', '[database/ReportCatalog.py run_report_queries|332] [reportdatasource/CounterReportDataSource.py query|251] [reportdatasource/CounterReportDataSource.py _run_api_query|482] [query/client.py time_merge_query|454] [query/client.py _call|235] [egg/command_client.py call|238]')
    The code I'm using is 7.1.1-038
    I started receiving the alerts only after upgrading to this code. Have you noticed something similar?
    Thanks a lot for your help!!!
    Fernando

    Hello Everyone,
    I am in Australia (Melbourne) and I am using an IronPort S160 web security appliance, version: 7.1.2-80. Recently I have started receiving the following warning from the IronPort proxy.
    The Warning message is:
    Report Query Failed
                    query_id: wsa_monitor_overview_malware_categories
                    data_source: WSACommonRDS
                    error: ('egg/command_client.py send_message|555', "", 'proxymel3.sportsbet.com.au: The daemon is not responding.', '[database/ReportCatalog.py run_report_queries|332] [reportdatasource/CounterReportDataSource.py query|265] [reportdatasource/CounterReportDataSource.py _parse_overall_interval|581] [query/merged_result.py range|85] [query/client.py _call|235] [egg/command_client.py call|233] [egg/command_client.py send_message|555]')
    Report Query Failed
                    query_id: wsa_monitor_overview_suspect_transactions_detected
                    data_source: CounterReportDataSource
                    error: ('egg/command_client.py send_message|555', "", 'proxymel3.sportsbet.com.au: The daemon is not responding.', '[database/ReportCatalog.py run_report_queries|332] [reportdatasource/CounterReportDataSource.py query|272] [reportdatasource/CounterReportDataSource.py _parse_api_results|506] [reportdatasource/CounterReportDataSource.py _parse_interval_result_set|525] [query/result.py next|112] [query/client.py _call|235] [egg/command_client.py call|233] [egg/command_client.py send_message|555]')
    Report Query Failed
                    query_id: wsa_monitor_overview_suspect_transactions_summary
                    data_source: WSASimpleTotalRDS
                    error: ('egg/command_client.py send_message|555', "", 'proxymel3.sportsbet.com.au: The daemon is not responding.', '[database/ReportCatalog.py run_report_queries|332] [reportdatasource/CounterReportDataSource.py query|265] [reportdatasource/CounterReportDataSource.py _parse_overall_interval|581] [query/merged_result.py range|85] [query/client.py _call|235] [egg/command_client.py call|233] [egg/command_client.py send_message|555]')
    Report Query Failed
                    query_id: wsa_monitor_overview_top_application_types
                    data_source: CounterReportDataSource
                    error: ('egg/command_client.py send_message|555', "", 'proxymel3.sportsbet.com.au: The daemon is not responding.', '[database/ReportCatalog.py run_report_queries|332] [reportdatasource/CounterReportDataSource.py query|265] [reportdatasource/CounterReportDataSource.py _parse_overall_interval|581] [query/merged_result.py range|85] [query/client.py _call|235] [egg/command_client.py call|233] [egg/command_client.py send_message|555]')
    Report Query Failed
                    query_id: wsa_monitor_overview_top_url_categories
                    data_source: CounterReportDataSource
                    error: ('egg/command_client.py send_message|555', "", 'proxymel3.sportsbet.com.au: The daemon is not responding.', '[database/ReportCatalog.py run_report_queries|332] [reportdatasource/CounterReportDataSource.py query|265] [reportdatasource/CounterReportDataSource.py _parse_overall_interval|581] [query/merged_result.py range|85] [query/client.py _call|235] [egg/command_client.py call|233] [egg/command_client.py send_message|555]')
    Product: IronPort S160 Web Security Appliance
    Model: S160
    Version: 7.1.2-080
    Serial Number: 0025643CFD42-4GQYHL1
    Timestamp: 14 Jun 2012 14:00:21 +1000
    Thank you for your help.
    Lovedeep

  • How to set wsa:Action in Jdeveloper?

