Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 5 Clean Access Server Managed Domain
Configure Proxy Server Settings on CAS
By default, the Clean Access Server redirects client traffic on ports 80 and 443 to the login page. If users
on your untrusted network are required to use a proxy server and/or different ports, you can configure
the CAS with the corresponding proxy server information so that it appropriately redirects HTTP/HTTPS
client traffic to the login page (for unauthenticated users) or HTTP/HTTPS/FTP traffic to allowed
hosts (for quarantine or Temporary role users). You can specify:
• Proxy server ports only (for example, 8080, 8000). This is useful in environments where users may
go through a proxy server but not know its IP address (e.g. university).
• Proxy server IP address and port pair (for example, 10.10.10.2:80). This is useful in environments
where the IP and port of the proxy server to be used are known (e.g. corporate/enterprise).
To Specify Proxy Server Settings on the CAS
1. Go to Device Management > Clean Access Servers > Manage [CAS_IP] > Advanced > Proxy.
Figure 5-23: Proxy Settings for Client Traffic
2. Type the port number or IP:port of the proxy server. Separate multiple entries with commas, for
example: 3128,8080,8000,10.10.10.2:6588,10.10.10.2:3382.
Note
For better security, it is strongly recommended to specify both IP and port for the proxy server.
This causes the CAS to intercept only those requests from the IP address specified. Either port
or IP:port must be specified for the proxy server; you cannot specify an IP address alone.
Note
Port 80 (and 443) are not supported as proxy ports.
3. Click Update to save settings.
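The entry rules in step 2 and its notes can be checked offline before the string is typed into the Proxy field. The following is an added example, not part of the Cisco guide or product; the function names are hypothetical and IPv4 addresses are assumed. Port-only entries are reported separately because the guide recommends the IP:port form.

```python
import ipaddress

UNSUPPORTED_PORTS = {80, 443}  # per the note above: not supported as proxy ports


def parse_port(text):
    """Return a valid TCP port number or raise ValueError."""
    if not text.isdigit():
        raise ValueError(f"not a port number: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port in UNSUPPORTED_PORTS:
        raise ValueError(f"port {port} is not supported as a proxy port")
    return port


def audit_proxy_entries(field):
    """Split a comma-separated proxy field and classify every entry.

    Returns (pinned, port_only, errors):
      pinned    - list of (ip, port) pairs, the recommended form
      port_only - list of ports given with no IP address
      errors    - list of (entry, reason) for entries the guide's rules reject
    """
    pinned, port_only, errors = [], [], []
    for raw in field.split(","):
        entry = raw.strip()
        try:
            if ":" in entry:
                ip_text, port_text = entry.rsplit(":", 1)
                ip = ipaddress.IPv4Address(ip_text)  # assumption: IPv4 only
                pinned.append((str(ip), parse_port(port_text)))
            elif "." in entry:
                raise ValueError("IP address alone is not allowed; add a port")
            else:
                port_only.append(parse_port(entry))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return pinned, port_only, errors


if __name__ == "__main__":
    # First string is the guide's own example; the second is constructed.
    for sample in ("3128,8080,8000,10.10.10.2:6588,10.10.10.2:3382",
                   "8080, 10.10.10.2, 10.10.10.2:80, 443"):
        pinned, port_only, errors = audit_proxy_entries(sample)
        print(sample, "->", pinned, port_only, errors)
```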
To Configure the CAS to Parse Host Policy Traffic
When the “Parse Proxy Traffic for Roles other than Unauthenticated Role” option is enabled for an
individual CAS (under Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles >
Allowed Hosts), the CAS will check the payloads of GET, POST and CONNECT HTTP/HTTPS/FTP
requests to make sure that the host is on the host policy list before allowing traffic to the proxy server