Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4450
Views
0
Helpful
3
Replies

CWS - getting started

David Fitzgerald
Level 1
Level 1

‎03-24-2015 02:50 PM - edited ‎03-08-2019 05:36 PM

I have inheirited a ScanSafe implementation, now called CWS.  It is not well documented, but essentially it works.    (EICAR test file gets denied). Those who implemented it are no longer around, so I'm on my own except for TAC and the community.  

The bulk of my users have the Web Security module installed as part of AnyConnect 3.1.04095.  Since it was initially installed by somebody other than me, we've changed a few things, w/o really keeping CWS as a major concern.  

  • I've upgraded the main ASA which provides VPN services from 8.x to 9.1(5).  The firewall isn't really aware of CWS, as pre 9.0 software was pretty much agnostic.  The migration guide to 8.4 didn't really say much about it, as I recall.  The ASA no Primary or Backup Server defined, and it has no License Key defined.  The AnyConnect clients seem to work anyways, conceivably because they were pushed with a valid package way back when.
  • I've added a couple more ASAs which are also unaware of the CWS infrastructure.  CWS is also unaware of them.
  • Through the Profile Editor and the ScanSafe portal, we've added some exceptions and we appear to have successfully migrated to the Next Generation Tower (NGT) infrastructure, including at least two outages.  The bulk of our changes have used the Hosted Config default file and the Profile Editor and not the default.PAC file.  The default.PAC file has been updated to reflect the NGT.  I've not a clue what the PAC file is for, or what the two options accomplish, or why I would choose one over the other.

I want to be able to completely understand this thing.  My problem appears to be that there just isn't just documentation on it. I have copies of the October 2014 AnyConnect Web Securty Deployment Guide, and also the ScanCenter Admin Guide R5.2, revised through 17-Mar-15

These guides seem to explain HOW to do various things, but are short on the WHY or WHAT it accomplishes sort of material.  I'm extremely reluctant to start poking around on my production firewall just to figure it all out, as this is viewed as a CLM - career-limiting move.

I see that there is a 5 day class (SASAA) for advanced ASA security, and from what I can tell, maybe one day is spent on CWS, and it is doubtful if it includes any NGT.  Sorry, I'm not really open to wasting a week of my time and my company's funds on something that may or may not pertinent.

My VAR (a big one) doesn't appear to have a lot of depth with CWS, and I'm working with Cisco on other suitable arangements.  So I'm curious if there are any other references out there that have a bit of street smarts to them.

In the mean time, I have a couple of really simple questions.

  1. Page 7 of the Admin guide mentions Scanned IP addresses.  Since I'm using ASAs on my perimeter, and my internal IPs are all RFC 1918, I'll want to use any egress/NAT addresses for my firewalls.  I get that.  Do I want to add my egress router IPs as well, as they are between the firewalls and the CWS infrastructure?
  2. Chapter 3 talks about User Management and Groups.  If all of my users are in AD, do I really need to worry about groups.  Why?  My users do not have Admin rights. One size could fit all.  
  3. Chapter 3 also mentions "Connector".  Notifications on the portal also mentions this.  Why do I need this?
  4. Chapter 5 gets into Authentication, and the current Company Key is completely unknown to me.  Page 24 of the Admin guide suggests that I merely need to Revoke the key and then create a new one.  OK, so I revoke the key and then create a new one.  That sounds like it might break all of my users.  Again, this would be another CLM.  Is there some means of recovering a company key?  I'm assuming that all of my ASAs would like to know this little tidbit.
  5. Speaking of the ASAs, the whole NGT thing seems to revolve around names like accessXXX.cws.sco.cisco.com and their related IP addresses (108.171.x.x) , while my DART bundle seems to indicate that in my case, my AnyConnect client is failing miserably, even while it states that Web Security is enabled. On other machines, I see a lot of 80.254.x.x IPs, which I believe are the old generation of web proxies.  Again, the EICAR file is being rejected by alert.scansafe.net, but I can't tell if this is old gen or next gen talking to me.

 

 

 

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎03-24-2015 10:23 PM

Hello David,

Profile Editor is used to update AnyConnect Web Security profile, and PAC file is typically used within your organization as an explicit proxy settings.

