Cloud Web Security:
Traffic Redirection Methods
February 2016
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6
Overview
This document provides guidance on selecting a mechanism for redirecting web traffic to Cisco Cloud Web
Security (CWS).
The traffic redirection methods currently in use by customers are:
ASA platforms
ISR platforms
CWS Connector
WSA Connector
Direct-To-Tower methods (Hosted PAC files, third-party proxies, explicit browser configuration)
AnyConnect
Selecting a Method to Redirect Web Traffic
The process of selecting a traffic redirection method is captured in Figure 1 below, and is applicable to most customer environments.
Figure 1: Traffic redirection methods (flowchart; each selection step and the method it leads to are listed below)
Customer needs to support roaming users: use AnyConnect; or, if AUP, Quotas or SSL Tunneling is required, the CWS Connector.
Customer owns Cisco hardware (ISR, ASA, WSA): use the existing Cisco hardware; or, if High Performance, WCCP, NTLMv2 or Local Logging is required, the WSA Connector; or, if a virtual form factor is required, the WSAv Connector.
Customer does not own Cisco hardware and needs transparent redirection (WCCP): WSAv Connector.
Customer does not own Cisco hardware and needs an explicit proxy: Direct-to-Tower (PAC file, third-party proxies); or, if user granularity is required, the CWS Connector.
Legend: selection process step; selected traffic redirection method.
Customers who own Cisco hardware (ISR, ASA, or WSA) are encouraged to leverage the integrated traffic redirection capabilities of their platforms. For all other environments, the choice of traffic redirection is between the
CWS Connector, the WSAv Connector or Direct-To-Tower methods.
When To Redirect Traffic Using Direct-To-Tower Methods
Customers who do not have an ASA or ISR in their environment should send traffic directly using PAC files, third-party proxies or explicit browser settings. Direct-To-Tower methods can be used with EasyID and SAML to capture user identity.
Choosing between the CWS Connector and the WSAv Connector
The selection process between these two options depends primarily on whether customers want to redirect traffic transparently to CWS. Figure 2 outlines the selection process, based on the two most important criteria: proxy type and sizing requirements.
Figure 2: Choosing between CWS and WSAv Connectors (flowchart)
Is transparent traffic redirection required? Yes: WSA or WSAv Connector. No: are there more than 2000 users to support? Yes: WSA or WSAv Connector. No: CWS Connector.
CWS Features Supported By Traffic Redirection Options
Table 1 below lists the Cloud Web Security features supported when using a specific traffic redirection option.
Table 1: Supported CWS Features
Redirection options (columns): ASA Connector, ISR-G2 Connector, ISR-4K Connector, WSA Connector, Native Connector, Hosted PAC File, AnyConnect, Mobile Browser.
Supported across all redirection options: Web Filtering, Exceptions, URL Categorization, Application Visibility and Classification, Customizable Notifications, Outbreak Intelligence, Cloud Whitelisting.
Varies by redirection option: HTTPS Inspection (MITM) (note 1), AUP (note 2), Quotas (note 3). Per notes 2 and 3, AUP and Quotas are supported only with the CWS Connector. [The per-option Yes/No cells for these three rows are not legible in this extraction.]
Feature Comparison Across Traffic Redirection Options For CWS
All traffic redirection options listed below have the ability to redirect web traffic (port 80 and 443) and forward authenticated user details to CWS. Table 2 lists the capabilities supported by each traffic redirection option.
Table 2: Traffic Redirection Options Supported Feature Matrix
Rows: Redirection Capabilities (Traffic Redirection Method; How Devices Authenticate to Cloud; Tower Failover (note 5); SSL Tunneling (note 6); Whitelisting (Exceptions) (note 7)) and User Authentication Mechanisms (Mechanism; Additional Options (note 8); Transparent: Supported Browsers, Supported OS; Non transparent: Supported Browsers, Supported OS; Supported Protocols; Supported Versions).

ASA Connector: Traffic Redirection Method: Transparent. How Devices Authenticate to Cloud: License Key (note 4). Mechanism: IDFW. Additional Options: EasyID / SAML. Transparent: Yes; Supported Browsers: IE, FF, Safari, Chrome. Non transparent: Yes; Supported Browsers: All; Supported OS: Windows / OS X / iOS devices. Supported Protocols: LDAP and Radius (via CDA). Supported Versions: 9.0 and above.
ISR-G2 Connector: Traffic Redirection Method: Transparent. How Devices Authenticate to Cloud: License Key (note 4). Mechanism: ISR AAA Services. Additional Options: EasyID / SAML. Transparent: Yes; Supported Browsers: IE, FF, Safari, Chrome. Non transparent: Yes; Supported Browsers: All; Supported OS: Windows / OS X / iOS devices. Supported Protocols: NTLM (v1, v2), LDAP, TACACS and Radius. Supported Versions: ISR G2, 15.3(3) M3.
ISR-4K Connector: Traffic Redirection Method: Transparent (via Secure Tunnel). How Devices Authenticate to Cloud: License Key (note 4). Mechanism: Supported in future release. Additional Options: EasyID / SAML. Transparent and Non transparent browser and OS support: Supported in future release. Supported Protocols: Supported in future release. Supported Versions: IOS XE 3.16.1.
WSA Connector: Traffic Redirection Method: Transparent (WCCP) / Explicit. How Devices Authenticate to Cloud: License Key (note 4). Mechanism: LDAP, NTLM, CDA. Additional Options: EasyID / SAML. Transparent: Yes (NTLM, CDA); Supported Browsers: IE, FF, Chrome. Non transparent: Yes; Supported Browsers: All; Supported OS: Windows / OS X / iOS devices. Supported Protocols: NTLM, Basic (LDAP). Supported Versions: 8.x.
CWS Connector: Traffic Redirection Method: Explicit. How Devices Authenticate to Cloud: License Key (note 4) and Egress IP. Mechanism: Proxy NTLM. Additional Options: EasyID / SAML. Transparent: Yes; Supported Browsers: IE, FF, Chrome; Supported OS: Windows. Non transparent: Yes; Supported Browsers: All; Supported OS: Windows / OS X / iOS devices. Supported Protocols: NTLM (v1). Supported Versions: Any.
Hosted PAC File: Traffic Redirection Method: Explicit. How Devices Authenticate to Cloud: Egress IP. Whitelisting (Exceptions): Via proxy PAC file. Mechanism: N/A. Additional Options: EasyID / SAML. Transparent: No; Supported Browsers: N/A; Supported OS: N/A. Non transparent: Yes; Supported Browsers: All; Supported OS: Windows / OS X / iOS devices. Supported Protocols: N/A. Supported Versions: N/A.
AnyConnect: Traffic Redirection Method: Transparent. How Devices Authenticate to Cloud: License Key (note 4). Mechanism: GP result API - Windows. Additional Options: EasyID / SAML. Transparent: Yes; Supported Browsers: IE, FF, Safari, Chrome; Supported OS: Windows / OS X. Non transparent: No; Supported Browsers: N/A; Supported OS: N/A. Supported Protocols: NTLM - Windows API. Supported Versions: 3.0 and above.
Mobile Browser: Traffic Redirection Method: Transparent. How Devices Authenticate to Cloud: License Key (note 4). Mechanism: N/A. Additional Options: EasyID / SAML. Transparent: Yes; Supported Browsers: N/A; Supported OS: iOS / Android. Non transparent: Yes; Supported Browsers: N/A; Supported OS: iOS / Android. Supported Protocols: N/A. Supported Versions: N/A.

Cells whose per-option assignment is not legible in this extraction:
Tower Failover (note 5): "Failover is determined by lost connection not slow connection"; "Connection to the towers is checked at regular intervals and failover to another tower occurs on the platform if tower does not return a response"; "Available when configured with Detect Closest Tower (DCT)" (two options); "No".
SSL Tunneling (note 6): values present are No, GRE over IPsec, Yes (default), Yes.
Whitelisting (Exceptions) (note 7), for the options other than Hosted PAC File: values present are No; IP, IP Ranges; IP, IP Ranges, Host; IP, IP Ranges, URL Host (with wildcard); IP, IP Ranges, URL Host (with wildcard), User Agent; IP/CIDR, FQDN, URL (with wildcard), User Agent.
Transparent Supported OS for the ASA, ISR-G2 and WSA Connectors: Windows, or Windows / OS X.
Additional details:
1. HTTPS inspection is an optional feature for scanning of HTTPS traffic.
2. Acceptable Use Policy (AUP) is supported only with the CWS Connector, which tracks if/when users last agreed to an AUP.
3. Quotas are supported only with the CWS Connector, which tracks browsing usage.
4. A Company/Group key is always used with ASA, ISR, and AnyConnect. This is optional with CWS Connectors, and can be replaced by scanning IPs specified in ScanCenter.
5. All connectors provide the ability to configure a primary and a secondary proxy.
6. SSL Tunneling is a feature that encrypts all communications between the Connector and the cloud infrastructure via an SSL tunnel.
7. Whitelisting is configured and enforced at the Connector level to prevent certain traffic from being redirected to CWS (and hence bypass scanning). This feature can also be configured through a PAC file when using explicit proxy settings.
8. Additional options denote authentication mechanisms that can be used instead of the platform’s built-in authentication mechanisms. Note that in some cases, SAML authentication may not be transparent to the end user, prompting them to authenticate with their credentials.
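Notes 5 and 7 describe primary/secondary proxies and PAC-file whitelisting for Direct-To-Tower (explicit proxy) redirection. The PAC file below is an added example, not from this Cisco document; the tower hostnames and internal address ranges are constructed placeholders, and the three helper functions at the top stand in for the ones browsers supply to PAC scripts so the file also runs under Node.js.

```javascript
// Added example (not from the Cisco document): PAC file for Direct-To-Tower
// redirection with whitelisting (exceptions) and a primary/secondary tower.
// Tower hostnames and internal ranges are constructed placeholders.
//
// Browsers provide isPlainHostName/shExpMatch/isInNet to PAC scripts at
// runtime; minimal versions are defined here so the file also runs in Node.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, shexp) {
  // Shell-style pattern: "*" matches any run, "?" a single character.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function isInNet(ip, net, mask) {
  var toInt = function (s) {
    return s.split(".").reduce(function (a, o) { return (a << 8) + Number(o); }, 0) >>> 0;
  };
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false; // literal IPv4 only
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// Whitelist (exceptions): traffic matching these never reaches the tower,
// so it is not scanned. Keep the list short and review it like a firewall rule.
var WHITELIST_HOSTS = ["*.example-intranet.local", "payroll.example.com"];
var WHITELIST_NETS = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]];

// Primary and secondary tower (note 5): the browser falls back to the second
// PROXY entry only when the first cannot be reached.
var TOWERS = "PROXY tower-primary.example.invalid:8080; " +
             "PROXY tower-secondary.example.invalid:8080";

function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";          // unqualified intranet names
  for (var i = 0; i < WHITELIST_HOSTS.length; i++) {
    if (shExpMatch(host, WHITELIST_HOSTS[i])) return "DIRECT";
  }
  // dnsResolve() is deliberately not used: resolving every host inside the PAC
  // adds latency and can stall page loads, so only literal IP destinations match.
  for (var j = 0; j < WHITELIST_NETS.length; j++) {
    if (isInNet(host, WHITELIST_NETS[j][0], WHITELIST_NETS[j][1])) return "DIRECT";
  }
  return TOWERS; // everything else, HTTP and HTTPS (ports 80 and 443), goes to CWS
}
```

Whitelisted destinations bypass scanning entirely, which is the trade-off note 7 points at; the pattern matching is anchored so a hostname merely containing a whitelisted suffix does not slip through.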
Frequently Asked Questions
How do I determine if I need a high performance solution?
Each configuration guide listed in Table 3 provides guidelines on the maximum number of users that the specific traffic redirection method supports. For environments that exceed these limits, customers may consider using additional devices for traffic redirection, or using Direct-To-Tower redirection in conjunction with user identity obtained through EasyID or SAML.
How do customers secure remote user web traffic?
For users who are remote and operate outside the boundaries of the corporate network, use the AnyConnect client to redirect traffic to CWS. For details on configuring AnyConnect, please refer to: http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Dec2013/CVD-CloudWebSecurityUsingCiscoAnyConnectDesignGuide-DEC13.pdf
Configuration Reference Information
For detailed information on how to configure a traffic redirection option, please refer to the relevant documentation listed in Table 3:
Table 3: Reference and Configuration Guides
ASA: ASA Connector Quick Configuration Guide: http://dcg.cisco.com/go/5v
ISR: CWS Configuration Guide: http://dcg.cisco.com/go/5w
CWS Connector: Connector Administrator Guide: http://dcg.cisco.com/go/5x
WSA / WSAv Connector: Cisco AsyncOS for Web User Guide: http://dcg.cisco.com/go/5y
AnyConnect: CWS Using AnyConnect – Technology Design Guide: http://dcg.cisco.com/go/5z