Cisco Cisco Content Security Management Appliance M1070 Mode D'Emploi
9-9
AsyncOS 8.3.5 for Cisco Content Security Management User Guide
Chapter 9 Managing Web Security Appliances
Setting Up Configuration Masters to Centrally Manage Web Security Appliances
Tip for Working with Identities in Configuration Masters
When creating an Identity on the Security Management appliance, you have the option of making it
apply only to specific appliances. So for example, if you purchase a Security Management appliance and
want to preserve the existing Web Security appliance configurations and the policies that were created
for each Web Security appliance, you must load one file into the machine, and then add policies from
other machines by hand.
apply only to specific appliances. So for example, if you purchase a Security Management appliance and
want to preserve the existing Web Security appliance configurations and the policies that were created
for each Web Security appliance, you must load one file into the machine, and then add policies from
other machines by hand.
One way to accomplish this is to make a set of Identities for each appliance, then have policies which
refer to those Identities. When the Security Management appliance publishes the configuration, those
Identities and the policies which refer to them will automatically be removed and disabled. Using this
method, you do not have to configure anything manually. This is essentially a ‘per-appliance’ identity.
refer to those Identities. When the Security Management appliance publishes the configuration, those
Identities and the policies which refer to them will automatically be removed and disabled. Using this
method, you do not have to configure anything manually. This is essentially a ‘per-appliance’ identity.
The only challenge with this method is if you have a default policy or Identity that differs between sites.
For example, if you have a policy set for “default allow with auth” at one site and a “default deny” at
another. At this point you will need to create per-appliance Identities and policies just above the default;
essentially creating your own “default” policy.
For example, if you have a policy set for “default allow with auth” at one site and a “default deny” at
another. At this point you will need to create per-appliance Identities and policies just above the default;
essentially creating your own “default” policy.
Table 9-1
Feature Configuration: Differences between Configuration Master and Web Security Appliance
Feature or Page
Details
All features, especially new
features in each release
features in each release
For each feature that you configure in a Configuration Master, you must enable the
feature in the Security Management appliance under Web > Utilities > Security Services
Display. For more information, see
feature in the Security Management appliance under Web > Utilities > Security Services
Display. For more information, see
.
Identities
•
See
•
If you have realms on different Web Security appliances that have the same name
but different protocols, choose the appropriate scheme for each desired realm in the
Configuration Master.
but different protocols, choose the appropriate scheme for each desired realm in the
Configuration Master.
•
The Identify Users Transparently option when adding or editing an Identity is
available when a Web Security appliance with an authentication realm that supports
transparent user identification has been added as a managed appliance.
available when a Web Security appliance with an authentication realm that supports
transparent user identification has been added as a managed appliance.
SaaS Policies
The authentication option “Prompt SaaS users who have been discovered by transparent
user identification” is available only when a Web Security appliance with an
authentication realm that supports transparent user identification has been added as a
managed appliance.
user identification” is available only when a Web Security appliance with an
authentication realm that supports transparent user identification has been added as a
managed appliance.
Access Policies > Edit Group
When you configure the Identities and Users option in the Policy Member Definition
section, the following applies if you use external directory servers:
section, the following applies if you use external directory servers:
When you search for groups on the Edit Group page, only the first 500 matching results
are displayed. If you do not see the desired group, you can add it to the “Authorized
Groups” list by entering it in the Directory search field and clicking the "Add" button.
are displayed. If you do not see the desired group, you can add it to the “Authorized
Groups” list by entering it in the Directory search field and clicking the "Add" button.
Access Policies > Web Reputation
and Anti-Malware Settings
and Anti-Malware Settings
Options available on this page depend on whether Adaptive Scanning is enabled for the
relevant configuration master. Check this setting in Web > Utilities > Security Services
Display.
relevant configuration master. Check this setting in Web > Utilities > Security Services
Display.