This document describes how to configure an ISR for content-scan, so that HTTP and HTTPS requests are sent out to the ScanSafe towers and, depending on the response received, users are either allowed or denied access to the requested sites.
The ISR should be running a minimum code version of 15.2(1)T1 or later.
The feature is available in IOS universal images with the security feature set (SEC) license.
Supported platforms: 800, 1900, 2900 and 3900 series ISRs.
Platforms NOT supported: G1 18xx, 28xx and 38xx.
The maximum number of sessions that can be handled is 32K, irrespective of platform.
Step by Step:
Configure the parameter-map (required):

parameter-map type content-scan global
 server scansafe primary ipv4 188.8.131.52 port http 8080 https 8080
 server scansafe secondary ipv4 184.108.40.206 port http 8080 https 8080
 license 0 <license key>
 user-group ciscogroup username ciscouser
 source interface g0/0
The license key here is actually called an authentication key, which you obtain for your site (one per company) from ScanSafe. Depending on the geographical location of the sites, ScanSafe provides the tower IP addresses: one is the primary and the other the secondary tower. When one goes down, the other automatically takes over.
In this case, when the router proxies HTTP and HTTPS requests to the ScanSafe towers, it uses the IP address of interface g0/0 as the source of those packets.
If the router has multiple Internet-facing interfaces or route tracking enabled, either interface may be the active one. In that case it may be a good idea to source the traffic from a loopback interface or from the inside interface; if the address used is in RFC 1918 space, either this router or another device must provide translation for it.
User-group is optional. Based on the policies set up on the tower, end users' traffic is filtered and scanned for content.
Apply content-scan to the egress interface (required):

interface g0/2
 content-scan out
An ACL or a parameter-map of type regex can be used for whitelisting purposes:

parameter-map type regex allowed-pattern
 pattern cisco
 pattern aol

You can exempt traffic from this internal subnet from being sent out to the towers; these IPs can browse freely without any restrictions.

ip access-list extended inside-nw
 permit ip 192.168.10.0 0.0.0.255 any

content-scan whitelisting
 whitelist header host regex allowed-pattern
 whitelist acl inside-nw
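The following is an added Python model of the whitelist decision described above, not IOS code and not part of the original document: it reproduces the order in which the ACL and the Host-header regex exempt a request so that a candidate whitelist can be checked before it is deployed. It assumes the regex patterns are evaluated unanchored, as a substring match, which is why a pattern like "cisco" also exempts hosts that merely contain that string.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Values taken from the configuration on this page.
WHITELIST_ACL = ["192.168.10.0/24"]           # ip access-list extended inside-nw
HOST_PATTERNS = [r"cisco", r"aol"]            # parameter-map type regex allowed-pattern
TOWERS = [("188.8.131.52", 8080), ("184.108.40.206", 8080)]  # primary, secondary

# Constructed, tighter alternative: anchor each pattern to the intended domain.
ANCHORED_PATTERNS = [r"(^|\.)cisco\.com$", r"(^|\.)aol\.com$"]


def whitelist_rule(src_ip: str, host_header: str,
                   patterns: List[str] = HOST_PATTERNS) -> Optional[str]:
    """Return the rule that exempts the request from scanning, or None."""
    src = ipaddress.ip_address(src_ip)
    for net in WHITELIST_ACL:
        if src in ipaddress.ip_network(net):
            return f"acl inside-nw ({net})"
    for pat in patterns:
        # Assumption: IOS regex matching is unanchored, so 'cisco' matches anywhere.
        if re.search(pat, host_header, re.IGNORECASE):
            return f"host regex /{pat}/"
    return None


def route_request(src_ip: str, host_header: str, primary_up: bool = True,
                  patterns: List[str] = HOST_PATTERNS) -> Tuple[str, str]:
    """Decide whether a request goes direct (whitelisted) or to a ScanSafe tower."""
    rule = whitelist_rule(src_ip, host_header, patterns)
    if rule:
        return ("direct", rule)
    tower = TOWERS[0] if primary_up else TOWERS[1]   # secondary takes over on failure
    return ("scansafe", f"{tower[0]}:{tower[1]}")


def overbroad_matches(patterns: List[str], hosts: List[str]) -> List[str]:
    """List sample hosts that the unanchored patterns would exempt from scanning."""
    return [h for h in hosts if whitelist_rule("10.0.0.1", h, patterns)]


if __name__ == "__main__":
    # Constructed sample hosts to audit the page's patterns against.
    samples = ["www.cisco.com", "cisco.example.net", "www.example.com"]
    print(overbroad_matches(HOST_PATTERNS, samples))
    print(overbroad_matches(ANCHORED_PATTERNS, samples))
```

Run with the patterns from your own parameter-map to see exactly which host names bypass the towers.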