Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
844
Views
0
Helpful
4
Replies

New To WSA, coming from Trustwave M86

Steven Williams
Level 4
Level 4

‎10-08-2014 04:45 PM

New to WSA. I have good exp with Trustwave M86 products and websense.

 

Some out of the gate questions/tasks:

 

Where in the WSA do I check my licensing? How is this licensed? Per user? Per connection?

Current deployment is proxy, would like to redeploy using WCCP? What caveats if any with WCCP deployment?

How does this define authentication? Trustwave used source IP, or AD for the most part? Can this use AD or RADIUS/TACACS?

I understand that I can run a VM in addition to my two physical appliances, licensing is ok for this as long as I do not exceed my licensing, thus the reason to know how to look up current licensing. I would like to run vm in DMZ for guest wireless.

Any help with these basic things would be great. I am going to dive into the documentation now for a long night.

 

Thanks.

Labels:
0 Helpful
4 Replies 4

Ken Stieers
VIP
VIP

‎10-09-2014 07:27 AM

Its licensed per user for the various pieces, but its on your honor.  No count of users is kept.

 

WCCP: What are you using for WCCP?  There are some architectural requirements if you're using an ASA, and make sure you're running recent code...early ASA 8.x stuff had issues.

 

The box can use AD.  You can define various things (IPs, user agent, etc...) that don't require authentication (eg servers that go get their stuff automatically).  It can do tranparent auth, where users get authed on first web hit with browser and the users don't see anything.   It tracks who's authed where by "surrogates", IP or cookie (which doesn't work for some things, like apps that don't use cookies)

 

You probably want to deploy a CDA though.  It gets auth info from AD and passes it to the WSAs so they know before the user hits a site.  That way apps that aren't web based can still go out without the user having to hit a web page first.

 

Basically, you're covered for licensing to build as many VMs as you want, licenced per seat in your enterprise...

 

 

 

0 Helpful

Steven Williams
Level 4
Level 4
In response to Ken Stieers

‎10-23-2014 09:53 AM

Struggling with this deployment a bit. I have enabled WCCP on my ASA's from what I can tell its working from debug wccp events, and packet output. I cant seem to get policies working. How does authentication work with wccp transparent? Do I need to use a AD agent model to accomplish this? I created a custom URL category called test, added facebook to the list. then created an identity called test, defined my test PC IPs address and selected my AD domain as the Realm that I configured, surrogate type is IP address. I then created an access policy called test, selected my test identity > all authenticated users > no advanced options. When I go to the client I can get to facebook which I put in the list. Plus I logged on to the pc with local creds, not domain creds, so I assumed to get prompted for user and password, but didn't. please help.

 

0 Helpful

Ken Stieers
VIP
VIP
In response to Steven Williams

‎10-23-2014 10:21 AM

With Transparent WCCP and an AD realm, you get authed automatically with IE, (and Firefox and Chrome? ) because the WSA feeds the browser with an auth request and IE just does it.

If you use something that doesn't handle web auth (Outlook, the MS connectivity status doohickey), they can't get out until you auth with the browser.... You can use the CDA (eg an agent) to get around this... but save that for later...

What's your surrogate timeout?  It may still have you logged in on that IP....  (Network/Authentication)  You can clear it by going to the CLI, enter "authcache" and use "flushall" or "flushuser"

 

 

0 Helpful

Steven Williams
Level 4
Level 4
In response to Ken Stieers

‎10-23-2014 11:13 AM

Maybe my wccp config on the asa is not correct. I see the redirect count going up, but cant get to anything internet on client. 16.22 and .16.23 are the WSA. I know that only one wccp server is supported with wccp on the asa, but I have both there now in the event one dies. Maybe the way this is setup for testing is a bad design. My client, ASA inside interface and WSA P1 ports are all on the same subnet. Normally I would have a the ASA inside interface connected to my core 4500's on a separate vlan or even layer 3 links, the WSA's in a separate vlan and clients in different vlans as well. but I cant throw this on my core yet

Preview file
98 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents