This document describes how to configure an ISR for content-scan so that HTTP and HTTPS requests are sent to the ScanSafe towers; depending on the response received, users are either allowed or denied access to the requested sites.
The ISR should be running a minimum code version of 15.2(1)T1 or above.
The feature is available in IOS (universal) images with the security feature set (SEC) license.
Supported platforms: 800, 1900, 2900 and 3900 series ISRs.
Platforms NOT supported:
G1 series 18xx, 28xx, 38xx.
The maximum number of sessions that can be handled is 32K, irrespective of platform.
Step by Step:
Configure the parameter-map (required):
parameter-map type content-scan global
 server scansafe primary ipv4 126.96.36.199 port http 8080 https 8080
 server scansafe secondary ipv4 188.8.131.52 port http 8080 https 8080
 license 0 <license key>
 user-group ciscogroup username ciscouser
 source interface g0/0
The license key here is actually an authentication key that you get for your site (one per company) from ScanSafe. Depending on the geographical location of the site, ScanSafe provides the tower IP addresses: one is the primary tower and the other is the secondary. When one goes down, the other automatically takes over.
In this case, when the router proxies HTTP and HTTPS requests to the ScanSafe towers, it uses the IP address of the g0/0 interface as the source of those packets.
If the router has multiple internet-facing interfaces or route tracking enabled, either interface may be the active one. In that case it may be a good idea to source the traffic from a loopback interface or from the inside interface; if the address used is in RFC 1918 space, either this router or another device must provide translation for it.
The user-group is optional. Based on the policies set up on the tower, end users are filtered and their content is scanned.
Apply content-scan to the egress interface (required):
interface g0/2
 content-scan out
An ACL and a parameter-map of type regex can be used for whitelisting:
parameter-map type regex allowed-pattern
 pattern cisco
 pattern aol
You can exempt traffic from this internal subnet from being sent to the towers. These IPs can browse freely without any restrictions.
ip access-list extended inside-nw
 permit ip 192.168.10.0 0.0.0.255 any
content-scan whitelisting
 whitelist header host regex allowed-pattern
 whitelist acl inside-nw
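The following is an added example, not part of the original document or of IOS: a small Python model of the whitelisting decision above, so you can check which requests would bypass the towers before committing the configuration. It assumes the IOS regex patterns are unanchored substring matches (as is usual for regex parameter-maps), which is why a bare pattern such as cisco also exempts look-alike hostnames; the sample hosts and addresses are constructed.

```python
import ipaddress
import re

# Constructed mirror of the page's configuration (this is a model, not the router's parser):
# patterns from "parameter-map type regex allowed-pattern" and the "inside-nw" ACL,
# written as (network, wildcard-mask) pairs exactly as IOS expresses them.
ALLOWED_PATTERNS = ["cisco", "aol"]
INSIDE_NW_ACL = [("192.168.10.0", "0.0.0.255")]


def acl_permits(src_ip, acl=INSIDE_NW_ACL):
    """IOS wildcard-mask match: a 0 bit in the mask means that bit must match."""
    src = int(ipaddress.IPv4Address(src_ip))
    for network, wildcard in acl:
        net = int(ipaddress.IPv4Address(network))
        wild = int(ipaddress.IPv4Address(wildcard))
        if (src & ~wild) & 0xFFFFFFFF == (net & ~wild) & 0xFFFFFFFF:
            return True
    return False


def host_whitelisted(host, patterns=ALLOWED_PATTERNS):
    """Assumption: patterns are unanchored, so 'cisco' matches anywhere in the Host header."""
    return any(re.search(p, host) for p in patterns)


def scan_decision(src_ip, host):
    """Return 'bypass' if the request is exempted from the tower, otherwise 'scan'."""
    if acl_permits(src_ip):          # whitelist acl inside-nw
        return "bypass"
    if host_whitelisted(host):       # whitelist header host regex allowed-pattern
        return "bypass"
    return "scan"                    # proxied to the ScanSafe tower


def unanchored_patterns(patterns=ALLOWED_PATTERNS):
    """Audit helper: patterns without ^ or $ exempt every host that merely contains the text."""
    return [p for p in patterns if not (p.startswith("^") or p.endswith("$"))]


if __name__ == "__main__":
    for src, host in [("192.168.10.25", "news.example.test"),
                      ("10.0.0.5", "www.cisco.com"),
                      ("10.0.0.5", "cisco.lookalike.test"),
                      ("10.0.0.5", "www.example.test")]:
        print(f"{src:15} {host:25} -> {scan_decision(src, host)}")
    print("unanchored patterns:", unanchored_patterns())
```

Tightening the patterns to anchored forms such as ^www\.cisco\.com$ is the usual remedy when the audit helper reports a bare pattern.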