Cisco ScanSafe Secure Mobility Cloud Web Security Leaflet


Cloud Web Security: Traffic Redirection Methods

February 2016

© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6

Overview

This document provides guidance on selecting a mechanism for redirecting web traffic to Cisco Cloud Web Security (CWS).

The traffic redirection methods currently in use by customers are:

- ASA platforms
- ISR platforms
- CWS Connector
- WSA Connector
- Direct-To-Tower methods (Hosted PAC files, third-party proxies, explicit browser configuration)
- AnyConnect

Selecting a Method to Redirect Web Traffic

The process of selecting a traffic redirection method is captured in Figure 1 below, and is applicable to most customer environments.

Figure 1: Traffic redirection methods (flowchart rendered as text)

- Customer needs to support roaming users: use AnyConnect; or, if AUP, Quotas or SSL Tunneling is required, the CWS Connector.
- Customer owns Cisco hardware (ISR, ASA, WSA): use the existing Cisco hardware; or, if high performance, WCCP, NTLMv2 or local logging are required, the WSA Connector; or, if a virtual form factor is required, the WSAv Connector.
- Customer does not own Cisco hardware and needs transparent redirection (WCCP): WSAv Connector.
- Customer does not own Cisco hardware and needs an explicit proxy: Direct-to-Tower (PAC file, third-party proxies); or, if user granularity is required, the CWS Connector.

Customers who own Cisco hardware (ISR, ASA, or WSA) are encouraged to leverage the integrated traffic redirection capabilities of their platforms. For all other environments, the choice of traffic redirection is between the CWS Connector, the WSAv Connector or Direct-To-Tower methods.

When To Redirect Traffic Using Direct-To-Tower Methods

Customers who do not have an ASA or ISR in their environment should send traffic directly using PAC files, third-party proxies or explicit browser settings. Direct-To-Tower methods can be used with EasyID and SAML to capture user identity.

Choosing between the CWS Connector and the WSAv Connector

The selection process between these two options depends primarily on whether customers want to redirect traffic transparently to CWS. Figure 2 outlines the selection process, based on the two most important criteria: proxy type and sizing requirements.

Figure 2: Choosing between CWS and WSAv Connectors (flowchart rendered as text)

- Is transparent traffic redirection required? Yes: WSA or WSAv Connector. No: continue to the next question.
- Are there more than 2000 users to support? Yes: WSA or WSAv Connector. No: CWS Connector.

CWS Features Supported By Traffic Redirection Options

Table 1 below lists the Cloud Web Security features supported when using a specific traffic redirection option.

Table 1: Supported CWS Features

Redirection options (columns): ASA Connector, ISR-G2 Connector, ISR-4K Connector, WSA Connector, Native Connector, Hosted PAC File, AnyConnect, Mobile Browser.

CWS features (rows): HTTPS Inspection (MITM) 1, Web Filtering Exceptions, URL Categorization, Application Visibility and Classification, Customizable Notifications, Outbreak Intelligence, Cloud Whitelisting, AUP 2, Quotas 3.

Most feature rows are marked "Supported across all redirection options"; the per-option Yes/No cells of the remaining rows are not legible in this copy (for AUP and Quotas, see notes 2 and 3 below: supported only with the CWS Connector).

Feature Comparison Across Traffic Redirection Options For CWS

All traffic redirection options listed below have the ability to redirect web traffic (ports 80 and 443) and forward authenticated user details to CWS. Table 2 lists the capabilities supported by each traffic redirection option.

Table 2: Traffic Redirection Options Supported Feature Matrix

Rows are grouped as Redirection Capabilities (traffic redirection method, how devices authenticate to the cloud, tower failover, SSL tunneling, whitelisting) and User Authentication Mechanisms (mechanism, additional options, transparent and non-transparent support, supported protocols, supported versions).

Tower Failover 5 (connector columns, ASA Connector through CWS Connector): failover is determined by lost connection, not slow connection. Connection to the towers is checked at regular intervals, and failover to another tower occurs on the platform if a tower does not return a response.

ASA Connector
  Traffic Redirection Method: Transparent
  How Devices Authenticate to Cloud: License Key 4
  SSL Tunneling 6: No
  Whitelisting (Exceptions) 7: IP, IP Ranges
  User Authentication Mechanisms: IDFW
  Additional Options 8: EasyID / SAML
  Transparent: Yes; Supported Browsers: IE, FF, Safari, Chrome; Supported OS: Windows / OS X / iOS devices
  Non transparent: Yes; Supported Browsers: All; Supported OS: Windows
  Supported Protocols: LDAP and Radius (via CDA)
  Supported Versions: 9.0 and above

ISR-G2 Connector
  Traffic Redirection Method: Transparent
  How Devices Authenticate to Cloud: License Key 4
  SSL Tunneling 6: No
  Whitelisting (Exceptions) 7: IP, IP Ranges, URL Host (with wildcard), User Agent
  User Authentication Mechanisms: ISR AAA Services
  Additional Options 8: EasyID / SAML
  Transparent: Yes; Supported Browsers: IE, FF, Safari, Chrome; Supported OS: Windows / OS X / iOS
  Non transparent: Yes; Supported Browsers: All; Supported OS: Windows
  Supported Protocols: NTLM (v1, v2), LDAP, TACACS and Radius
  Supported Versions: ISR G2, 15.3(3) M3

ISR-4K Connector
  Traffic Redirection Method: Transparent (via Secure Tunnel)
  How Devices Authenticate to Cloud: License Key 4
  SSL Tunneling 6: GRE over IPsec
  Whitelisting (Exceptions) 7: IP, IP Ranges, URL Host (with wildcard)
  User Authentication Mechanisms: Supported in future release
  Additional Options 8: EasyID / SAML
  Transparent: Supported in future release; Supported Browsers and Supported OS: Supported in future release
  Non transparent: Supported in future release; Supported Browsers and Supported OS: Supported in future release
  Supported Protocols: Supported in future release
  Supported Versions: IOS XE 3.16.1

WSA Connector
  Traffic Redirection Method: Transparent (WCCP) / Explicit
  How Devices Authenticate to Cloud: License Key 4
  SSL Tunneling 6: No
  Whitelisting (Exceptions) 7: IP/CIDR, FQDN, URL (with wildcard), User Agent
  User Authentication Mechanisms: LDAP, NTLM, CDA
  Additional Options 8: EasyID / SAML
  Transparent: Yes (NTLM, CDA); Supported Browsers: IE, FF, Chrome; Supported OS: Windows / OS X
  Non transparent: Yes; Supported Browsers: All; Supported OS: Windows / OS X / iOS devices
  Supported Protocols: NTLM, Basic (LDAP)
  Supported Versions: 8.x

CWS Connector
  Traffic Redirection Method: Explicit
  How Devices Authenticate to Cloud: License Key 4 and Egress IP
  SSL Tunneling 6: Yes (default)
  Whitelisting (Exceptions) 7: IP, IP Ranges, URL Host (with wildcard), User Agent
  User Authentication Mechanisms: Proxy NTLM
  Additional Options 8: EasyID / SAML
  Transparent: Yes; Supported Browsers: IE, FF, Chrome; Supported OS: Windows
  Non transparent: Yes; Supported Browsers: All; Supported OS: Windows / OS X / iOS devices
  Supported Protocols: NTLM (v1)
  Supported Versions: Any

Hosted PAC File
  Traffic Redirection Method: Explicit
  How Devices Authenticate to Cloud: Egress IP
  Tower Failover 5: Via proxy PAC file
  SSL Tunneling 6: No
  Whitelisting (Exceptions) 7: IP, IP Ranges, URL Host (with wildcard), User Agent
  User Authentication Mechanisms: N/A
  Additional Options 8: EasyID / SAML
  Transparent: No; Supported Browsers: N/A; Supported OS: N/A
  Non transparent: Yes; Supported Browsers: All; Supported OS: Windows / OS X / iOS devices
  Supported Protocols: N/A
  Supported Versions: N/A

AnyConnect
  Traffic Redirection Method: Transparent
  How Devices Authenticate to Cloud: License Key 4
  Tower Failover 5: Available when configured with Detect Closest Tower (DCT)
  SSL Tunneling 6: Yes
  Whitelisting (Exceptions) 7: IP, IP Ranges, Host
  User Authentication Mechanisms: GP result API - Windows
  Additional Options 8: EasyID / SAML
  Transparent: Yes; Supported Browsers: IE, FF, Safari, Chrome; Supported OS: Windows / OS X
  Non transparent: No; Supported Browsers: N/A; Supported OS: N/A
  Supported Protocols: NTLM - Windows API
  Supported Versions: 3.0 and above

Mobile Browser
  Traffic Redirection Method: Transparent
  How Devices Authenticate to Cloud: License Key 4
  Tower Failover 5: Available when configured with Detect Closest Tower (DCT)
  SSL Tunneling 6: No
  Whitelisting (Exceptions) 7: IP, IP Ranges, URL Host (with wildcard)
  User Authentication Mechanisms: N/A
  Additional Options 8: EasyID / SAML
  Transparent: Yes; Supported Browsers: N/A; Supported OS: iOS / Android
  Non transparent: Yes; Supported Browsers: N/A; Supported OS: iOS / Android
  Supported Protocols: N/A
  Supported Versions: N/A

Additional details:

1. HTTPS inspection is an optional feature for scanning of HTTPS traffic.

2. Acceptable Use Policy (AUP) is supported only with the CWS Connector, which tracks if/when users last agreed to an AUP.

3. Quotas are supported only with the CWS Connector, which tracks browsing usage.

4. A Company/Group key is always used with ASA, ISR, and AnyConnect. This is optional with CWS Connectors, and can be replaced by scanning IPs specified in ScanCenter.

5. All connectors provide the ability to configure a primary and a secondary proxy.

6. SSL Tunneling is a feature that encrypts all communications between the Connector and the cloud infrastructure via an SSL tunnel.

7. Whitelisting is configured and enforced at the Connector level to prevent certain traffic from being redirected to CWS (and hence bypass scanning). This feature can also be configured through a PAC file when using explicit proxy settings.

8. Additional options denote authentication mechanisms that can be used instead of the platform’s built-in authentication mechanisms. Note that in some cases, SAML authentication may not be transparent to the end user, prompting them to authenticate with their credentials.
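The following PAC file is an added example, not part of the leaflet or Cisco's documentation. It shows how the Direct-To-Tower "Hosted PAC File" method implements the two behaviours the notes above describe: exceptions enforced before redirection (note 7) and a primary plus secondary proxy (note 5). Tower hostnames, the port and the bypass ranges are placeholders, and isInNet()/shExpMatch() are reimplemented inline so the file can be exercised outside a browser.

```javascript
// Added example (not from the Cisco leaflet): a minimal Direct-To-Tower PAC file.
// It implements the two behaviours the leaflet attributes to the Hosted PAC File
// method: a bypass list enforced before redirection (note 7) and a primary plus
// secondary proxy (note 5). Tower names, port and bypass ranges are placeholders;
// a real deployment uses the proxy addresses and exceptions defined in ScanCenter.
var PRIMARY_TOWER = "proxy-primary.example.invalid:8080";     // placeholder
var SECONDARY_TOWER = "proxy-secondary.example.invalid:8080"; // placeholder

// Constructed bypass list. Anything matched here is sent DIRECT and is therefore
// never scanned by CWS, so keep it to internal ranges and hosts that must stay local.
var BYPASS_NETS = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]];
var BYPASS_HOST_PATTERNS = ["*.intranet.example.invalid", "localhost"];

// Browsers provide isInNet() and shExpMatch() natively; they are reimplemented
// here (IPv4 literals only, no DNS) so the file can also be exercised under Node.js.
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, o) { return (acc << 8) + (o & 255); }, 0) >>> 0;
}
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false; // hostname, not an IP literal
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
function shExpMatch(str, shexp) {
  // Shell-style glob to anchored regex: '*' matches any run, '?' a single character.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  // Note 7: exceptions are evaluated first, so matching traffic is never redirected.
  for (var i = 0; i < BYPASS_HOST_PATTERNS.length; i++) {
    if (shExpMatch(host, BYPASS_HOST_PATTERNS[i])) return "DIRECT";
  }
  for (var j = 0; j < BYPASS_NETS.length; j++) {
    if (isInNet(host, BYPASS_NETS[j][0], BYPASS_NETS[j][1])) return "DIRECT";
  }
  // Note 5: the browser uses the primary tower and moves to the secondary one
  // only when it cannot connect to the primary.
  return "PROXY " + PRIMARY_TOWER + "; PROXY " + SECONDARY_TOWER;
}
```

Every DIRECT entry is traffic that bypasses CWS scanning, so the bypass list should be reviewed as carefully as the redirection itself.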

Frequently Asked Questions

How do I determine if I need a high performance solution?

Each configuration guide listed in Table 3 provides guidelines on the maximum number of users that the specific traffic redirection method supports. For environments that exceed these limits, customers may consider using additional devices for traffic redirection, or using Direct-To-Tower redirection in conjunction with user identity obtained through EasyID or SAML.

How do customers secure remote user web traffic?

For users who are remote and operate outside the boundaries of the corporate network, use the AnyConnect client to redirect traffic to CWS. For details on configuring AnyConnect, please refer to: http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Dec2013/CVD-CloudWebSecurityUsingCiscoAnyConnectDesignGuide-DEC13.pdf

Configuration Reference Information

For detailed information on how to configure a traffic redirection option, please refer to the relevant documentation listed in Table 3:

Table 3: Reference and Configuration Guides (Redirection Method: Reference)

- ASA: ASA Connector Quick Configuration Guide: http://dcg.cisco.com/go/5v
- ISR: CWS Configuration Guide: http://dcg.cisco.com/go/5w
- CWS Connector: Connector Administrator Guide: http://dcg.cisco.com/go/5x
- WSA / WSAv Connector: Cisco AsyncOS for Web User Guide: http://dcg.cisco.com/go/5y
- AnyConnect: CWS Using AnyConnect – Technology Design Guide: http://dcg.cisco.com/go/5z

Printed in USA
