Cisco ScanSafe Web Security (Cisco CWS) – AnyConnect Web Security Deployment Guide
4. The AnyConnect client downloads its config files from the resource service through a hardcoded address (IP: 46.255.41.2). The exchange is encrypted and uses TCP port 443, so outbound TCP 443 to that address must be permitted from the client networks.
5. Ensure that clients use the same license key (company/group/user) that is associated with the Hosted Config defined and hosted in ScanCenter.
6. Client machines running the ACWS agent must have the Thawte Primary Root CA and Thawte SSL CA – G2 in the Trusted Root Certification Authority Store.
Supplemental tutorial: TND (Trusted Network Detection)
Overview
TND (Trusted Network Detection) is defined as part of the AnyConnect Web Security profile, via the Profile Editor. When enabled, the AnyConnect Web Security client detects that it is on a trusted network (one whose web traffic is assumed to already egress through a secured path) and stops intercepting web traffic on the client.
Several TND servers can be defined in the profile, which is useful for clients that roam between different internal networks that are already secured.
Configuration
In the Profile Editor, on the Preferences page, the admin defines each required trusted server by IP address or FQDN, together with its port (443 is used if no port is specified).
The admin enters the IP address or FQDN of the internal-facing SSL server in the Profile Editor and clicks Add; the Profile Editor then connects to that server, retrieves its certificate, computes the certificate hash, and adds it to the configuration page. Because the Profile Editor pins whatever certificate it is presented, it must reach the server directly rather than through a TLS-inspecting proxy.
Figure 2.3
For best results, run the Profile Editor from within the internal network so that it can reach the internal-facing SSL server and retrieve the hash. If that is not possible, or the hash is not extracted, export the certificate from the SSL server or compute the hash with an openssl x509 command, and enter it into the Profile Editor manually. The value must be the SHA-256 hash of the certificate; the certificate's own key or signature algorithm does not matter, because the hash is computed over the encoded certificate as a whole.
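As an added example (not part of the Cisco guide or the Profile Editor), the following Python script performs the manual step described above: it connects to a TND server, retrieves the certificate it actually presents, and prints the SHA-256 hash over the DER encoding in the form a SHA-256 certificate fingerprint takes. The host name tnd.corp.example used as a default is hypothetical; the helper functions also accept a PEM file exported from the server, so the hash can be computed offline.

```python
"""Compute the SHA-256 certificate hash for an AnyConnect Web Security TND server.

Added example, not Cisco's code.  The hash is taken over the complete DER
encoding of the certificate, so the certificate's key or signature algorithm
does not matter, only its bytes."""
import base64
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = re.sub(r"\s+", "", match.group(1))  # drop line breaks inside the base64
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes, colons: bool = False) -> str:
    """SHA-256 over the DER encoding, upper-case hex, optionally colon-separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    if colons:
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return digest


def fetch_server_cert_pem(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Retrieve the leaf certificate exactly as host:port presents it.

    Chain verification is deliberately disabled: an internal TND server is often
    signed by a private CA or self-signed, and we hash the certificate rather than
    trust it.  Run this from inside the network with no TLS-inspecting proxy in
    the path, otherwise the proxy's certificate is what gets pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def tnd_hash_for(host: str, port: int = 443) -> str:
    """The value to enter manually in the Profile Editor for host:port."""
    return sha256_fingerprint(pem_to_der(fetch_server_cert_pem(host, port)))


if __name__ == "__main__":
    import sys

    # tnd.corp.example is a hypothetical host used only as a default here.
    target = sys.argv[1] if len(sys.argv) > 1 else "tnd.corp.example"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{port} SHA256 = {tnd_hash_for(target, port)}")
```

Run it as `python3 tnd_hash.py <host> [port]` from a machine on the internal network. To cross-check the result against a certificate exported from the server itself, `openssl x509 -in server.pem -noout -fingerprint -sha256` prints the same digest in colon-separated form; the two values must match before the hash is entered into the Profile Editor.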