Large Scale Control of Web (How are you doing it?)

Mar 2nd, 2010

I just want to start a discussion on how some of us may be controlling web access. I have reviewed some of the ASA features such as outbound firewall authentication but it does not seem to scale and it does not seem to operate real well with multiple auth windows. We have a very mixed environment with Mac as well as PCs that may or may not be under our domain control. Many of the managers do not want multiple authentications and just want it to happen without user intervention.

Any suggestions?  I need to be able to trace traffic back to particular users.  I also need to have varying degrees of URL filtering.

Just want to hear how some of you may be taking care of knowing who is doing what on the internet.

Panos Kampanakis (Cisco Employee), Wed, 03/03/2010 - 08:12

URL filtering and auth proxy are different things.

For filtering you can use IPS URL filtering, CSC module in ASA, N2H2 and Websense. They all scale quite well if your router is big enough and if you are within their specs.

For authenticating certain users, the CSC can define policies with AD and force them according to what group you belong in, so that is pretty helpful I believe.

For the rest, auth proxy authentication will be done separately either on a router or ASA, with downloadable ACLs potentially.

Just some options out there...

I hope it helps.


Kureli Sankar (Cisco Employee), Wed, 03/03/2010 - 08:53

I believe you are asking if the users can be authenticated when they open the browser to surf the web.

With Websense and Active Directory integration you can use group policies to push changes to the browser to take the locally logged in domain login credentials (not even throw a login window) when a user tries to open IE to surf the web.

These users' requests will be sent to Websense and you can generate reports from Websense based on the domain user ID and the sites visited.

I have implemented this in the past with great success. If you have more than 500 users this may be a good option for you.


