New to WSA. I have good exp with Trustwave M86 products and websense.
Some out of the gate questions/tasks:
Where in the WSA do I check my licensing? How is this licensed? Per user? Per connection?
Current deployment is explicit proxy; I would like to redeploy using WCCP. What caveats, if any, are there with a WCCP deployment?
How does this define authentication? Trustwave used source IP, or AD for the most part. Can this use AD or RADIUS/TACACS?
I understand that I can run a VM in addition to my two physical appliances; licensing is OK for this as long as I do not exceed my licensing, hence the need to know how to look up current licensing. I would like to run a VM in the DMZ for guest wireless.
Any help with these basic things would be great. I am going to dive into the documentation now for a long night.
It's licensed per user for the various pieces, but it's on your honor. No count of users is kept.
WCCP: What are you using for WCCP? There are some architectural requirements if you're using an ASA, and make sure you're running recent code; early ASA 8.x code had issues.
You probably want to deploy a CDA though. It gets auth info from AD and passes it to the WSAs so they know before the user hits a site. That way apps that aren't web based can still go out without the user having to hit a web page first.
Basically, you're covered for licensing to build as many VMs as you want, licensed per seat in your enterprise...
Struggling with this deployment a bit. I have enabled WCCP on my ASAs; from what I can tell it's working, from "debug wccp events" and packet output. I can't seem to get policies working. How does authentication work with WCCP transparent? Do I need to use an AD agent model to accomplish this? I created a custom URL category called test and added facebook to the list. Then I created an identity called test, defined my test PC's IP address and selected my AD domain as the realm that I configured; surrogate type is IP address. I then created an access policy called test, selected my test identity > all authenticated users > no advanced options. When I go to the client I can get to facebook, which I put in the list. Plus I logged on to the PC with local creds, not domain creds, so I assumed I would get prompted for user and password, but didn't. Please help.
With transparent WCCP and an AD realm, you get authed automatically with IE (and Firefox and Chrome?) because the WSA feeds the browser an auth request and IE just does it.
If you use something that doesn't handle web auth (Outlook, the MS connectivity status doohickey), they can't get out until you auth with the browser. You can use the CDA (i.e. an agent) to get around this, but save that for later...
What's your surrogate timeout? It may still have you logged in on that IP.... (Network/Authentication) You can clear it by going to the CLI, enter "authcache" and use "flushall" or "flushuser"
Maybe my WCCP config on the ASA is not correct. I see the redirect count going up, but can't get to anything on the internet from the client. 16.22 and .16.23 are the WSAs. I know that only one WCCP server is supported with WCCP on the ASA, but I have both there now in the event one dies. Maybe the way this is set up for testing is a bad design. My client, the ASA inside interface and the WSA P1 ports are all on the same subnet. Normally I would have the ASA inside interface connected to my core 4500s on a separate VLAN or even layer 3 links, the WSAs in a separate VLAN and clients in different VLANs as well, but I can't throw this on my core yet.
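For the same-subnet lab described above, a minimal ASA-side WCCP configuration, added here as an example and not taken from this thread or from Cisco documentation; the subnet 10.0.16.0/24, the WSA addresses 10.0.16.22/.23, the ACL names and the interface name "inside" are assumed placeholders.

```text
! Assumed placeholders: clients and the WSA P1 ports share 10.0.16.0/24
! behind the ASA "inside" interface; WSAs at 10.0.16.22 and 10.0.16.23.
!
! Group list: only these hosts may join the WCCP service group.
access-list WSA-GROUP extended permit ip host 10.0.16.22 any
access-list WSA-GROUP extended permit ip host 10.0.16.23 any
!
! Redirect list: deny the WSAs' own outbound traffic first, so their
! upstream fetches are not redirected back to them (a loop on a shared
! subnet), then permit client HTTP. The standard "web-cache" service
! covers TCP/80 only; other ports need a dynamic service defined on the WSA.
access-list WCCP-REDIRECT extended deny ip host 10.0.16.22 any
access-list WCCP-REDIRECT extended deny ip host 10.0.16.23 any
access-list WCCP-REDIRECT extended permit tcp 10.0.16.0 255.255.255.0 any eq www
!
wccp web-cache redirect-list WCCP-REDIRECT group-list WSA-GROUP
!
! Redirection is applied inbound on the interface the clients sit behind;
! the ASA expects the WSAs to be reachable on that same interface.
wccp interface inside web-cache redirect in
!
! Verify: the WSAs should appear as members of the service group.
show wccp
```

On the WSA side the matching WCCP service must list the ASA inside address as its router, and the surrogate cache can be cleared with the "authcache" CLI command mentioned above when re-testing authentication.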