White paper for Cisco ScanSafe Web Security
Cisco CWS – ASA 5500 Deployment Guide
As before, the proper placement of the whitelisting ACE should occur before the ACE which forwards
traffic to the Cloud Web Security Service. This can be achieved by using line 1 in the configuration
command.
Figure 2.13
Applying this DESTINATION_WHITELIST to the ASA should allow the test machine access to
Configure user identity
Before setting up user identity for the ASA Connector, formally known as identity firewall or IDFW, there
are a few items to have on-hand.
Reference video:
Be sure to have the following before you begin:
Service account for performing group lookups
One domain controller for group lookups
NetBIOS domain name
A service account will be needed to map the web requestor’s username to their IP address, and to
perform a group lookup of the web requestor. This service account should be an active directory user
belonging to either the domain admins or domain users group.
Since the ASA Connector does not have a built-in method for resolving IP addresses to usernames, it
relies upon an external agent such as the Context Directory Agent (CDA). The installation and
configuration of the CDA is out of scope for this tutorial, but note that it can use the same service account
previously mentioned to map usernames to IP addresses. Consult this
At least one domain controller should be configured for group lookup requests. Multiple domain
controllers can be configured for redundancy.
The NetBIOS domain name will be used in the user identity configuration. This is different from the DNS
domain name, and can be found in the properties of the root domain object in Active Directory Users and
Computers, or by running a gpresult on a client machine.
*Note: All four sections in the text editor in the screenshots below will need to be configured for complete
user-identity and group membership discovery.
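As an added example, not a screenshot from this guide, the following ASA identity-firewall configuration wires together the three prerequisites above (service account, domain controller, NetBIOS domain name) and the CDA. The host addresses, the EXAMPLE NetBIOS name, the svc_idfw account, the base DN and both secrets are placeholders, and grouping the commands into four sections to match the note above is an assumption.

```cisco
! --- Section 1 (assumed): LDAP server group pointing at the domain controller used for group lookups.
! The login DN is the service account; membership in Domain Users is enough for lookups, so avoid
! using a Domain Admins account for this. Add a second "host" line for a redundant DC.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 server-type microsoft
 ldap-base-dn dc=example,dc=local
 ldap-group-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc_idfw,ou=Service Accounts,dc=example,dc=local
 ldap-login-password PLACEHOLDER_PASSWORD
!
! --- Section 2 (assumed): the Context Directory Agent, which supplies the username-to-IP mappings.
! The ASA talks to it as a RADIUS server in AD-agent mode; the key must match the one set on the CDA.
aaa-server CDA protocol radius
 ad-agent-mode
aaa-server CDA (inside) host 10.0.0.20
 key PLACEHOLDER_SHARED_SECRET
 user-identity
!
! --- Section 3 (assumed): bind the NetBIOS domain name (not the DNS name) to the LDAP group and
! register the agent. EXAMPLE is the value read from the root domain object or from gpresult.
user-identity domain EXAMPLE aaa-server AD_LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server CDA
!
! --- Section 4 (assumed): fail-safe behaviour when lookups break, then enable the feature.
! Removing stale user-IP mappings prevents a reused address from inheriting another user's policy.
user-identity action netbios-response-fail remove-user-ip
user-identity action domain-controller-down EXAMPLE disable-user-identity-rule
user-identity action ad-agent-down disable-user-identity-rule
user-identity enable
!
! --- Verification from the ASA CLI (run after the above is applied):
! test aaa-server ad-agent CDA          -> confirms the shared secret and reachability of the CDA
! show user-identity ad-agent           -> agent status and synchronisation state
! show user-identity user all           -> the IP-to-user mappings the ASA currently holds
```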