
IOS: Scansafe Step by Step Configuration


Goal:

To be able to configure an ISR for content-scan so HTTP and HTTPS requests will be sent out to the scansafe towers and depending on the response received, users will either be allowed or denied loading the sites.

Documentation:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps6538/ps6540/data_sheet_c78-655324.html

Prerequisite:

The ISR should be running IOS 15.2(1)T1 or later.

Available in IOS (universal) images with security feature set (SEC) license.

Platform Supported:

800, 1900, 2900 and 3900 series ISRs

Platforms NOT Supported:

G1 ISRs: 18xx, 28xx, 38xx

Limitation:

The maximum number of sessions that can be handled is 32K, irrespective of platform.

Step by Step:

Configure the parameter-map (required):

parameter-map type content-scan global
  server scansafe primary ipv4 80.254.146.211 port http 8080 https 8080
  server scansafe secondary ipv4 80.254.145.147 port http 8080 https 8080   
  license 0 <license key>
  user-group ciscogroup username ciscouser 
  source interface g0/0

The license key here is actually called an authentication key; you get one per company for your site from ScanSafe. Depending on the geographical location of the sites, ScanSafe provides the tower IP addresses: one is the primary and the other is the secondary tower. When one goes down, the other automatically takes over.

In this configuration, when the router proxies HTTP and HTTPS requests to the ScanSafe towers, it uses the IP address of interface g0/0 as the source of those packets.

If the router has multiple internet-facing interfaces or route tracking enabled, either interface may be the active one. In that case it may be a good idea to source the traffic from a loopback interface or from the inside interface; if the address used is in RFC 1918 space, either this router or another device must provide translation for it.

User-group is optional. Based on the policies set up on the tower, end users will be filtered and their content scanned.

Apply content-scan to the egress interface (required): 

interface g0/2
 content-scan out

Whitelisting (optional):

An ACL or a parameter-map of type regex can be used for whitelisting:

parameter-map type regex allowed-pattern
 pattern cisco
 pattern aol

You can exempt traffic from this internal subnet from being sent out to the towers; these IPs can browse freely without any restrictions.

ip access-list extended inside-nw
 permit ip 192.168.10.0 0.0.0.255 any

content-scan whitelisting
 whitelist notify-tower
 whitelist header host regex allowed-pattern
 whitelist acl inside-nw

Show commands:

Verify the scansafe towers:

kusankar-881#sh content sum
Primary: 70.39.231.19 (Up)*
Secondary: 80.254.156.99 (Up)
Interfaces:

The "*" next to the IP address shows that 70.39.231.19 is the primary tower in use and 80.254.156.99 is the secondary tower.

Quick Statistics:

kusankar-881#sh content-scan statistics           
Current HTTP sessions: 28
Current HTTPS sessions: 1
Total HTTP sessions: 51540
Total HTTPS sessions: 358
White-listed sessions: 12150
Time of last reset: never
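As an added example (not part of the original document), the following Python check parses the two show outputs above, modelled on the format shown, and produces findings for the failure modes that come up in this thread: no tower Up (the symptom reported in the comments), a tower down with no failover left, no tower marked active with "*", and session counts approaching the 32K limit noted under Limitation. The sample outputs are constructed.

```python
import re

# Constructed sample output, modelled on the "sh content sum" and
# "sh content-scan statistics" output shown above (values are made up).
SUMMARY_OK = "Primary: 70.39.231.19 (Up)*\nSecondary: 80.254.156.99 (Up)\nInterfaces:\n"
SUMMARY_DOWN = "Primary: 80.254.146.211 (Down)\nSecondary: 80.254.145.147 (Down)\n"
STATS = ("Current HTTP sessions: 28\nCurrent HTTPS sessions: 1\n"
         "Total HTTP sessions: 51540\nTotal HTTPS sessions: 358\n"
         "White-listed sessions: 12150\nTime of last reset: never\n")
MAX_SESSIONS = 32000  # platform-independent session limit (32K) stated above

TOWER_RE = re.compile(r"^(Primary|Secondary):\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\((Up|Down)\)(\*?)$")
STAT_RE = re.compile(r"^(.+?):\s+(\d+)$")


def parse_summary(text):
    """Map tower role -> {ip, up, active}; '*' marks the tower in use."""
    towers = {}
    for line in text.splitlines():
        m = TOWER_RE.match(line.strip())
        if m:
            role, ip, state, star = m.groups()
            towers[role] = {"ip": ip, "up": state == "Up", "active": star == "*"}
    return towers


def parse_statistics(text):
    """Map counter name -> int; non-numeric lines (e.g. last reset) are skipped."""
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def health_findings(summary_text, stats_text, warn_pct=80):
    """Return a list of findings; an empty list means the deployment looks healthy."""
    findings = []
    towers = parse_summary(summary_text)
    down = [f"{r} {t['ip']}" for r, t in towers.items() if not t["up"]]
    if not towers or len(down) == len(towers):
        # Both towers Down (as seen in the comments) points at the license key,
        # the tower IPs or a source interface that cannot reach the internet.
        findings.append("CRITICAL: no tower reachable; check license key, tower IPs, source interface")
    elif down:
        findings.append("WARNING: no failover left, tower down: " + ", ".join(down))
    elif not any(t["active"] for t in towers.values()):
        findings.append("WARNING: towers Up but none marked active (*)")
    current = sum(v for k, v in parse_statistics(stats_text).items() if k.startswith("Current"))
    if current * 100 >= MAX_SESSIONS * warn_pct:
        findings.append(f"WARNING: {current} active sessions, near the 32K limit")
    return findings
```

Feed it the text of the two show commands (for example collected over SSH) and alert on any non-empty result.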

Checking active connections:

kusankar-881#sh content-scan session active 
Protocol      Source        Destination     Bytes             Time
HTTP 172.16.1.4:2361 205.188.60.65:80 (6649:1565) 00:00:47
    URI: b.aol.com

    Username/usergroup(s): / 
HTTP 172.16.1.4:2377 72.14.204.120:80 (436:346) 00:00:11
    URI: ssl.gstatic.com

    Username/usergroup(s): / 
HTTP 172.16.1.4:2378 74.125.113.106:80 (1389:355) 00:00:11
    URI: www.google.com

    Username/usergroup(s): / 
HTTP 172.16.1.4:2379 74.125.113.106:80 (1393:355) 00:00:11
    URI: www.google.com

Debugs:

debug content-scan events
debug content-scan packet path
debug content-scan errors
debug l4f packet all


Comments
Community Member

Hi

Cisco Employee

Marco,

CWS proxies will accept HTTP and HTTPS traffic that is requested via the following TCP ports:

  • HTTP traffic is only allowed on ports 80, 81, 70, 84, 210, 280, 488, 591, 777, and 1025-65535
  • HTTPS traffic is only allowed on ports 443, 444, 563, 4005, and 8443

Any traffic requested on any other ports will be rejected.

That said you could use an ACL for whitelisting and include these ports in that ACL with a specific source and/or destination and that traffic will be whitelisted and not be sent to the towers for inspection.

-Kureli

Hi

How do I activate a license renewal?


When I apply the command sh content-scan summary, it shows me:

Primary: 80.254.146.211 (Down)
Secondary: 80.254.145.147 (Down)

How do I select the right tower IP addresses?


Thank you 

Regards 

Cisco Employee

Helios,

Did you reach out to your local Cisco account team? Did they provision your ISR G2 for CWS? Did they provide you with tower IP addresses? Is your source interface a valid "up up" interface that can reach the internet to poll the towers to make sure they are up? Does the license key on the scan center portal side match with what you configured on the CLI of the ISR?

Pls. watch my recent webcast on this topic here:

https://supportforums.cisco.com/video/12263471/integrating-cisco-cloud-security-isr-video-live-webcast


-Kureli

Cisco Employee

You mean HTTP traffic riding on some other port besides 80 and 443? Yes, configure that on the optional whitelist ACL.

https://supportforums.cisco.com/comment/9858526#Whitelisting_optional:


-Kureli

Kureli, Thank you very much for your answer, now I have opened a case with Cisco TAC, the problem is in the permissions to the towers.

Helios

Cisco Employee

Great and that has to do with the license key.  This has to match both on the portal side and on the router side.  Glad to hear it is resolved.

-Kureli

Beginner

Kureli, this is a fantastic solution and one which I want to utilize across our 200 or so sites. With the age of tablets and smartphones, all capable of utilizing an office's bandwidth, how do I authenticate those, given I don't expect them to be on our domains? So, in other words, ANYONE in an office, be it a local user, visitor or mobile device, I want to use this solution no matter if they can authenticate or not, across any browser. Is this possible?

Cisco Employee

NOTE: Transparent NTLM authentication works mainly on Windows. Users must be logged into the same domain as that configured on the ISR-G2. Transparent NTLM Authentication may not work for smart devices (Android-based phones, iPhones, iPads, and so on).

iOS & Safari do support NTLM authentication, but they do not support Transparent NTLM Authentication. However, if a user enters the username & password for the first time on an iPad, it will cache that user/password information and use it for any subsequent requests. The user is not prompted for authentication unless the user manually clears the browser cache. After the first authentication, the user experience will be similar to NTLM Transparent authentication. This was tested with an Apple iPad 2 running iOS 5.1.1 using the Safari browser.

Read the FAQ here: https://supportforums.cisco.com/document/12110031/cisco-cloud-web-security-cws-isr-g2-faq#How_do_we_bypass_user_authenticationexceptions_NTLMBasicWebauth

Watch my webcast here: https://supportforums.cisco.com/video/12263471/integrating-cisco-cloud-security-isr-video-live-webcast

-Kureli

Beginner

Hi Poonguzhail,

Can we do the inverse in the whitelist ACL, i.e. specify only the traffic to be allowed to the towers?

Especially when we have a long list of sources to be exempted.

Thanks

Cisco Employee

Ramalingam,

In the whitelist ACL add denies and then do a permit any any.  This will deny the flows that do need to go to the towers and exempt everything else.

Use the ACL to your advantage.

-Kureli

Community Member

Hi,

My customer has just subscribed to the Microsoft 365 suite and Microsoft recommends bypassing the proxy.

Question: Is there any recommended configuration from Cisco that can be adapted to easily bypass the towers for this Microsoft suite?

I know that the parameter-map type regex does not work with HTTPS and I have to use a normal ACL to bypass this traffic.

thanks

Marco