Cisco Web Security Appliance S690 User Guide
8-2
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 8 Integrate the Cisco Identity Services Engine
Identity Services Engine Certificates
• pxGrid controller – In this case, the ISE pxGrid node that controls the client registration/management and topic/subscription processes.
Trusted certificates are required for each component, and these must be installed on each host platform.
About the ISE Server Deployment and Failover
A single ISE node set-up is called a “standalone deployment,” and this single node runs the Administration, Policy Service, and Monitoring personae. To support failover and to improve performance, you must set up multiple ISE nodes in a “distributed deployment.” The minimum required distributed ISE configuration to support ISE failover on your Web Security appliance is:
• Two pxGrid nodes
• Two Monitoring nodes
• Two Administration nodes
• One Policy Service node
This configuration is referred to in the Cisco Identity Services Engine Hardware Installation Guide as a “ ”. Refer to the network deployments section in that Installation Guide for additional information.
Identity Services Engine Certificates
Note
This section describes the certificates necessary for ISE connection.
provides detailed information about these certificates.
, provides general certificate-management information for AsyncOS.
A set of three certificates is required for mutual authentication and secure communication between the Web Security appliance and each ISE server:
• WSA Client Certificate – Used by the ISE server to authenticate the Web Security appliance.
• ISE Admin Certificate – Used by the Web Security appliance to authenticate an ISE server on port 443 for bulk download of ISE user-profile data.
• ISE pxGrid Certificate – Used by the Web Security appliance to authenticate an ISE server on port 5222 for WSA-ISE data subscription (on-going publish/subscribe queries to the ISE server).
These three certificates can be Certificate Authority (CA)-signed or self-signed. AsyncOS provides the option to generate a self-signed WSA Client certificate, or a Certificate Signing Request (CSR) instead, if a CA-signed certificate is needed. Similarly, the ISE server provides the option to generate self-signed ISE Admin and pxGrid certificates, or CSRs instead if CA-signed certificates are needed.
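The following is an added example, not part of the Cisco guide or of AsyncOS: it builds the three-certificate set described above with throwaway OpenSSL material (a lab CA signing the ISE Admin and pxGrid certificates, a self-signed WSA Client certificate) and then runs the trust checks each side effectively performs on its peer. All hostnames and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Cisco guide). Builds a lab CA, CA-signed ISE Admin
# and pxGrid certificates, and a self-signed WSA Client certificate, then checks
# which trust anchor each certificate chains to. Names are constructed placeholders.
WORK="${WORK:-$(mktemp -d)}"

# Lab CA standing in for the enterprise CA that would sign ISE certificates.
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Lab Root CA" >/dev/null 2>&1
}

# CA-signed certificate for one ISE role ($1 = file stem, $2 = CN).
# Mirrors the ISE path of generating a CSR and having the CA sign it.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Self-signed WSA Client certificate (the "generate self-signed" option in AsyncOS).
gen_wsa_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/wsa.key" -out "$WORK/wsa.pem" \
        -subj "/CN=wsa.example.test" >/dev/null 2>&1
}

# The check a peer performs: does the presented certificate ($2) chain to a trust
# anchor ($1) installed on this host? Returns 0 on success, non-zero otherwise.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, for comparing the certificate imported into the WSA with
# the one an ISE node actually presents on 443 (Admin) or 5222 (pxGrid).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Build the whole lab set: one CA, two CA-signed ISE certs, one self-signed WSA cert.
build_lab() {
    gen_ca && issue_cert ise-admin ise-admin.example.test \
           && issue_cert ise-pxgrid ise-pxgrid.example.test && gen_wsa_selfsigned
}
```

The self-signed WSA certificate is its own trust anchor, so the ISE side must import that exact certificate, whereas the CA-signed ISE certificates only require the CA certificate on the WSA.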