Cisco Web Security Appliance S670 Troubleshooting Guide

• Proxy Address Control (PAC) files: These are proxy automatic scripting files that determine how each URL should be handled by the browser, based on the functions written within the file. A PAC file can also ensure that a given URL is always sent directly, or always to the same proxy.
• Auto discovery: This describes the use of DNS/DHCP methods in order to obtain PAC files (described in the previous consideration). Usually, these first three considerations are combined into one solution. However, this can be complicated, and many user-agents, such as Microsoft Office, Adobe Downloader, JavaScript, and Flash, cannot read PAC files at all.
• Web Cache Control Protocol (WCCP): This protocol (especially WCCP Version 2) provides a robust and very powerful way to load-balance between several WSAs and also to incorporate high availability.
• Separate load-balancing appliance(s): Cisco recommends that you use dedicated machines as load balancers.
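The PAC consideration above is easiest to see in a concrete file. The following is an added example, not a file from the Cisco document or from the WSA product: a minimal PAC script that sends internal names directly, pins one service to a fixed proxy, and otherwise hashes the host name so that the same host always lands on the same WSA (with the other WSA as fail-over). The proxy names, domains and the `shExpMatch`/`dnsDomainIs`/`isPlainHostName` helper implementations are assumptions; in a browser those three helpers are supplied by the PAC runtime and the stand-ins here exist only so the logic can be exercised offline.

```javascript
// Added example, not from the Cisco document. The three helpers below are
// stand-ins for the functions a browser provides to PAC scripts (assumption);
// proxy and domain names are constructed placeholders.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' one character.
  const re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Two WSAs behind the PAC file (constructed names and port).
const PROXY_A = "PROXY wsa-a.example.internal:3128";
const PROXY_B = "PROXY wsa-b.example.internal:3128";

function pickProxyForHost(host) {
  // Stable hash of the host name so that a given host always goes to the
  // same WSA; this keeps per-client state (authentication, cache) on one box.
  let h = 0;
  for (let i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h % 2 === 0 ? PROXY_A : PROXY_B;
}

// The entry point every PAC file must define; the browser calls it per URL.
function FindProxyForURL(url, host) {
  // Unqualified hosts and the internal domain never go through a proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // A specific service is pinned to one proxy, with DIRECT as last resort.
  if (shExpMatch(host, "*.cloudstorage.example")) {
    return PROXY_A + "; DIRECT";
  }
  // Everything else: primary chosen by hash, the other WSA as fail-over,
  // and no DIRECT fallback so traffic cannot bypass the WSAs.
  const primary = pickProxyForHost(host);
  const secondary = primary === PROXY_A ? PROXY_B : PROXY_A;
  return primary + "; " + secondary;
}
```

The list returned by `FindProxyForURL` is ordered: the browser tries the first entry and only moves to the next one when the proxy is unreachable, which is what gives the hash-based pinning its fail-over behaviour.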
Firewalls
Here are some firewall considerations that you can implement in order to ensure the best network behavior:
• Ensure that Internet Control Message Protocol (ICMP) is allowed throughout the network from each source. This is vital because the WSA depends on the path Maximum Transmission Unit (MTU) discovery mechanism described in RFC 1191, which depends on ICMP Echo requests (type 8) and Echo replies (type 0) and also requires the ICMP Destination Unreachable, Fragmentation Needed message (type 3, code 4). If you disable path MTU discovery on the WSA with the pathmtudiscovery CLI command, the WSA uses the default MTU of 576 bytes, as per RFC 879. This impacts performance due to increased overhead and reassembly of packets.
• Ensure that there is no asymmetric routing inside the network. While this is not a problem for the WSA itself, any firewall encountered along the path drops the packets because it has not seen both sides of the communication.
• With firewalls, it is very important to exclude the WSA IP addresses from the threat detection that is applied to regular end-user workstations. Otherwise the firewall might blacklist the WSA IP addresses because of their high connection counts (as per general firewall knowledge).
• If Network Address Translation (NAT) is employed for any WSA IP address on the customer premises device, ensure that each WSA uses a separate outside global address in the NAT. If you use NAT for multiple WSAs with a single outside global address, you might encounter these issues:
  ♦ All of the connections from all of the WSAs to the outside world use a single outside global address, and the firewall quickly runs out of resources.
  ♦ If there is a spike of traffic towards a single destination, the destination server might blacklist that address and cut off the entire enterprise from access to the resource. This might be a valuable resource such as the company cloud storage, the Office cloud connections, or the per-computer antivirus software updates.
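The first firewall consideration is the one most often broken by a "ping only" ICMP policy that permits Echo but not the Fragmentation Needed message. The following is an added example, not code from the Cisco document or from any firewall vendor: a small first-match rule model and an audit function that reports which of the ICMP messages path MTU discovery needs (Echo request type 8, Echo reply type 0, Destination Unreachable type 3 code 4) a given rule list would block. The rule format and both sample rule lists are constructed for the example.

```javascript
// Added example, not from the Cisco document. The rule model and the two
// rule lists are constructed; the ICMP types/codes are the ones the text
// lists as required for path MTU discovery (RFC 1191).

// Messages PMTUD depends on, seen from the WSA: "out" leaves the WSA,
// "in" must be allowed back to it.
const REQUIRED_ICMP = [
  { name: "echo-request", type: 8, code: 0, direction: "out" },
  { name: "echo-reply",   type: 0, code: 0, direction: "in"  },
  { name: "frag-needed",  type: 3, code: 4, direction: "in"  },
];

// Minimal first-match rule model (assumption): a rule field set to "any"
// matches everything, an omitted icmpType/icmpCode matches any type/code,
// and a packet that matches no rule is implicitly denied.
function ruleMatches(rule, pkt) {
  return (rule.proto === "any" || rule.proto === pkt.proto) &&
    (rule.direction === "any" || rule.direction === pkt.direction) &&
    (rule.icmpType === undefined || rule.icmpType === pkt.icmpType) &&
    (rule.icmpCode === undefined || rule.icmpCode === pkt.icmpCode);
}

function decide(rules, pkt) {
  const hit = rules.find(r => ruleMatches(r, pkt));
  return hit ? hit.action : "deny";
}

// Returns the names of the required ICMP messages the rule list blocks.
// An empty result means PMTUD can work through this firewall.
function auditPmtud(rules) {
  return REQUIRED_ICMP
    .filter(m => decide(rules, {
      proto: "icmp", direction: m.direction, icmpType: m.type, icmpCode: m.code,
    }) !== "allow")
    .map(m => m.name);
}

// Constructed policy 1: the common "allow ping, drop the rest" ICMP policy.
const PING_ONLY = [
  { action: "allow", proto: "icmp", direction: "out", icmpType: 8 },
  { action: "allow", proto: "icmp", direction: "in",  icmpType: 0 },
  { action: "deny",  proto: "icmp", direction: "any" },
];

// Constructed policy 2: the same policy with Fragmentation Needed permitted
// ahead of the catch-all deny, which is what the WSA needs.
const PMTUD_OK = [
  { action: "allow", proto: "icmp", direction: "in", icmpType: 3, icmpCode: 4 },
  ...PING_ONLY,
];

console.log("ping-only blocks:", auditPmtud(PING_ONLY));
console.log("pmtud-ok blocks:", auditPmtud(PMTUD_OK));
```

On a real firewall the same check is done by reading the ICMP portion of the policy in order: an `allow` for type 3 code 4 toward the WSA must appear before any catch-all ICMP deny, otherwise the WSA never learns the smaller path MTU and falls back to fragmentation or, if PMTUD is disabled, to the 576-byte default described above.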
Identities
Remember that the logical AND principle applies to all components of an identity. For example, if you configure both a user-agent and an IP address, the identity matches the user-agent coming from that IP address; it does not match the user-agent or that IP address on its own.
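The AND rule is easy to get backwards when several identities are stacked, so here it is as an added example that is not code from the Cisco document or from the WSA itself: a small evaluator in which each identity is a set of optional criteria (subnets, user-agent substrings, proxy ports), a request is a member only when every configured criterion matches, and identities are tried top to bottom with the first match winning. The criteria names, the policy, the subnets and the fallback identity name `Global` are all constructed for the example.

```javascript
// Added example, not from the Cisco document. The identity structure,
// criteria names, sample policy and addresses are constructed placeholders.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

// True when ip falls inside the IPv4 CIDR block, e.g. "10.10.0.0/16".
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Each criterion is evaluated only if the identity configures it; a key
// that is absent does not constrain membership at all.
const CRITERIA = {
  subnets:    (req, v) => v.some(c => inCidr(req.clientIp, c)),
  userAgents: (req, v) => v.some(p => req.userAgent.includes(p)),
  ports:      (req, v) => v.includes(req.proxyPort),
};

// Logical AND across every configured criterion (the rule in the text):
// an identity with both subnets and userAgents matches only a request
// that satisfies both.
function matchesIdentity(identity, req) {
  return Object.keys(CRITERIA).every(k =>
    identity[k] === undefined || CRITERIA[k](req, identity[k]));
}

// Identities are ordered; the first one whose criteria all match wins.
// "Global" is the constructed name of the catch-all fallback.
function firstMatchingIdentity(identities, req) {
  const hit = identities.find(id => matchesIdentity(id, req));
  return hit ? hit.name : "Global";
}

// Constructed policy: browsers in the finance subnet first, then the whole
// finance subnet regardless of user-agent.
const IDENTITIES = [
  { name: "FinanceBrowsers", subnets: ["10.10.0.0/16"], userAgents: ["Mozilla/"] },
  { name: "AllOfFinance",    subnets: ["10.10.0.0/16"] },
];

// Three constructed requests showing the AND behaviour.
const SAMPLES = [
  { clientIp: "10.10.3.4",  userAgent: "Mozilla/5.0", proxyPort: 3128 }, // both match
  { clientIp: "10.10.3.4",  userAgent: "MSOffice/16", proxyPort: 3128 }, // IP only
  { clientIp: "10.20.1.1",  userAgent: "Mozilla/5.0", proxyPort: 3128 }, // UA only
];

for (const req of SAMPLES) {
  console.log(req.clientIp, req.userAgent, "->", firstMatchingIdentity(IDENTITIES, req));
}
```

The second and third requests are the cases the text warns about: the Office client from the finance subnet falls through to `AllOfFinance` because its user-agent does not match, and the browser from another subnet is not a member of either finance identity even though its user-agent alone would match the first one.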