Cisco Content Security Management Appliance M1070 User Guide
AsyncOS 9.0 for Cisco Content Security Management Appliances User Guide
Chapter 9 Managing Web Security Appliances
Publishing Configurations to Web Security Appliances
Web Proxy restarts temporarily interrupt web security services. For information about the effects of
restarting the web proxy, see the “Checking for Web Proxy Restart on Commit” section in the
AsyncOS for Cisco Web Security Appliances User Guide.
• When you publish any change to an Identity, all end-users must re-authenticate.
Special Situations
• If you have reverted AsyncOS on the target Web Security appliance, you may need to associate a
  different Configuration Master with that appliance.
• If you publish a Configuration Master to a Web Security appliance that does not have a realm
  configured with Transparent User Identification enabled, but you have selected Transparent User
  Identification in an Identity or SaaS Policy:
  – For Identities, Transparent User Identification is disabled and the Require Authentication
    option is selected instead.
  – For SaaS Policies, the Transparent User Identification option is disabled and the default option
    (Always prompt SaaS users for proxy authentication) is selected instead.
• When you publish External DLP policies from a Security Management appliance to multiple Web
  Security appliances that are not configured for RSA servers, the Security Management appliance
  will send the following publish status warning:
  “The Security Services display settings configured for Configuration Master <version> do not
  currently reflect the state of one or more Security Services on Web Appliances associated with
  this publish request. The affected appliances are: “<WSA Appliance Names>”. This may
  indicate a misconfiguration of the Security Services display settings for this particular
  Configuration Master. Go to the Web Appliance Status page for each appliance provides a
  detailed view to troubleshooting this issue. Do you want to continue publishing the
  configuration now?”
  If you decide to continue to publish, the Web Security appliance that is not configured for the RSA
  servers will receive the External DLP policies, but these policies will be disabled. The Web Security
  appliance External DLP page will not show the published policies if External DLP Server is not
  configured.
• If a Configuration Master has Identities that identify and authenticate users using a realm that uses
  the Kerberos scheme, then the following caveats apply:
  – Active Directory realms that were created on Web Security appliances before upgrade to
    AsyncOS 8.0 for Web do not support the Kerberos authentication scheme.
  – If you publish Configuration Master 8.0 to a Web Security appliance that has a realm with the
    same name but without support for Kerberos, then the following occurs:
| If the Scheme in the Identity in the Configuration Master Was: | Then the Scheme in the Identity on the Web Security Appliance Becomes |
|---|---|
| Use Kerberos | Use NTLMSSP or Basic |
| Use Kerberos or NTLMSSP | Use NTLMSSP |
| Use Kerberos or NTLMSSP or Basic | Use NTLMSSP or Basic |