This Video demonstrates the ability to reply to secured messages and including attachments.   Total Runing time 2:12   00:00 - 00:22 Intro 00:23 --00:57 How to reply 00:58 --01:50 Adding an attachment 01:51 --02:12 Closing   Orginal Author: Jacob Sales ... View more

This video describes common third party errors.   Total Run time 2:00 Minutes   00:00 - 00:29 -- Intro 00:30 - 00:46 -- Normal message example 00:47 - 01:09 -- Winmail.dat error 01:10 - 01:31 -- Can not create file error 01:32 - 01:50 -- Support Contact info 01:51 --2:00 -- Closing   Original Author: Jacob Sales   Copyright Cisco System LLC ... View more

With Juan Ramos Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to configure, troubleshoot, and optimize the Cisco Web Security Appliance (WSA) with Cisco technical support expert Juan Daniel Ramos. The Web Security Appliance easily extends web security to include Anti-Virus, Web Reputation, and Blacklists to reveal hidden security threats on the Internet. Juan Ramos is a senior engineer for the Cisco Web Content Security Team in Research Triangle Park, North Carolina. He has worked as a network security expert both as a customer support engineer and as a liaison between the Cisco Technical Assistance Center and the entities responsible for creating the products used in customer networks. His recent achievements include leading training sessions for new hires and covering web content security on a 24-hour basis during the 2012 London Olympics. Remember to use the rating system to let Juan know if you have received an adequate response to your technical support question.  Juan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Security sub-community discussion forum shortly after the event.   This event lasts through December 7, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members. Uncategorized URLs Many service requests are submitted to my team for web sites that do not fall into any predefined category on the Web Security Appliance (WSA). If you need to add your web site to our database, please consider the submission page found at: https://securityhub.cisco.com/web/submited_urls Select the tab entitled 'Lookup or Submit URLs' Enter the URL or URLs in separate lines in the text box Select the radio button entitlted 'ASync OS versions 7.5 and newer, including mixed environments' Press the LOOKUP button If the site does not fall into any particular URL category, select the domain using the checkbox, and select the best category for it under the 'Choose V2 Category' pulldown menu. Hit the Submit key and this creates a request to my Web Categories team to integrate this request to our database. You can also use this page to check the status of your submission after 24 hours. NOTE: The WSA no longer supports the feature entitled 'IronPort URL Filter'; we have since transitioned to the Web Usage Controls feature. Hi Juan, What tips do you have for creating packet captures? I am interesting in knowing how to do this. Thanks a lot, - Lisa Thanks for your question Lisa, If you are logged into the WSA Graphical User Interface, in the upper right hand corner you will see the menu for Support and Help mouse over that section and there will be an option for Packet Capture You will need to select the Edit Settings button to customize the type of capture you will take. I typically select the radio button to run the capture until we reach the 200 MB max file size. I select the M1 interface and [if applicable] the P1/P2 interfaces for capture. T1/T2 interfaces are only selected when I want to troubleshoot Cisco Layer 4 Traffic Monitor issues. I then select the Custom Filter option and define my capture settings. If you are familiar with tcpdump on UNIX then you will feel comfortable with the parameters needed to isolate traffic. I usually set up capture filters in this format host EnterClientIP or host EnterDestinationIP or udp port 53 Here is an example of a real capture filter: ------------------------------------------ host 10.1.1.1 or host 192.168.2.1 or host 172.16.4.4 or udp port 53 ------------------------------------------ In  the above filter, I am isolating any traffic to or from three IP  addresses and include any UDP traffic on port 53 (typically reserved for  DNS). Submit and commit changes before starting the capture. The capture is saved in .pcap format and is easily read with free programs such as WireShark (www.wireshark.org). Packet captures help me all the time to isolate issues between the client-proxy and proxy-Internet sockets.  With this information, I can then determine the source of customer symptoms such as Gateway Timeouts HTML Redirects failing Partially loading web pages DNS failures on the proxy I  always run a simulatenous capture with Wireshark running on the client  machine I am testing from to add more depth to my network  troubleshooting. Thanks, Juan Hello Juan, I am trying to copy an XML file from one appliance to another properly, and I can't find the proper way to do it? can you describe how to do this? Thanks, Jorge Hi Jorge When I first imported an IronPort export, I created 2 identical IronPorts, name and IP included.  So the 2nd time I ran the export, I opened it up in a txt editor, and changed any information specific to the proxy.  E.g. server name, IP address.  