Cisco Cisco Content Security Management Appliance M1070 Mode D'Emploi

9-9

AsyncOS 9.5.x for Cisco Content Security Management Appliances User Guide

Chapter 9 Managing Web Security Appliances

Setting Up Configuration Masters to Centrally Manage Web Security Appliances

Except for the few items described in

SMA-Specific Differences when Configuring Features in

Configuration Masters, page 9-9

, instructions for configuring features in a Configuration Master are the

same as instructions for configuring the same features on the Web Security appliance. For instructions,
see the online help in your Web Security appliance or the AsyncOS for Cisco Web Security Appliances
User Guide for the AsyncOS version corresponding to the Configuration Master version. If necessary,
consult the following topic to determine the correct Configuration Master for your Web Security
appliance:

Determine the Configuration Master Versions to Use, page 9-3

All versions of Web Security user guides are available from

http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html

SMA-Specific Differences when Configuring Features in Configuration Masters

When you configure a feature in a Configuration Master, note the following differences from configuring
the same feature directly on the Web Security appliance.

Table 9-1

Feature Configuration: Differences between Configuration Master and Web Security Appliance

Feature or Page

Details

All features, especially new
features in each release

For each feature that you configure in a Configuration Master, you must enable the
feature in the Security Management appliance under Web > Utilities > Security Services
Display. For more information, see

Ensuring that Features are Enabled Consistently,

page 9-10

Identities/Identification Profiles

•

See

Tip for Working with Identities/Identification Profiles in Configuration

Masters, page 9-10

•

If you have authentication realms on different Web Security appliances that have
the same name but different protocols, choose the appropriate scheme for each
desired realm in the Configuration Master.

•

The Identify Users Transparently option when adding or editing an
Identity/Identification Profile is available when a Web Security appliance with an
authentication realm that supports transparent user identification has been added as
a managed appliance.

Policies that use a Cisco Identity
Services Engine (ISE) to identify
users

Secure Group Tag (SGT) information is updated from the Web Security appliances
approximately every five minutes. The management appliance does not communicate
directly with the ISE server.

To update the list of SGTs on demand, select Web > Utilities > Web Appliance Status,
click a Web Security appliance that is connected to the ISE server, then click Refresh
Data. Repeat as needed for other appliances.

Multiple ISE servers with different data are not supported.

Access Policies > Edit Group

When you configure the Identities /Identification Profiles and Users option in the Policy
Member Definition section, the following applies if you use external directory servers:

When you search for groups on the Edit Group page, only the first 500 matching results
are displayed. If you do not see the desired group, you can add it to the “Authorized
Groups” list by entering it in the Directory search field and clicking the "Add" button.