topic WSA 390 Explicit Proxy Mode in Web Security

WSA 390 Explicit Proxy Mode

Bilal Ahmad — Sun, 29 Jan 2017 13:52:43 GMT

I have two Cisco WSA 390 boxes and I have the below types of users

1. Domain users which I am planning to integrate with WSA and apply the policies from WSA for Internet Access.
2. Wireless Guest which are authenticated by WLC and access the internet and these users are not part of any domain.
3. Tenant users which are located in my remote branches and are part of different domain which I have no control but these users come to my network for internet access.

For #1 I can simply use explicit proxy and I can push the proxy setting from AD group policy and users will use WSA as a proxy.
For #2 and #3 I am planning to use the PBR in my cisco Core switch. Since internet traffic from both 2 and 3 are passing through the core , can I use a PBR and direct all traffic to WSA IP? Will that work for me as I don't have the option of pushing the proxy IP in these clients.

Please advice

Thanks

You can also use WCCP. WCCP

Ravi Singh — Wed, 01 Feb 2017 19:58:53 GMT

You can also use WCCP. WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent redirection, users do not have to configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and their requests are automatically redirected to an application engine. For more information please see the below link

Configuring WCCP - Cisco

Hi Ravi

Bilal Ahmad — Thu, 02 Feb 2017 05:48:07 GMT

Hi Ravi

Thanks for the answer. I would have been using WCCP but the customer is not ready for using it. I have to use the explicit proxy mode. Can I configure it the way I have mentioned in my first topic?

Please advice

Thanks

Bilal What I think You can

Ravi Singh — Thu, 02 Feb 2017 15:35:26 GMT

Bilal What I think You can configure PBR on core switch and host the PAC file on WSA to push the proxy setting for #2 and #3. Hope this work for you

Hi Bilal,

kushsriva — Tue, 07 Feb 2017 09:01:40 GMT

Hi Bilal,

If you want to configure Explicit Proxy in your network, you can check the WPAD configuration.

The Web Proxy Auto-Discovery (WPAD) protocol is a method used by Web browsers to locate a Proxy Auto-Config (PAC) file automatically.

WPAD can use DNS or DHCP to locate a PAC file.

A DHCP server must be configured to serve an additional setting in an IP address assignment; option 252. This option specifies the exact location of the PAC file.

The file name does not need to follow any specific naming convention, however if WPAD DNS is to be used also, the file must have the file name wpad.dat.

For more information, you can refer to: http://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/WPADAP.html

Thanks & Regards,

Kushagra Srivastava

Check the link below

gohussai — Sat, 29 Jul 2017 01:15:02 GMT

Check the link below

http://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/WPADAP.html

Moreover Web Proxy Auto-Discovery (WPAD) protocol is a method used by Web browsers to locate a Proxy Auto-Config (PAC) file automatically.

WPAD can use DNS or DHCP to locate a PAC file.

A DHCP server must be configured to serve an additional setting in an IP address assignment; option 252. This option specifies the exact location of the PAC file.

The file name does not need to follow any specific naming convention, however if WPAD DNS is to be used also, the file must have the file name wpad.dat.