    Hello,
    I am using JDeveloper 11g/SOA Suite 11g. I am creating a BPEL process that calls a remote web service. In the request that I am generating, the SOAP Action header and the wsa:Action value are not the same. Does anyone know how to explicitly set the value for wsa:Action tag in the WS Addressing header?

    see :
    http://weblogs.asp.net/gsusx/archive/2006/06/01/WS_2D00_Addressing-interoperability-between-Oracle-BPEL-Process-Manager-and-Microsoft-Windows-Communication-Foundation.aspx
    http://dlimiter.wordpress.com/2009/11/16/manipulating-ws-addressing-headers-in-oracle-bpel/
    on how to populate the ws-addressing elements yourself
    basically you need to add the ws-addressing xsd, create a new variable of it, populate the elements and add it to your partnerlink

  • OC4J  10.1.3 WSA -assemble "Duplicate type name" error

    I am trying to expose a Java class as a web service using the WSA tool assemble command. The return result of one of the methods is reasonably complex and includes two variables the classes of which both extend the same base class e.g. (bean bits missing for brevity)
    public class Value extends DatasetMember {
    private double value;
    public class Text extends DatasetMember {
    private String value;
    When I attempt to assemble the web service wsa spits out
    Error: uk.gov.ecoconnect.webservices.datatypes.DatasetMember - Duplicate type name "uk.gov.ecoconnect.webservices.datatypes.DatasetMember" for Java type "{http://uk.gov.ecoconnect.webservices.datatypes/}DatasetMember" found. To remove this error do not specify a single typeNamespace for all value types or specify a mapping file. This error could also be caused when an erroneous type has been used more than once.
    If I use AXIS against the same classes I get a correctly generated wsdl file.
    Is there any way to get wsa to generate a wsdl that utilises the <extension> element?
    Is there an alternative OC4J mechanism that I could use to achieve this?
    I'm guessing that if the answer to the above questions is no I guess I'm going to have to move to using AXIS instead.

    Hi Tzhang,
    Thanks for the update.
    What specific changes did you make to make this work? Can you please share that with us?
    By looking at the exception, it looks like it's failing when trying to clear the datasource connection cache. I even opened the admin_ejb app. All it has is some MDB using JMS queues. But I didn't find any datasource references in that application.
    Regards,
    Rajesh

  • Route to WSA based on destination

    Dear
    I need to purchase two IronPort boxes, one for the ADSL line and a second for the leased line.
    My aim is that when a user opens a business site it goes through the leased line, and when they open a non-business site it goes to ADSL.
    I need a solution to achieve this.
    And can I predefine the business and non-business sites?

    Hello,
    Unfortunately the WSA cannot control which requests get sent to it, it simply listens for traffic coming to its interface on specific ports (80, 3128, 21, 443). When it comes to specific URLs being routed to one WSA or another it will require that you have a device that can inspect the traffic at Layer 4 (HTTP/HTTPS/FTP) and make a routing decision based on the URI in the HTTP header.
    You could add a 3rd WSA to route the traffic using an upstream proxy configuration. You would use proxy groups and routing policies to match Custom URL categories or predefined URL categories to send to one of the two upstream proxies.
    Other than adding an additional device to route the traffic, you could look into Policy based routing or using multiple WCCP services  (one for each WSA) and creating an ACL to match the business sites IP addresses vs the non-business sites. This could become an issue as most websites use dynamic IP schemes.
    Hope this helps.
    Best Regards,
    Michael Hautekeete
    Customer Support Engineer
    Cisco Content Security - Web Security Appliance
    http://www.cisco.com/en/US/products/ps11169/serv_group_home.html
    https://supportforums.cisco.com/community/netpro/security/web
    https://supportforums.cisco.com/community/feeds?community=2091

  • Load Balancing Internet Sources with WSA

    Hello everyone,
    Is it possible to have multiple internet sources with the WSA? With Microsoft Forefront TMG you can have multiple internet sources and adjust, for example, 33% load on the first link and 66% on the second link.
    We currently have the S160.
    Thanks.

    If you mean "use the WSA to load balance traffic between 2 or more internet providers", no... the WSA won't do that.
