Cisco Web Security Appliance S670 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 14      Achieving Secure Mobility
Working with Remote Users
When Secure Mobility is enabled, you can configure Identities and other policies to apply to users by 
their location:
  • Remote users. These users are connected to the network from a remote location using VPN (virtual 
    private network). Users might be located in a home office, coffee shop, or hotel, for example. The 
    Web Security appliance automatically identifies remote users when both the Cisco adaptive security 
    appliance and Cisco AnyConnect client are used for VPN access. Otherwise, the Web Security 
    appliance administrator must specify remote users by configuring a range of IP addresses.
  • Local users. These users are connected to the network either physically or wirelessly.
You might want to create separate policies for remote and local users. For example, you can create 
Access Policies that allow access to Arts and Entertainment sites when users are outside the office 
(remote users), but block access when users are in the office (local users).
When you enable Secure Mobility on the Security Services > AnyConnect Secure Mobility Page, you 
identify remote users using one of the following methods:
  • Associate by IP address. Specify a range of IP addresses that the appliance should consider as 
    assigned to remote devices. Typically, the Cisco adaptive security appliance assigns these IP 
    addresses to devices that connect using VPN functionality. When the Web Security appliance 
    receives a transaction from one of the configured IP addresses, it considers the user a remote user.
  • Integrate with a Cisco ASA. Specify one or more Cisco adaptive security appliances that the Web 
    Security appliance communicates with. The Cisco adaptive security appliance maintains an IP 
    address-to-user mapping and communicates that information to the Web Security appliance. 
    When the Web Proxy receives a transaction, it obtains the IP address and determines the user by 
    checking the IP address-to-user mapping. When users are determined by integrating with a Cisco 
    adaptive security appliance, you can enable single sign-on for remote users.
For information on enabling single sign-on, see 
.
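The two identification methods above can be modelled offline to sanity-check a planned configuration. The following is an added example, not code from the Cisco guide or the appliance: the function names, the address values, and the choice to treat an IP address missing from the ASA mapping as local are all assumptions. It also flags remote ranges that overlap office subnets, since hosts in such a range would receive the remote-user policy.

```python
import ipaddress

def parse_ranges(specs):
    """Expand 'a.b.c.d/nn' or 'start-end' strings into ip_network objects."""
    nets = []
    for spec in specs:
        if "-" in spec:
            start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(spec))
    return nets

def classify(client_ip, remote_nets, asa_map=None):
    """Return (location, user) for the client IP of one transaction.

    asa_map models the IP address-to-user mapping an ASA would supply.
    When it is None, the decision uses only the configured remote ranges,
    so the user name is unknown at this point.
    """
    ip = ipaddress.ip_address(client_ip)
    if asa_map is not None:
        user = asa_map.get(client_ip)
        # Assumption: an address absent from the mapping is treated as local.
        return ("remote", user) if user else ("local", None)
    if any(ip in net for net in remote_nets):
        return ("remote", None)
    return ("local", None)

def find_overlaps(remote_nets, local_nets):
    """List (remote, local) network pairs that share addresses."""
    return [(str(r), str(loc)) for r in remote_nets for loc in local_nets
            if r.overlaps(loc)]

# Constructed sample configuration (assumed values, not from the guide).
REMOTE = parse_ranges(["10.99.0.0/24", "10.99.1.10-10.99.1.20"])
LOCAL = parse_ranges(["10.10.0.0/16", "10.99.1.0/28"])
ASA_MAP = {"10.99.0.7": "jdoe"}

if __name__ == "__main__":
    for ip in ("10.99.0.7", "10.99.1.15", "10.10.4.2"):
        print(ip, classify(ip, REMOTE), classify(ip, REMOTE, ASA_MAP))
    print("overlaps:", find_overlaps(REMOTE, LOCAL))
```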
Enabling Secure Mobility
To protect remote users using always-on security, you must first enable the Secure Mobility feature on 
the Web Security appliance. When Secure Mobility is enabled, you can distinguish remote users 
from local users when creating Identities.
Note  You can also configure Secure Mobility using the CLI. For more information, see 
Step 1  Navigate to the Security Services > AnyConnect Secure Mobility page, and click Enable.
Step 2  Read the terms of the AnyConnect Secure Mobility License Agreement, and click Accept.
Step 3  Verify the Enable AnyConnect Secure Mobility field is enabled.
Configure how to identify remote users, by IP address or by integrating with one or more Cisco adaptive 
security appliances. For more information, see 
.