Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3531
Views
0
Helpful
4
Replies

Cisco WSA Block Internet Access

scottkoontz
Level 1
Level 1

‎04-05-2016 03:03 PM - edited ‎03-08-2019 05:39 PM

We would like to block proxy access to the Internet for a group of workstations and servers based on AD Group membership.  Is this possible?  If not, what is the best approach to blocking Internet access for specific Windows workstations and servers?

Thanks.

Labels:
0 Helpful
4 Replies 4

Handy Putra
Cisco Employee
Cisco Employee

‎04-06-2016 04:46 PM

Yes you can block all access based on AD group, to do this:

1. enable authentication in the WSA (creating authentication realm and join to domain)

2. Create Identity and enable authentication in the Identity by selecting the authentication realm you just created and also select the authentication surrogate for it.

3. Create policies (Access Policy for HTTP and Decryption policy for HTTPS -  of HTTPS proxy is enabled) and use the Identity that you just created and select specific AD group for that policy.

4. Then in that policy you can set the level of access based on the pre-define categories or custom categories or you can set all block.

The other way to do this if you do not want to enable authentication in the appliance or based on AD groups and if you know the IP addresses or subnet for the specific windows workstations and servers. You can create Identity and enter the members by subnets for the IP addresses or subnets, then create policy for that Identity to block all access.

0 Helpful

fasteddye
Level 1
Level 1
In response to Handy Putra

‎04-08-2016 12:43 PM

We are looking to do something similar for a few PCs that will have static IPs so I would probably use the method without authentication.  However, would there be a way to create a policy that would allow access for updates (ex. Windows Updates, etc.) but block all other internet access?

Thanks.

0 Helpful

Handy Putra
Cisco Employee
Cisco Employee
In response to fasteddye

‎04-11-2016 04:29 PM

you can create a custom URL category for windows updates and put such as .windows.com, .windowsupdate.com or any domain that windows updates are using.

Then include that custom url category to your policy and set it to allow while all other predefine categories set to block.

0 Helpful

Peter Koltl
Level 7
Level 7

‎05-22-2016 01:59 AM

Windows and Acrobat updates can be specified in an Identity Profile so you don't need to create an URL category for that

0 Helpful
Customers Also Viewed These Support Documents