Cisco Cisco Content Security Management Appliance M160 Mode D'Emploi
9-14
AsyncOS 9.1 for Cisco Content Security Management Appliances User Guide
Chapter 9 Managing Web Security Appliances
Publishing Configurations to Web Security Appliances
•
To ensure that the Configuration Master will publish and that the intended set of features will be
enabled after publishing, verify the feature sets of each Web Security appliance and the associated
Configuration Master and make any needed changes. See
enabled after publishing, verify the feature sets of each Web Security appliance and the associated
Configuration Master and make any needed changes. See
and if necessary,
If different features are enabled on different Web Security appliances assigned to the same
Configuration Master, you must publish to each appliance separately, and verify and enable features
before each publish.
Configuration Master, you must publish to each appliance separately, and verify and enable features
before each publish.
•
Save a configuration file from each target Web Security appliance so that you can restore the existing
configuration in case of problems with the published configuration. See the AsyncOS for Cisco Web
Security Appliances User Guide for details.
configuration in case of problems with the published configuration. See the AsyncOS for Cisco Web
Security Appliances User Guide for details.
•
Any change that would cause a Web proxy restart when committed on the Web Security appliance
will also cause a proxy restart when you publish it from the Security Management appliance. You
will receive a warning in these situations.
will also cause a proxy restart when you publish it from the Security Management appliance. You
will receive a warning in these situations.
Proxy restarts may also occur on publish if a change requiring proxy restart has been made on the
Web Security appliance. For example, if new groups are added on the Web Security appliance to a
group authentication configuration for an access policy, the web proxy will restart the next time the
configuration master is published. You will not receive warnings about proxy restarts in these cases.
Web Security appliance. For example, if new groups are added on the Web Security appliance to a
group authentication configuration for an access policy, the web proxy will restart the next time the
configuration master is published. You will not receive warnings about proxy restarts in these cases.
Web Proxy restarts temporarily interrupt web security services. For information about the effects of
restarting the web proxy, see the “Checking for Web Proxy Restart on Commit” section in the
AsyncOS for Cisco Web Security Appliances User Guide.
restarting the web proxy, see the “Checking for Web Proxy Restart on Commit” section in the
AsyncOS for Cisco Web Security Appliances User Guide.
•
When you publish any change to an Identity/Identification Profile, all end-users must
re-authenticate.
re-authenticate.
Special Situations
•
If you have reverted AsyncOS on the target Web Security appliance, you may need to associate a
different Configuration Master with that appliance.
different Configuration Master with that appliance.
•
If you publish a Configuration Master to a Web Security appliance that does not have a realm
configured with Transparent User Identification enabled, but you have selected Transparent User
Identification in an Identity /Identification Profile or SaaS Policy:
configured with Transparent User Identification enabled, but you have selected Transparent User
Identification in an Identity /Identification Profile or SaaS Policy:
–
For Identities/Identification Profiles, Transparent User Identification is disabled and the
Require Authentication option is selected instead.
Require Authentication option is selected instead.
–
For Saas Policies, the Transparent User Identification option is disabled and the default option
(Always prompt SaaS users for proxy authentication) is selected instead.
(Always prompt SaaS users for proxy authentication) is selected instead.
•
When you publish External DLP policies from a Security Management appliance to multiple Web
Security appliances that are not configured for RSA servers, the Security Management appliance
will send the following publish status warning:
Security appliances that are not configured for RSA servers, the Security Management appliance
will send the following publish status warning:
“The Security Services display settings configured for Configuration Master <version> do not
currently reflect the state of one or more Security Services on Web Appliances associated with
this publish request. The affected appliances are: “<WSA Appliance Names>”. This may
indicate a misconfiguration of the Security Services display settings for this particular
Configuration Master. Go to the Web Appliance Status page for each appliance provides a
detailed view to troubleshooting this issue. Do you want to continue publishing the
configuration now?”
currently reflect the state of one or more Security Services on Web Appliances associated with
this publish request. The affected appliances are: “<WSA Appliance Names>”. This may
indicate a misconfiguration of the Security Services display settings for this particular
Configuration Master. Go to the Web Appliance Status page for each appliance provides a
detailed view to troubleshooting this issue. Do you want to continue publishing the
configuration now?”
If you decide to continue to publish, the Web Security appliance that is not configured for the RSA
servers will receive the External DLP policies, but these policies will be disabled.The Web Security
appliance External DLP page will not show the published policies if External DLP Server is not
configured.
servers will receive the External DLP policies, but these policies will be disabled.The Web Security
appliance External DLP page will not show the published policies if External DLP Server is not
configured.