Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

New To WSA, coming from Trustwave M86

New to WSA. I have good exp with Trustwave M86 products and websense.

 

Some out of the gate questions/tasks:

 

Where in the WSA do I check my licensing? How is this licensed? Per user? Per connection?

Current deployment is proxy, would like to redeploy using WCCP? What caveats if any with WCCP deployment?

How does this define authentication? Trustwave used source IP, or AD for the most part? Can this use AD or RADIUS/TACACS?

I understand that I can run a VM in addition to my two physical appliances, licensing is ok for this as long as I do not exceed my licensing, thus the reason to know how to look up current licensing. I would like to run vm in DMZ for guest wireless.

Any help with these basic things would be great. I am going to dive into the documentation now for a long night.

 

Thanks.

  • Web Security
Everyone's tags (5)
4 REPLIES

Its licensed per user for the

Its licensed per user for the various pieces, but its on your honor.  No count of users is kept.

 

WCCP: What are you using for WCCP?  There are some architectural requirements if you're using an ASA, and make sure you're running recent code...early ASA 8.x stuff had issues.

 

The box can use AD.  You can define various things (IPs, user agent, etc...) that don't require authentication (eg servers that go get their stuff automatically).  It can do tranparent auth, where users get authed on first web hit with browser and the users don't see anything.   It tracks who's authed where by "surrogates", IP or cookie (which doesn't work for some things, like apps that don't use cookies)

 

You probably want to deploy a CDA though.  It gets auth info from AD and passes it to the WSAs so they know before the user hits a site.  That way apps that aren't web based can still go out without the user having to hit a web page first.

 

Basically, you're covered for licensing to build as many VMs as you want, licenced per seat in your enterprise...

 

 

 

New Member

Struggling with this

Struggling with this deployment a bit. I have enabled WCCP on my ASA's from what I can tell its working from debug wccp events, and packet output. I cant seem to get policies working. How does authentication work with wccp transparent? Do I need to use a AD agent model to accomplish this? I created a custom URL category called test, added facebook to the list. then created an identity called test, defined my test PC IPs address and selected my AD domain as the Realm that I configured, surrogate type is IP address. I then created an access policy called test, selected my test identity > all authenticated users > no advanced options. When I go to the client I can get to facebook which I put in the list. Plus I logged on to the pc with local creds, not domain creds, so I assumed to get prompted for user and password, but didn't. please help.

 

With Transparent WCCP and an

With Transparent WCCP and an AD realm, you get authed automatically with IE, (and Firefox and Chrome? ) because the WSA feeds the browser with an auth request and IE just does it.

If you use something that doesn't handle web auth (Outlook, the MS connectivity status doohickey), they can't get out until you auth with the browser.... You can use the CDA (eg an agent) to get around this... but save that for later...

What's your surrogate timeout?  It may still have you logged in on that IP....  (Network/Authentication)  You can clear it by going to the CLI, enter "authcache" and use "flushall" or "flushuser"

 

 

New Member

Maybe my wccp config on the

Maybe my wccp config on the asa is not correct. I see the redirect count going up, but cant get to anything internet on client. 16.22 and .16.23 are the WSA. I know that only one wccp server is supported with wccp on the asa, but I have both there now in the event one dies. Maybe the way this is setup for testing is a bad design. My client, ASA inside interface and WSA P1 ports are all on the same subnet. Normally I would have a the ASA inside interface connected to my core 4500's on a separate vlan or even layer 3 links, the WSA's in a separate vlan and clients in different vlans as well. but I cant throw this on my core yet

93
Views
0
Helpful
4
Replies