Hope that helps until Juan can help. Cheers Patrick Thanks for your question Jorge, My first thought would be how the configuration was backed up. If you save the configuration with the standard settings, it will save a configuration with the passwords masked which makes it unable to transfer to a replacement appliance. Instead, I prefer to navigate to: GUI -> System Administration ->   Configuration File ->    Download file to local computer to view or save Be sure to unmask passwords by unselecting the checkbox to make sure the saved file can be imported without error. If you mask passwords, it will replace the password and certificate sections with ***** and the import will fail with this message ------------------------------------------ Error     —     Configuration File was not loaded. File did not contain passwords. ------------------------------------------ The filename will look something like S660-Serial-Number-Date-Time.xml when complete ===========VERSIONS MUST MATCH=============================== Like Patrick noted earlier, the XML file is really plain text so you can open and read the file contents. In my sample file, the contents include this section ------------------------------------------   Product: IronPort S660 Web Security Appliance   Model Number: S660   Version: 6.3.3-015 ------------------------------------------ The version of the backup file must match the version of the appliance you are importing this file to. In this example, if my first WSA is running 6.3.3-015, the second WSA must also run 6.3.3-015. Otherwise, some key configuration elmements may be lost and/or an error may occur. =====HARDWARE DIFFERENCES MAY REQUIRE SOME TWEAKING===== The Sx50 and Sx60 appliances were made with an additional port called M2 which was not used. The M2 interface is still referenced in the port_interface and ethernet_interface sections of the file. With this in mind, the Sx70 appliances [which do not have this interface] will produce import errors. One can simply remove the XML sections pertaining to the M2 interface (in those two sections) and the file should import without error. =====HARDWARE REPLACEMENT vs. COPY CONFIG===== If you are replacing one WSA for another or cloning the configuration to another network, the file should import without any modifications. If you are, however, adding another WSA to your existing network and want to copy the configuration then there are some tweaks needed. Step 1 - import the file and it should state that the import was successful Step 2 - DO NOT COMMIT THE CHANGES - Step 3 - Navigate to the Network --> Interfaces page and change the Layer 3 information and Fully Qualified Domain Name Step 4 - Navigate to the Network --> Transparent Redirection page and confirm that no adjustments are necessary Step 5 - Navigate to the Network --> Routes page and confirm that no adjustments are necessary Step 6 - Navigate to the Network --> Authentication page and change the Redirect Hostname Step 7 - Navigate to the Network --> DNS page and confirm that no adjustments are necessary Step 8 - Navigate to the Security Services --> HTTPS Proxy page and confirm that no adjustments are necessary for the certificate section Step 9 - Check the rest of the configuration to confirm all is well Step 10 - Commit Changes Step 11 - Save the file as this will be your new master configuration for this appliance =====WORST CASE SCENARIO===== There are rare cases when the configuration file errors with a message similar to: ------------------------------------------ Parse Error on element "euq_db_total_size" line number 1111 column 26 with value "153600": ISQ database size must be an integer from 0 to 143360 MB. ------------------------------------------ Errors like this may occur on customized configurations where the saved value exceeds the acceptable range defined by the import engine. If you open the file and navigate to line number 1111, you can try saving a copy of the configuration file with that line of configuration removed at your own risk. If the WSA does not find an entry in the configuration file you are importing, it will retain the previous (or default) setting for that configuration. =====FINAL THOUGHTS===== TAC engineers typically do not troubleshoot configuration files for customers because there are so many variables that can lead to a corrupt file. The M-Series appliances are specifically designed to push configuration changes to multiple WSA proxies so we trust these devices a lot more to make sure it is done right. I hope this helps, Juan Thanks for your prompt response, Juan. I appreciate it.  I wonder how I can optimize the proxy performance. Do you have any tips or documentation for this? - Lisa No worries Lisa, Every deployment is different so I can only offer some things to consider. Not every tip here will apply to your configuration. ---------From the GUI------------------ Network --> DNS consider adding another DNS server address like 8.8.8.8 (GOOGLE) as a priority 2.  If you have any sites that fail to resolve using your local DNS servers, the GOOGLE server may resolve the site's new IP address and proceed with the connection.  This typically helps for sites that frequently change their IP addresses like those that are Akamai load-balanced. Network --> Authentication   --> Edit Global Settings    --> confirm redirect hostname is not a Fully Qualified domain name This is an often overlooked setting as the authentication redirection HTTP 401 or 407 response will include a link similar to http://ironport-hostname/BD00001blah/www.cisco.com It is imperative to your performance that the redirect hostname is just the hostname of the interface handling authentication and that your clients can resolve this hostname. ---------From the command line------------------ rangerequestdownload this command will enable support for client browsers that request a web resource like a video or file in sections (ex. first 900 bytes, then another 900 bytes, etc.).  Specifically, the HTML GET request will include a header called Ranges: and will specify ranges such as 0-900 The WSA produces a warning for this command because the scanning engine expects to scan a file in its entirety before confirming that it is clean.  