03-10-2021 12:09 PM - edited 03-31-2021 10:13 PM
This document is a deployment guide for Cisco and Microsoft engineers, partners, and customers who want to run Cisco’s Secure Web Appliance (WSA) with an Azure Stack Hub.
Cisco Secure Web Appliance (WSA) is an all-in-one, highly secure on-premise and public cloud web gateway that offers broad protection, extensive controls, and investment value. It provides an array of competitive web security deployment options, each of which includes Cisco's market-leading global threat intelligence infrastructure. WSA uses an integrated approach that helps disparate security point solutions triangulate information for faster identification, and effectively mitigate and remediate threats.
Azure Stack Hub extends Azure by providing a way to run applications in an on-premises environment and deliver Azure services within the datacenter. Organizations are increasingly moving towards the public cloud. However, certain workloads remain on-premise due to business requirements, technological limitations and regulations. Azure Stack Hub provides a hybrid cloud approach to manage all applications and workloads.
Cisco Secure Web Appliance (WSA) and the Azure Stack Hub provide a comprehensive, easy-to-deploy solution that helps organizations efficiently monitor and control web traffic leaving the Azure Stack Hub. The solution enforces policies to assure protection, whether using HTTP/HTTPS, File Transfer Protocol (FTP), or Secure Sockets Layer (SSL) for data transfer over the Web.
WSA Configuration Setup:
Configure the Cisco Secure Web Appliance to allow traffic generated from the Azure Stack Hub:
Step 1: Deploy and install Cisco Secure Web Appliance. Refer to WSA Install Guides:
Step 2: Run the System Setup Wizard to complete the WSA initial network-level configuration and to initialise the proxy service.
Step 3: Enable HTTPS Proxy
Step 4: Configure Custom URL Categories
URL List:
.graph.chinacloudapi.cn
.graph.cloudapi.de
.graph.windows.net
.login.chinacloudapi.cn
.login.microsoftonline.com
.login.microsoftonline.de
.login.microsoftonline.us
.login.windows.net
.management.azure.com
.management.core.windows.net
.msauth.net
.msftauth.net
.msocdn.com
.office.com
.secure.aadcdn.microsoftonline-p.com
Regex List:
https://secure.aadcdn.microsoftonline-p.com
www.office.com
https://login.microsoftonline.us/
https://graph.windows.net/*
https://login.chinacloudapi.cn/
https://graph.chinacloudapi.cn/
https://login.microsoftonline.de/
https://graph.cloudapi.de/
https://management.azure.com
https://management.core.windows.net
https://*.msftauth.net
https://*.msauth.net
https://*.msocdn.com
URL List:
.azureedge.net
.blob.core.usgovcloudapi.net
.blob.core.windows.net
.management.azure.com
.management.usgovcloudapi.net
Regex List:
https://management.azure.com
https://management.usgovcloudapi.net/
https://*.blob.core.windows.net
https://*.azureedge.net
https://aka.ms/*
https://feedback.azure.com/*
https://windowsazure.uservoice.com/*
https://go.microsoft.com/*
https://azure.microsoft.com/*
URL List:
.azureedge.net
Regex List:
https://aka.ms/azurestackautomaticupdate
https://*.azureedge.net
http://go.microsoft.com/*
URL List:
.login.microsoftonline.com
.management.azure.com
.management.chinacloudapi.cn
.management.usgovcloudapi.net
Regex List:
https://management.azure.com
https://management.usgovcloudapi.net/
https://management.chinacloudapi.cn
https://login.microsoftonline.com/*
URL List:
.trafficmanager.cn
.trafficmanager.net
.usgovtrafficmanager.net
Regex List:
https://*.trafficmanager.net
https://*.usgovtrafficmanager.net
https://*.trafficmanager.cn
URL List:
.download.microsoft.com
.secure.aadcdn.microsoftonline-p.com
.update.microsoft.com
.wd.microsoft.com
.wdcp.microsoft.com
.wdcpalt.microsoft.com
Regex List:
https://secure.aadcdn.microsoftonline-p.com
URL List:
.ctldl.windowsupdate.com
Regex List:
http://crl.microsoft.com/pki/crl/products
http://mscrl.microsoft.com/pki/mscorp
http://www.microsoft.com/pki/certs
http://www.microsoft.com/pki/mscorp
http://www.microsoft.com/pkiops/crl
http://www.microsoft.com/pkiops/certs
http://ctldl.windowsupdate.com/*
URL List:
https://azsdiagppelocalwestus02.blob.core.windows.net
https://azsdiagppewestusfrontend.westus.cloudapp.azure.com
https://azsdiagprdwestusfrontend.westus.cloudapp.azure.com
Regex List:
URL List:
portal.3171r02a.azcatcpec.com
Regex List:
https://docs.microsoft.com/*
After configuring the custom URL categories in the previous steps, the categories list should look like this:
Cisco recommends creating a separate custom URL category for each traffic type; this makes the traffic easier to identify and helps with troubleshooting later. Refer to the Microsoft documentation for the authoritative list, and re-check it in case the URLs change.
Step 5: Create a new Decryption Policy or edit an existing decryption policy and set the action to Pass Through for the custom categories configured in Step 4.
Step 6: Create a new Access Policy or modify an existing access policy to Allow the custom categories created in Step 4.
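The following is an added example, not code from Cisco, Microsoft or this guide. It is a small offline checker that models how a custom URL category from Step 4 is evaluated against a URL and what Steps 5 and 6 then do with the flow, so the list entries can be sanity-checked before they are pushed to the appliance. Two things are assumptions rather than statements from the page: that a URL-list entry beginning with a dot (such as `.msauth.net`) matches the domain and all of its subdomains while an entry without the dot matches only that host, and that the `*` in the regex-list entries is meant as a wildcard for any run of characters. The WSA's own regex engine may read those entries differently, so treat this as a pre-check, not a substitute for testing on the appliance. The category name `AZS_CUSTOM_CATEGORY`, the sample URLs and the subset of list entries are constructed for the example.

```python
"""Offline checker for WSA-style custom URL category entries (added example).

Assumptions (not stated on the page):
  * '.example.com' in the URL list covers example.com and every subdomain;
    an entry with no leading dot covers that exact host only.
  * '*' in a regex-list entry is a wildcard.  This checker deliberately makes
    it match any characters EXCEPT '/', so a wildcard in the host position
    cannot be satisfied by text in the path or query string.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the Step 4 entries, as one category.
CATEGORY_NAME = "AZS_CUSTOM_CATEGORY"   # hypothetical name for the example
URL_LIST = [
    ".login.microsoftonline.com",
    ".management.azure.com",
    ".msauth.net",
]
REGEX_LIST = [
    "https://management.azure.com",
    "https://*.msauth.net",
    "https://login.microsoftonline.com/*",
    "https://aka.ms/*",
]


def host_matches(entry, host):
    """URL-list semantics assumed above: leading dot = domain plus subdomains."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        bare = entry[1:]
        return host == bare or host.endswith("." + bare)
    return host == entry


def glob_to_regex(entry):
    """Compile a wildcard entry into an anchored pattern.

    '*' becomes '[^/]*' (no crossing of path separators); an optional
    trailing '/...' is allowed so 'https://host' also covers 'https://host/x'.
    Hostnames are case-insensitive, so the whole match is made case-insensitive
    for this pre-check.
    """
    body = "[^/]*".join(re.escape(p) for p in entry.split("*"))
    return re.compile("^" + body + "(/.*)?$", re.IGNORECASE)


def classify(url, url_list=URL_LIST, regex_list=REGEX_LIST):
    """Return ('url_list' | 'regex_list', matching entry) or None if no match."""
    host = urlsplit(url).hostname or ""
    for entry in url_list:
        if host_matches(entry, host):
            return ("url_list", entry)
    for entry in regex_list:
        if glob_to_regex(entry).match(url):
            return ("regex_list", entry)
    return None


def policy_decision(url):
    """Model Steps 5 and 6: a URL in the category gets decryption = Pass Through
    and access = Allow; anything else falls through to the default policies,
    which this toy leaves as 'default'."""
    hit = classify(url)
    if hit is None:
        return {"category": None, "decryption": "default", "access": "default"}
    return {"category": CATEGORY_NAME, "decryption": "Pass Through",
            "access": "Allow", "matched_by": hit}


def redundant_regexes(url_list=URL_LIST, regex_list=REGEX_LIST):
    """Regex entries whose host is already covered by a URL-list entry.

    They are harmless on the appliance but add noise when troubleshooting;
    the host is extracted by substituting a literal for each wildcard."""
    redundant = []
    for entry in regex_list:
        host = urlsplit(entry.replace("*", "x")).hostname or ""
        if any(host_matches(site, host) for site in url_list):
            redundant.append(entry)
    return redundant


if __name__ == "__main__":
    # Constructed sample URLs; the third and fourth try to look like category
    # hosts without being in them and must NOT match.
    for sample in ["https://login.microsoftonline.com/common/oauth2/token",
                   "https://aka.ms/azurestackautomaticupdate",
                   "https://evil.example/?x=.msauth.net",
                   "https://aka.ms.attacker.example/"]:
        print(sample, "->", policy_decision(sample))
    print("regex entries already covered by the URL list:", redundant_regexes())
```

Because Step 5 sets these categories to Pass Through, the appliance never sees the decrypted content of these sessions and the Step 6 allow decision rests on the destination alone; this is why the entries should stay as narrow as the Microsoft list allows and why a wildcard must not be able to match across the path, as the checker enforces.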
Refer to the Cisco Secure Web Appliance Best Practice Guide for further configuration guidance.