Cisco Web Security Appliance S170 User Guide
AsyncOS 9.2 for Cisco Web Security Appliances User Guide
Chapter 2 Hybrid Web Security Mode
What To Do Next
• Register this Web Security appliance with Cisco Cloud Web Security to obtain an authorization
token. Be aware that this token is valid for one hour; if you have not used it to configure the
WSA within that time, you will have to generate another. See
What To Do Next
• Connect, install and configure the appliance in Hybrid Web Security mode. Refer to
for specific information.
• As mentioned in
, if any CWS policies
to be downloaded contain HTTPS rules or authentication group rules, it is important that you
configure HTTPS proxy settings, Authentication Realms and Identification Profiles on the WSA
shortly after the System Setup Wizard (SSW) finishes configuring Hybrid Web Security mode.
Conversion and download of any CWS policies containing HTTPS rules or authentication group
rules is skipped during WSA hybrid system set-up, and will be completed only after the WSA is set
up in hybrid mode with HTTPS proxy, Authentication Realms and Identification Profiles
configured. (The conversion/download process is completed automatically, as CWS-to-WSA policy
updates occur every two minutes.)
In CWS, an authentication realm refers to SAML and EasyID. On the WSA, the types supported are
different and usually refer to NTLM (SAML is not yet supported on the WSA). If CWS rules have
either auth-user-name or authentication groups configured, you must configure authentication
realms and custom identification profiles with authentication enabled on the WSA.
– Configure HTTPS proxy settings: see
.
– Configure Authentication Realms and Identification Profiles: see
.
• The Acceptable Use Policy (AUP) page on CWS and the End-User Acknowledgment (EUA) page
on the WSA are essentially the same thing: a page displayed to end-users explaining terms of access,
which users are required to click to acknowledge before proceeding.
If you are using this option on CWS, you should also enable it locally on the WSA (Security Services
> End-User Notification) to provide the same required behavior for all end users. The EUA settings
must be configured locally on the WSA—they are not downloaded from CWS. You can edit the
HTML presented to end-users by the WSA to ensure that both pages have a similar “look and feel.”
• Some items that are configurable in Cisco ScanCenter are not yet supported for download by the
Web Security appliance. The following items must be configured directly on the appliance:
– Email Alert Settings. Frequency of email alerts you want to receive. (An email address is
provided during configuration with the Software Setup Wizard; others can be added later.)
– Customized text and other settings for Block pages and end-user alert pages.
– Global settings such as SearchAhead, SafeSearch, Dynamic Classification Engine, Content
Range Headers, and Sandboxing.
• Note that when the WSA Hybrid software is installed or upgraded it will likely have an AVC
Signature version that does not match that of the CWS service. The WSA will not generate rules for
those applications for which there is a mismatch, but will generate rules for all matching signatures.
Signature mismatches that cannot be applied are logged. (The correct AVC Signature file will be
downloaded, generally after no more than 10 minutes.)