Here is more information on how to deploy CWS using proxy settings:

http://www.cisco.com/c/dam/en/us/td/docs/security/web_security/scancenter/deployment/guide/cws_dg_standalone_101714.pdf

 

To answer your questions:

1) Scanning IP is normally used when you point your proxy settings directly to CWS or using PAC file to redirect traffic to CWS. It will be your external NATed IP that CWS will see your IP Address as. The method of pointing your proxy settings on the browser is called explicit proxy. Scanning IP is typically used when the redirection method is explicit. The PDF above will have that information.

2) The Groups configuration on the portal is only required if you have different AD Group policies that you need to apply to different web filtering policies on. If your organization only requires the same rule for everyone, you can safely ignore those.

3) Connector is used to integrate with AD and redirect traffic to CWS. Here are the different Connector that customer can use as a method to redirect web traffic to CWS:

http://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/solution_overview_c96-721282.pdf

4) Currently your ASA is not configured as a Connector to redirect traffic to cloud. The redirection method that is used is AnyConnect Web Security, and the authentication key is linked on the AnyConnect Web Security profile. Here is more information on AnyConnect Web Security deployment:

http://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/cws_anyconnect.pdf

5) You will see that some towers are NGT, and some aren't. To confirm whether you are connecting to NGT tower, you can browse to http://whoami.scansafe.net. If you see proxy listed as 10xxx, those are NGT tower. For AnyConnect, it depends on which site you are connecting to, ie: East Coast, West Coast, etc to connect to different towers.

 

Hope that helps.

0 Helpful

David Fitzgerald
Level 1
Level 1
In response to Jennifer Halim

‎03-25-2015 07:50 AM

Jennifer, thanks for the pointers.  Of course, now I have more questions...

The first link you included was for the Standalone deployment guide.  The document appears to have a bunch of things that look like links, but they, are in fact not links, at least according to two browsers and Acrobat.    So all the collateral videos and what-have-you that Cisco took the time to create are completely useless to me.  Very annoying.

Page 1 lists additional deployment methods.  I believe that historically, and I could be wrong, the person who implemented the solution here went with the AnyConnect method.  I say that because at the time, the ASA we used was pre 8.4, and offered no direct support for ScanSafe. The bulk of my users still have that setup, as far as I can tell. Now that the 5520 is at 9.1.5, there is ScanSafe support, so I believe I could switch to the ASA with CWS Connector method.  Because the links are not valid, I don't know where all of these documents actually live.    I am finding competing design guides (CVDs) vs the various Deployment guides, and am sorting through those.

I do not believe we are using a Standalone deployment because the Proxy settings on my browser are not set.  I want to update my users AnyConnect clients to a more recent version, and I need to ensure we don't break anything in the process.

I did find a "Proxy Authentication License Key" in a recent Profile Editor file "default" file that I downloaded from the CWS portal.  Is this the key I'd also enter on the ASAs.

Typically we've deployed AnyConnect via a pre-deploy method.  I's like to also enable web-deploy, and have those two methods match 100%.

 

Moving on to your other points, I'm going to ignore groups.

 

Does switching methods have any effect on existing users?

 

 

 

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to David Fitzgerald

‎03-27-2015 12:59 AM

Apology for inaccessible links within the document, we are getting it sorted asap. In the mean time, here are the videos for your reference:

Verify connection to a Proxy

Authentication license key creation and management

Configure a PAC file

Host a PAC file in the cloud

Configure clients to use a PAC file

How to configure ASA Connector

How to configure ACL White Listing on ASA Connector

How to configure User Identity for ASA Connector

 

You are right in regards to why AnyConnect might have been chosen in the past as ASA Connector is only supported from version 9.x, and 9.1.5 and above is the recommended version.

 

The benefit of using AnyConnect Web Security is users are protected whether they are in the corporate network or outside of corporate network as they take their laptop home/internet kiosks/etc. ASA Connector will redirect traffic to CWS for corporate network only, and for user granularity, you will need to integrate ASA with CDA.

Alternatively, you can have hybrid where corporate network uses ASA Connector to redirect traffic to cloud, and AnyConnect Web Security is used when user leaves the corporate network.

0 Helpful
Customers Also Viewed These Support Documents