Cisco Support Community

FAQ from Webcast on Integrating Cisco Cloud Security with ISR

 

Introduction:

These are the questions asked during the Live Expert Webcast on July 22, 2014, in which Cisco subject matter expert Kureli Sankar explained how to integrate Cisco Cloud Web Security (CWS) with the Cisco Integrated Services Router Generation 2 (ISR G2). The webcast also covered how the ISR G2 works with Cisco CWS, the steps required, and things to take into consideration when deploying Cisco CWS with Cisco ISR G2.

Related Links

Download the Slides

Watch the Presentation


General Questions:

Q: WSE in the cloud uses an ISR. So the client would still need an ASA, correct?

A: No, you would need an ISR, an ASA, a WSA or a standalone connector.

  

Q: Is configuration available through a GUI such as CCP as an alternative to the CLI?

A: Management tools which can be used are:

  • Cisco Security Manager: CLI Config.
  • Prime Infrastructure: a template-based tool with pre-configured templates that need to be customized according to the needs of the user.

Q: Can ScanSafe generate reports based on workstation MAC addresses/IP addresses? Or is it only able to report on users within Active Directory? What about guest users without an AD account?

A: We can get the report based on the IP address but not the MAC address. This reporting works for all users, corporate or guest, whether they use AD or not.

Q: Is a demo available for customers and partners?

A: The video recording will be available in the Cisco Support Community within five business days. You will be able to see it at the link below:

 https://supportforums.cisco.com/expert-corner/knowledge-sharing

 

You would need your own ScanCenter account, and then you can do the exact demo our expert Kureli is doing. Typically SEs get their own account, and the way to get an account is by sending a request as detailed in:

http://sswiki.cisco.com/index.php/Labs#Cisco_SE.27s_and_other_Employees

 

There are also NFR accounts for registered partners. The wiki page explains how that is done.

 

Q: Is there any collaboration between Cisco PSIRT and ScanSafe virus detection?

A: Absolutely, our SIO and PSIRT teams monitor the process. When "Heartbleed" emerged, we got the information at an early stage and were able to come up with fixes and patches. Yes, collaboration between both teams enables swift and prompt action.

Q: As soon as I enable content scan, Internet access becomes slow. How do I troubleshoot it?

A: We have come across a couple of cases describing this issue. Geographical identification of the primary and secondary towers is done by the ISR. Sometimes, when the locations are recorded, there can be a mismatched tower-location entry. For example, the ISR shows the primary tower in "Florida" geographically, but physically it may be connected to a tower somewhere in "California". Such a mismatched configuration results in slow Internet access because an extra hop is added. The user needs to get in sync with the CWS team so that the mismatch can be rectified and avoided.

Q: When I reboot the router the towers do not come back up. It takes a while and I have to remove and re-add the parameter-map. 

A: This is a rare issue which occurs due to the Crypto ISN module used in the ISR G2 router. The issue is already resolved and patched in v15.4, which will be available very soon.

Q: I configured CWS but the towers always show down. How can I troubleshoot?

A: This is a very simple issue. It happens when the source interface on the ISR that reaches the tower is misconfigured. The interface checks the tower's availability by sending an ICMP echo packet on port 80.

Q: Is there a free trial where I can test CWS for a certain number of days, weeks or months?

A: Yes, there is a 45-day evaluation license available for users. Users need to reach out to their local Cisco account team for it.

Q: Is CWS compatible with ZBF? How about IOS-IPS?

A: Yes, CWS is compatible with ZBF and IOS IPS.

Q: Why do I get some other country's/region's home page when I use the CWS service?

A: If the user is in the US, ideally they should get the US Google or Yahoo page. You get a different page because the country might not support tower allocation, so the user unwillingly has to send traffic through another country. Countries which don't support it are China and the UAE.

Q: I am not able to access the intranet websites when CWS is turned on.

A: For this you need to add your "intranet" websites under "white list".
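
A configuration sketch for two of the answers above (the source interface the ISR uses to reach the towers, and whitelisting intranet sites), added here as an example and not taken from the webcast or its slides. The interface, the regex and ACL names, the hostnames and the subnets are assumptions; the tower and license lines are left out because they come from your own ScanCenter account.

```cisco
! Added example. Interface, names, hostnames and subnets are placeholders.
!
! Intranet hostnames that must bypass the CWS towers
parameter-map type regex INTRANET-HOSTS
 pattern .*\.corp\.example\.com
 pattern intranet\.example\.com
!
! Internal destination subnets that must bypass the towers
ip access-list extended INTRANET-NETS
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
! Whitelisted traffic goes out directly instead of being redirected to CWS
content-scan whitelisting
 whitelist header host regex INTRANET-HOSTS
 whitelist acl name INTRANET-NETS
!
! The "server scansafe primary/secondary ..." and "license ..." lines for
! your account also belong under this parameter-map (omitted here).
! The source interface must be the one that actually has a route to the
! towers; on-failure block-all fails closed if both towers are unreachable.
parameter-map type content-scan global
 source interface GigabitEthernet0/0
 server scansafe on-failure block-all
!
! Redirection is enabled on the Internet-facing (egress) interface
interface GigabitEthernet0/0
 content-scan out
!
! After applying, check tower state and redirection counters with:
!   show content-scan summary
!   show content-scan statistics
```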

Q: What’s the maximum number of concurrent sessions we support with the CWS solution?

A: Approximately 32000 concurrent sessions can be achieved.

Q: I have an existing proxy in my setup. Will the CWS solution work on top of it, or do I need any change in my existing network?

A: You would require a change in the setup, because once CWS receives the packets it forwards them towards the towers and changes the destination IP along with the port number (80,443 to 80). If you have a proxy, the proxy will change the destination IP and will send data on 8080. So changes should be made on the ISR to read traffic coming from 8080 as well, or else it will keep denying it. The user would require a NAT device inside for the conversation.

Q: Does IPv6 support the CWS solution?

A: Currently IPv6 is not supported. The product management team is already working on it.
