Cisco Cisco ScanSafe Web Security
Cisco CWS - ISR G2 Deployment Guide
5
Test
Deploy
Prepare
Deploy
Configure an ISR G2 connection
This document is intended to provide an overview of the deployment process. For more detailed
information and troubleshooting, please refer to the
information and troubleshooting, please refer to the
Cisco ISR-G2 routers enables you to easily connect branch office networks to CWS. Connector
functionality integrated into the ISR G2 device software intelligently redirects web traffic to CWS to
enforce security and control policies. With this integrated routing and web security solution, branch offices
can be controlled centrally. ISR G2 routers also serve as a cost-effective solution for delivering CWS on
public WiFi networks.
functionality integrated into the ISR G2 device software intelligently redirects web traffic to CWS to
enforce security and control policies. With this integrated routing and web security solution, branch offices
can be controlled centrally. ISR G2 routers also serve as a cost-effective solution for delivering CWS on
public WiFi networks.
Redirect web traffic
parameter-map type content-scan global
server scansafe primary ipv4 <primary tower ip> port http 8080 https 8080
server scansafe secondary ipv4 <secondary tower ip> port http 8080 https 8080
license 0 <license key generated above>
source interface GigabitEthernet0/1
timeout server 30
server scansafe on-failure block-all
interface GigabitEthernet0/1
cws out
Note the following:
server scansafe primary ipv4 <primary tower ip> port http 8080 https 8080
server scansafe secondary ipv4 <secondary tower ip> port http 8080 https 8080
license 0 <license key generated above>
source interface GigabitEthernet0/1
timeout server 30
server scansafe on-failure block-all
interface GigabitEthernet0/1
cws out
Note the following:
license - this is where you apply the license key you generated above. Using 0 will be in clear text,
using 7 will be encrypted
using 7 will be encrypted
source interface- this command configures an interface or an IP address as the source from which
packets to Cloud Web Security will originate from the device. The IP address that is configured in this
command must be the IP addresses that is associated with the interface on which
packets to Cloud Web Security will originate from the device. The IP address that is configured in this
command must be the IP addresses that is associated with the interface on which
“cws out” command
is configured.
cws out- this command enables web filtering and should be applied to the outside interface.
Configure ACL whitelisting
– By Host
parameter-map type regex allowed_hosts
pattern *.cisco.com
cws whitelisting
whitelist header host regex allowed_hosts
pattern *.cisco.com
cws whitelisting
whitelist header host regex allowed_hosts
Configure ACL whitelisting
– By User Agent
parameter-map type regex allowed_user-agents
pattern Mozilla/5.0
cws whitelisting
pattern Mozilla/5.0
cws whitelisting