Cisco ScanSafe Web Security
Cisco CWS - ISR G2 Deployment Guide
whitelist header user-agent regex allowed_user-agents
Configuring LDAP Server
aaa new-model
aaa group server ldap scansafe
 server ss-ldap
ldap server ss-ldap
 ipv4 <ldap server ip>
 transport port 3268
 bind authenticate root-dn "<service account distinguished name>" password <server account password>
 base-dn "<search base distinguished name>"
 search-filter user-object-type user
 authentication bind-first
Configure user identity
aaa authentication login ss-aaa group scansafe
aaa authorization network ss-aaa group scansafe
aaa accounting network ss-aaa none
ip admission virtual-ip 1.1.1.1 virtual-host proxy
ip admission name ssauth ntlm passive inactivity-time 60
ip admission name ssauth order ntlm
ip admission name ssauth method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa
interface GigabitEthernet0/0
 ip admission ssauth
ip http server
aaa authentication login default none
aaa authorization exec default none
Because aaa new-model is now enabled, the two default lines explicitly set login authentication and exec authorization for console and VTY sessions to none, so enabling the LDAP group for CWS does not lock administrators out; on a production router, use the method list those sessions already rely on (for example local) instead of none.
For user authentication to work, the client must be able to resolve "proxy" to the IP address 1.1.1.1. For testing purposes, edit the hosts file on a client to include an entry for this IP address. In production, create an A record in DNS.
Troubleshooting commands
sh cws statistics
sh cws summary
sh cws session active
sh cws session history <1-512>
Bypass ip admission (auth)
ip admission name ntlm-rule ntlm list ssauth
ip access-list extended ssauth
 permit ip <corporate ip> <wildcard mask> any
Bypass HTTPS filtering
ip access-list extended matchHTTPS
 permit tcp any any eq 443
cws whitelisting
 whitelist acl name matchHTTPS
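An added audit check, not from the guide, that reads an IOS config fragment and flags the mistakes the bypass and user-identity sections are prone to: an extended ACE that uses protocol ip with a port match or stray trailing tokens (IOS accepts eq only with tcp/udp), a cws whitelist entry naming an ACL that is never defined, and an ip admission method-list naming an AAA list that is never defined. The sample config is constructed, with the guide's placeholders filled in with made-up values.

```python
import re

# Constructed sample, not from the guide: its bypass and admission blocks with the
# <placeholders> filled with made-up values, plus a whitelist entry naming an undefined ACL.
SAMPLE_CONFIG = """
aaa authentication login ss-aaa group scansafe
aaa authorization network ss-aaa group scansafe
aaa accounting network ss-aaa none
ip admission name ssauth method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa
ip access-list extended matchHTTPS
 permit ip any any eq 443
ip access-list extended ssauth
 permit ip 10.0.0.0 0.255.255.255 any any
cws whitelisting
 whitelist acl name matchHTTPS
 whitelist acl name matchFTP
"""

def _skip_addr(tokens):
    """Drop one address spec: 'any' (one token), 'host X' or 'X wildcard' (two)."""
    return tokens[1:] if tokens[:1] == ["any"] else tokens[2:]

def audit_cws_config(config):
    """Return a list of findings for the CWS-related lines of an IOS config."""
    findings, acls, aaa_lists, current_acl = [], set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current_acl = m.group(1)
            acls.add(current_acl)
        m = re.match(r"aaa (?:authentication login|authorization network|accounting network) (\S+)", line)
        if m:
            aaa_lists.add(m.group(1))
        m = re.match(r"(?:permit|deny) (\S+) (.*)$", line)
        if m and current_acl:
            proto, rest = m.group(1), _skip_addr(_skip_addr(m.group(2).split()))
            if proto == "ip" and rest:  # 'ip' takes only a source and a destination
                findings.append(f"{current_acl}: 'ip' ACE has trailing '{' '.join(rest)}'; "
                                "a port match needs tcp/udp, and 'any any' is already the whole match")
        if line.startswith("ip admission name") and "method-list" in line:
            for name in re.findall(r"(?:authentication|authorization|accounting) (\S+)", line):
                if name not in aaa_lists:
                    findings.append(f"ip admission references undefined AAA list '{name}'")
        m = re.match(r"whitelist acl name (\S+)", line)
        if m and m.group(1) not in acls:
            findings.append(f"whitelist references undefined ACL '{m.group(1)}'")
    return findings
```

Run it on the sample and it reports the two malformed ACEs and the undefined matchFTP ACL; a config using permit tcp any any eq 443 and only defined names produces no findings.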