Cisco ScanSafe Web Security
Cisco CWS – AnyConnect Web Security Deployment Guide
Figure 2.2
When enabled, "Order scanning proxies by response time" sorts the list of scanning towers from
best performing to worst performing, top to bottom. This is a manual alternative to the
aforementioned option, but the end user will only be able to select a scanning tower if the "User
Controllable" option is enabled.
Supplemental tutorial: Cloud-Hosted Configuration
Overview
Cloud-Hosted configuration allows you to push later versions of the client's configuration to the
roaming clients via the Internet from ScanCenter. To enable the client to listen for new
configurations, the initial profile that you roll out to the client must have this setting activated.
Configuration
After initially enabling this feature in the profile, all further actions for hosting newer configurations are
performed in ScanCenter. Refer to the
Note the following points when working with hosted configuration:
1. Allow access to the Ingress IPs of the CWS towers/proxies for AnyConnect Web Security via
TCP port 443 (and also port 8080 in case of deploying in plain mode). The full list of
towers/proxies for AnyConnect Web Security can be found in the
This is relevant for the Web Security client in general, regardless of Hosted Config.
2. The client itself must also be able to access 80.254.145.118 on TCP port 80 where it fetches the
list of proxy towers and keeps itself up to date. This is relevant for the Web Security client in
general, regardless of Hosted Config.
3. You also need to allow the AnyConnect Web Security module to make connections to Verisign
over TCP port 80. On this range, clients check the certificate of revocation at
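
A preflight check for the egress requirements listed above, meant to be run from the network a roaming client will use. This is an added example, not part of the Cisco guide. Only 80.254.145.118 on TCP port 80 comes from the text; the tower IP and the revocation host are placeholders, because the tower list and the Verisign address are not reproduced on this page.

```python
import socket

# 80.254.145.118:80 is taken from the guide. The tower address and the
# revocation host below are constructed placeholders: substitute the ingress
# IPs from Cisco's published tower list and the Verisign host the guide names.
TOWER_LIST_HOST = "80.254.145.118"
PLACEHOLDER_TOWERS = ["192.0.2.10"]                      # TEST-NET-1, constructed
PLACEHOLDER_REVOCATION_HOST = "revocation.example.invalid"  # constructed


def build_requirements(towers, revocation_host, plain_mode=False):
    """Return (purpose, host, port) tuples for the rules in the list above."""
    reqs = []
    for ip in towers:
        reqs.append(("tower ingress", ip, 443))
        if plain_mode:  # port 8080 is only needed when deploying in plain mode
            reqs.append(("tower ingress (plain mode)", ip, 8080))
    reqs.append(("tower list update", TOWER_LIST_HOST, 80))
    reqs.append(("certificate revocation check", revocation_host, 80))
    return reqs


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake completes; DNS failures, resets and timeouts count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(requirements, probe=tcp_reachable):
    """Probe every requirement and return the ones that are blocked."""
    return [(purpose, host, port) for purpose, host, port in requirements
            if not probe(host, port)]


if __name__ == "__main__":
    reqs = build_requirements(PLACEHOLDER_TOWERS, PLACEHOLDER_REVOCATION_HOST)
    blocked = preflight(reqs)
    for req in reqs:
        purpose, host, port = req
        state = "BLOCKED" if req in blocked else "ok"
        print(f"{state:8} {host}:{port:<5} {purpose}")
    raise SystemExit(1 if blocked else 0)
```

A completed handshake only shows that the firewall permits the connection; it does not confirm that the client profile or the hosted configuration is correct.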