Mohit Soni
Cisco Employee

This document is a deployment guide for Cisco and Microsoft engineers, partners, and customers who want to run Cisco Secure Web Appliance (WSA) as the web proxy for an Azure Stack Hub.

Product Description

Cisco Secure Web Appliance (WSA) is an all-in-one, highly secure on-premises and public-cloud web gateway that offers broad protection, extensive controls, and investment value. It provides an array of web security deployment options, each of which includes Cisco’s global threat intelligence infrastructure. WSA correlates information from otherwise disparate security point solutions so that threats are identified faster and mitigated and remediated more effectively.

 

Azure Stack Hub extends Azure by providing a way to run applications in an on-premises environment and deliver Azure services within the datacenter. Organizations are increasingly moving towards the public cloud; however, certain workloads remain on-premises because of business requirements, technological limitations and regulations. Azure Stack Hub provides a hybrid cloud approach to managing all applications and workloads.

 

Cisco Secure Web Appliance (WSA) and Azure Stack Hub together provide a comprehensive, easy-to-deploy solution that helps organizations monitor and control the web traffic leaving the Azure Stack Hub. The solution enforces policy on that traffic whether it uses HTTP, HTTPS (TLS/SSL) or FTP.

 
 


 

WSA Configuration Setup:

  • Run the WSA System Setup Wizard before configuring WSA policies and rules.
  • Cisco Secure Web Appliance can be deployed in explicit forward mode or in transparent mode.
  • Cisco recommends configuring high availability for redundancy. Refer to the User Guide for further information.
  • Configure custom URL categories for the Azure Stack Hub services.
  • Set the Pass Through action for those custom URL categories in the Decryption Policy and the Allow action in the Access Policy.

Configure the Cisco Secure Web Appliance to allow the traffic generated by the Azure Stack Hub:

 

Step 1: Deploy and install Cisco Secure Web Appliance. Refer to the WSA Install Guides.

 

Step 2: Run the System Setup Wizard to complete the initial network-level configuration of the WSA and to initialise the proxy service.

  • Navigate to System Administration > System Setup Wizard to start the configuration wizard.
  • After the wizard completes, verify the proxy settings in the WSA UI under Security Service > Proxy Service.

 

Step 3: Enable the HTTPS Proxy

  • Navigate to Security Services > HTTPS Proxy and enable it. The WSA needs a root certificate and key (generated on the appliance or uploaded) before it can decrypt any TLS session, and the decryption policy configured in Step 5 is only evaluated while the HTTPS proxy is enabled.

Step 4: Configure Custom URL Categories

 

  1. Add a custom category named “Identity” with the URLs and regular expressions listed below:

URL List:

.graph.chinacloudapi.cn

.graph.cloudapi.de

.graph.windows.net

.login.chinacloudapi.cn

.login.microsoftonline.com

.login.microsoftonline.de

.login.microsoftonline.us

.login.windows.net

.management.azure.com

.management.core.windows.net

.msauth.net

.msftauth.net

.msocdn.com

.office.com

.secure.aadcdn.microsoftonline-p.com

 

Regex list:

https://secure.aadcdn.microsoftonline-p.com 

www.office.com 

https://login.microsoftonline.us/ 

https://graph.windows.net/* 

https://login.chinacloudapi.cn/ 

https://graph.chinacloudapi.cn/ 

https://login.microsoftonline.de/ 

https://graph.cloudapi.de/ 

https://management.azure.com 

https://management.core.windows.net 

https://*.msftauth.net

https://*.msauth.net

https://*.msocdn.com

 

  2. Add a custom category named “Marketplace Syndication” with the URLs and regular expressions listed below:

URL List:

.azureedge.net

.blob.core.usgovcloudapi.net

.blob.core.windows.net

.management.azure.com

.management.usgovcloudapi.net

 

Regex list:

https://management.azure.com 

https://management.usgovcloudapi.net/ 

https://*.blob.core.windows.net

https://*.azureedge.net

https://aka.ms/* 

https://feedback.azure.com/* 

https://windowsazure.uservoice.com/* 

https://go.microsoft.com/* 

https://azure.microsoft.com/* 

 

  3. Add a custom category named “PatchUpdate” with the URLs and regular expressions listed below:

URL List:

.azureedge.net

 

Regex List:

https://aka.ms/azurestackautomaticupdate 

https://*.azureedge.net

http://go.microsoft.com/* 

 

  4. Add a custom category named “Registration” with the URLs and regular expressions listed below:

URL List:

.login.microsoftonline.com

.management.azure.com

.management.chinacloudapi.cn

.management.usgovcloudapi.net

 

Regex List:

https://management.azure.com 

https://management.usgovcloudapi.net/ 

https://management.chinacloudapi.cn 

https://login.microsoftonline.com/* 

 

  5. Add a custom category named “Usage” with the URLs and regular expressions listed below:

URL List:

.trafficmanager.cn

.trafficmanager.net

.usgovtrafficmanager.net

 

Regex List:

https://*.trafficmanager.net

https://*.usgovtrafficmanager.net

https://*.trafficmanager.cn

 

  6. Add a custom category named “Windows Defender” with the URLs and regular expressions listed below:

URL List:

.download.microsoft.com

.secure.aadcdn.microsoftonline-p.com

.update.microsoft.com

.wd.microsoft.com

.wdcp.microsoft.com

.wdcpalt.microsoft.com

 

Regex List:

https://secure.aadcdn.microsoftonline-p.com 

 

  7. Add a custom category named “CRL” with the URLs and regular expressions listed below:

URL List:

.ctldl.windowsupdate.com

 

Regex List:

http://crl.microsoft.com/pki/crl/products 

http://mscrl.microsoft.com/pki/mscorp 

http://www.microsoft.com/pki/certs 

http://www.microsoft.com/pki/mscorp 

http://www.microsoft.com/pkiops/crl 

http://www.microsoft.com/pkiops/certs 

http://ctldl.windowsupdate.com/* 

 

  8. Add a custom category named “Diagnostic Log Collection” with the URLs and regular expressions listed below:

URL List:

https://azsdiagppelocalwestus02.blob.core.windows.net 

https://azsdiagppewestusfrontend.westus.cloudapp.azure.com 

https://azsdiagprdwestusfrontend.westus.cloudapp.azure.com 

 

Regex List:

 

  9. Add a custom category named “portal” with the URLs and regular expressions listed below:

URL List:

portal.3171r02a.azcatcpec.com

(This is the user-portal FQDN of one particular deployment. Substitute the portal FQDN of your own Azure Stack Hub, which has the form portal.<region>.<fqdn>.)
 

Regex List:

https://docs.microsoft.com/* 

 

After configuring the custom URL categories in the previous steps, the categories list should look like this:


Cisco recommends one custom URL category per traffic type: the category name then appears in the access log entries, which makes troubleshooting much easier. The endpoint lists above come from Microsoft’s Azure Stack Hub firewall integration documentation; re-check them there when a deployment fails, because the URLs change over time. Note also that the WSA “Regular Expressions” field takes regular expressions, not URL globs: an unescaped `.` matches any character and `*` repeats the preceding character, so an entry such as `https://*.msauth.net` does not match `https://login.msauth.net` literally. The leading-dot entries in the URL lists, which match a domain and all of its subdomains, are what actually catch these hosts. If you keep regex entries, escape the dots and use `.*` for the wildcard, for example `https://.*\.msauth\.net`.
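To see how the two kinds of entry behave, here is an added example that is not part of this guide and not a WSA export: a Python model of the matching rules. It assumes WSA “Sites” semantics (a leading dot matches the domain and every subdomain, anything else must equal the host exactly), assumes that a Regex entry is evaluated as an unanchored regular-expression search over the full URL (Python’s `re` module stands in for the appliance’s engine on these simple constructs), and treats a category as matched when either list matches. The categories are a constructed subset of the ones above. It shows why the glob-style regex entries do not match what they look like, and includes a helper that rewrites them into escaped, anchored patterns.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the custom URL categories from this guide (not a WSA export).
CATEGORIES = {
    "Identity": {
        "sites": [".login.microsoftonline.com", ".msauth.net", ".graph.windows.net"],
        "regex": ["https://*.msauth.net", "https://login.microsoftonline.us/"],
    },
    "Marketplace Syndication": {
        "sites": [".blob.core.windows.net", ".azureedge.net"],
        "regex": ["https://aka.ms/*", "https://*.azureedge.net"],
    },
    "CRL": {
        "sites": [".ctldl.windowsupdate.com"],
        "regex": ["http://crl.microsoft.com/pki/crl/products"],
    },
}


def site_matches(entry, host):
    """WSA 'Sites' semantics: a leading dot matches the domain itself and every
    subdomain; an entry without a leading dot must equal the host exactly."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def regex_matches(pattern, url):
    """Assumption: the WSA evaluates a Regex entry as an unanchored search over
    the full URL, so '.' is any character and '*' repeats the preceding token."""
    return re.search(pattern, url) is not None


def classify(url):
    """Return {category: {"sites": [...], "regex": [...]}} for every category
    whose Sites or Regex list matches the URL, recording which entries hit."""
    host = urlsplit(url).hostname or ""
    hits = {}
    for name, lists in CATEGORIES.items():
        by_site = [e for e in lists["sites"] if site_matches(e, host)]
        by_regex = [p for p in lists["regex"] if regex_matches(p, url)]
        if by_site or by_regex:
            hits[name] = {"sites": by_site, "regex": by_regex}
    return hits


def harden_regex(glob):
    """Rewrite a glob-style entry such as 'https://*.msauth.net' into a regex
    that means what it looks like: dots are literal, '*' stays inside one host
    or path segment, the match is anchored to the start of the URL and must
    end at a path, query or fragment boundary."""
    body = re.escape(glob.rstrip("/")).replace(r"\*", "[^/]*")
    return "^" + body + "(?:[/?#]|$)"


if __name__ == "__main__":
    for url in (
        "https://login.msauth.net/oauth2",                     # real identity endpoint
        "https://xmsauthxnet/",                                # bogus host without a single dot
        "https://evil.example.com/?next=https://aka.ms/foo",   # aka.ms only inside the query
    ):
        print(url, "->", classify(url))
    for glob in ("https://*.msauth.net", "https://aka.ms/*"):
        print(glob, "->", harden_regex(glob))
```

Run as written, the first URL is caught only by the `.msauth.net` Sites entry (the regex never fires), the second, unrelated host is caught by the regex alone, and the third is pulled into “Marketplace Syndication” because the unanchored search finds `https://aka.ms/` in the query string. The hardened patterns match the intended hosts and none of the decoys, which is the form to use if you want regex entries at all.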

 

Step 5: Create a new Decryption Policy, or edit an existing one, and set the action to Pass Through for the custom categories configured in Step 4. Pass Through tunnels the TLS session without decrypting it, so these endpoints receive no content scanning on the WSA; decrypting them instead would present the WSA’s own signing certificate to the Azure Stack Hub components, which do not trust it, and the connections would fail. Keep the pass-through scope limited to these categories.

  • Navigate to Web Security Manager > Decryption Policies and click the URL Filtering column of the policy.

Step 6: Create a new Access Policy, or edit an existing one, and set the action to Allow for the custom categories created in Step 4. Allow permits the request and skips the remaining filtering and malware scanning for it; if you want the plain-HTTP endpoints (for example the CRL and patch-download URLs) to still be scanned, use Monitor for those categories instead.

  • Navigate to Web Security Manager > Access Policies and click the URL Filtering column of the policy.

 

Refer to the Cisco Secure Web Appliance Best Practice Guide for further configuration guidance.
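Once the decryption and access policies are in place, the check a practitioner wants is confirmation that each category’s endpoints actually get through the proxy. The following is an added example, not code from this guide or from Cisco: a Python script that requests one representative URL per category through the WSA explicit proxy (hostname and port are assumed; 3128 is the WSA default proxy port) and distinguishes a WSA block page, assumed to carry the default end-user notification title, from any response that came back from the origin. The probe list is a constructed subset of Step 4, and the fetch function is injectable so the reporting logic can be exercised without network access.

```python
import urllib.error
import urllib.request

# Assumed address of the WSA explicit-proxy listener (3128 is the WSA default
# proxy port); replace with your appliance's hostname and port.
WSA_PROXY = "http://wsa.example.internal:3128"

# One representative URL per custom category from this guide (constructed
# subset; extend with the full lists from Step 4).
PROBES = {
    "Identity": "https://login.microsoftonline.com/",
    "Registration": "https://management.azure.com/",
    "PatchUpdate": "https://aka.ms/azurestackautomaticupdate",
    "CRL": "http://ctldl.windowsupdate.com/",
}

# Assumption: the default WSA end-user notification (block) page carries this
# title; adjust it if your appliance uses a customised notification page.
BLOCK_PAGE_MARKER = "This Page Cannot Be Displayed"


def fetch_via_proxy(url, proxy=WSA_PROXY, timeout=10):
    """GET the URL through the proxy (CONNECT for https) and return
    (status, first 4 KB of body); HTTP error statuses are returned, not raised."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    )
    req = urllib.request.Request(url, headers={"User-Agent": "azs-egress-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def verdict(status, body):
    """'blocked' when the response is the WSA notification page; otherwise
    'reached', because any origin response, including a 401 or 404 from an
    API that expects a bearer token, proves the proxy forwarded the request."""
    if status == 403 and BLOCK_PAGE_MARKER in body:
        return "blocked"
    return "reached"


def run_checks(probes=PROBES, fetch=fetch_via_proxy):
    """Probe every category and return {category: (verdict, status or reason)}."""
    report = {}
    for category, url in probes.items():
        try:
            status, body = fetch(url)
        except OSError as err:  # URLError (DNS, refused CONNECT) or a socket timeout
            report[category] = ("unreachable", str(getattr(err, "reason", err)))
            continue
        report[category] = (verdict(status, body), status)
    return report


if __name__ == "__main__":
    for category, (result, detail) in run_checks().items():
        print(f"{category:28} {result:12} {detail}")
```

A “blocked” row means the access policy in Step 6 does not yet allow that category (or the URL is not in it); an “unreachable” row points at the proxy address, DNS, or an upstream firewall rather than at WSA policy. Run it from a host on the same network path the Azure Stack Hub uses so the result reflects the policy that applies to it.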
