Cisco ASA 5585-X Adaptive Security Appliance Information Guide
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
● Fully qualified domain name (FQDN) or IP address of the primary or backup Cloud Web Security proxy servers
● License hex keys
Q. Up to 10 percent of the employees in my organization are remote. How can I extend Cisco Cloud Web
Security capabilities to those remote users?
A. Cisco Cloud Web Security capabilities are extended to remote users through the Cisco AnyConnect Secure
Mobility Client. The AnyConnect client performs split tunneling of web and VPN traffic to eliminate the need
to backhaul Internet traffic to company headquarters, thereby supporting complex remote access use cases.
For example, if a user is traveling from the United States to Japan, AnyConnect will automatically find the
closest Cisco Cloud Web Security tower in Japan, even if the VPN tunnel is terminated to the U.S.
headquarters location.
Q. How can I enforce Web 2.0 policies on personal handhelds such as iPhone and iPad devices?
A. The Cisco AnyConnect Secure Mobility Client launches the tunnel to the Cisco ASA head end. The ASA
redirects part of the tunnel traffic (ports 80 and 443) to the Cisco web security cloud for Web 2.0 application
enforcement. This entire process is transparent to the end user.
Q. Is Cisco Cloud Web Security integration available on all Cisco ASA platforms?
A. Yes. Cisco Cloud Web Security integration is available on all currently shipping Cisco ASA appliance
platforms, including the Cisco ASA 5500 Series, the Cisco ASA 5500-X Series, the Cisco ASA 5585-X
platform, and the Cisco Catalyst 6500 Series ASA Services Module. It is not yet available on the Cisco ASA
1000V Cloud Firewall.
Q. How does this integration achieve high availability?
A. There are two pieces to high availability (HA): the Cisco Cloud Web Security Tower HA and Cisco ASA
HA. When you configure Cisco Cloud Web Security tower information, you can configure a backup Cisco Cloud
Web Security tower, which automatically redirects web traffic to the secondary tower if the primary tower goes
down. If you are using Cisco ASA HA, the entire system, including the ASA and the Cisco Cloud Web Security
tower, can achieve full redundancy in either active/passive or active/active mode. In exceptional
circumstances, if both Cisco Cloud Web Security towers are unavailable (because Internet connectivity is lost,
for example), the ASA can be configured to either fail-open or fail-close.
Q. Where do I go for more information on the integrated Cisco Cloud Web Security?
A. More information on Cisco Cloud Web Security web application visibility and control can be found at:
Management
Q. How do I manage Cisco ASA 5500-X Series and 5585-X Next-Generation Firewalls?
A. You have several options for managing the Cisco ASA 5500-X Series firewalls:
● Cisco Security Manager 4.3 or later, an off-box GUI management application, is available for managing
most of your physical network security infrastructure. The upgrade path from Cisco Security Manager 3.x to
4.3 and later is discussed
● Command-line interface (CLI)
● Cisco Adaptive Security Device Manager (ASDM), the ASA on-box management application