If the file is split into different requests, there is the rare potential that a threat can be let through. Consider this if you believe your Host based anti-virus is up to date and ready to block any infected attachments. etherconfig --> media   confirm that the interfaces are set to <1000baseTX full-duplex>.  The M1 and P1/P2 interfaces are set to Autoselect by default but if the output shows FastEthernet or half-duplex, then we need to inspect the switchport or network cable. I believe autonegotiation is a requirement for using 1000BASE-T to use all four twisted wire pairs. etherconfig --> mtu   consider lowering the MTU size under the default 1500 bytes (possibly between 1460-1480).  If you have transparent redirection enabled with WCCP, there is some additional overhead added to create frames that are about 1514 bytes.  In my experience, there are some non-Cisco network devices that have trouble with these jumbo frames due to the Do Not Fragment bit set.  End-users experience latency and the interfaces may records discarded frames. advancedproxyconfig --> MISCELLANEOUS   --> look for the option "Would you like proxy to perform dynamic adjustment of TCP receive window size?"    and set the option to N In some rare cases, the WSA-Internet socket has a much faster data rate than the client-WSA socket.  This can sometimes lead to poor performance due to TCP retransmissions and lost frames inside the packet capture.  This setting change will shift the responsibility of managing the TCP sliding window to the client thereby forcing a more stable connection. ---------Baseline Now...Baseline Often------------------ As your network grows and users shift from text based web browsing to video, you will need to test data rates across each LAN segment or functional organization within your company. These baseline packet captures and speed tests can help you forecast networking budgets needs in the future to keep your end-users happy. I really do not recommend speed test web sites because they use non-standard methods like opening up 20 requests for the same non-object. Instead, please consider these file download links: http://tools.cisco.com/squish/3BC54 - downloads a 32 MB QuickTime installer file and http://tools.cisco.com/squish/F77B4 - downloads a 266 MB Microsoft installer file I use the QuickTime most often since both Microsoft and Apple have good bandwidth and if your network is slow then these files will definitely show it. The WSA does introduce a negligible delay, but typically the root cause of latency is seen from the addition or configuration change of a network device within the topology. Thanks, Juan System administration --> Log Subscriptions   --> accesslogs under the Custom Fields section add %u to include the user agent string from now on.  It will come in handy when you see GET requests to odd sites NOT coming from the end-user from their web browser.  Applications such as Adobe Acrobat Updater, Trend Micro Antivirus, Java, and Microsoft Network Connectivity Status Indicator (NCSI) will make web requests but do not know how to authenticate and fail. The user agent string will help identify these issues. Hello Juan, I am tryng to troubleshoot a TCP packet issue. I would like to see the TCP handshake messages in the WSA, but I can't.  Why doesn't my WSA packet capture show the full TCP handshake and other client sourced packets? Thank you. - John Thanks for your question John, I assume that your packet capture has a filter applied and that your deployment is Transparent (most likely via WCCP on an ASA firewall). If this is the case, then your packet capture would only show SYN+ACK instead of the full three-way handshake. This is per design because the traffic sourcing from the client is technically not coming from the M1/P1/P2 interfaces. When you have WCCP transparent redirection, the proxy creates a Service ID which must also be configured on the ASA firewall (for example) for WCCP. My best analogy would be like walkie-talkies needing to be on the same frequency/channel to communicate with your peer. With this in mind, a secure tunnel is created between the two and traffic coming out of the tunnel is encrypted. This encryption prevents the proxy from including this in a filtered capture because a tunnel interface is created and it is not selectable in the Packet Capture page. ---------Workaround--------- If you are able to capture within a few seconds to reproduce this issue, you may wish to consider applying NO FILTER to the capture and saving/running it. This will include the tunnel interface which will then show the full TCP handshake. The only problem this creates is that you will then have to filter the capture to isolate the traffic created just by your test machine and saving the trimmed capture in a new file.  With Wireshark, you can find instructional videos online or the Wireshark user guide to best filter traffic. Hope this helps, Juan This document was generated from the following discussion: Ask the Expert: Best Practices for Configuring the Cisco Web Security Appliance (WSA) ... View more

This video explains the process of replacing a Cisco Email Security appliance that is part of a centralized management cluster.   Original Authors: Donny Lee (APAC) Jerry Orona (SB-US) ... View more

Hi Valter, This is a test thread that demonstrates how a user can open a ticket from the forums. ... View more

Description:How to manage and configure a web filtering policy   Run time:10:16   00:00--01:39 Overview, description 01:40--02:06 Examples, filter creation 02:07--02:43 Catigories 02:44--02:55 Filter Creation detailed. 02:55--05:39 Domains/URLS 05:40--06:06 Content types. 06:07--06:24 File types 06:25--07:10 Exceptions 07:11--08:24 Rule creation 08:25--09:00 Groups 09:01--09:18 Scheduling 09:19--10:04 Applying 10:05--10:16 Closing ... View more

Description: Cisco Cloud Web Security Portal Overview.   Run time: 9:17   00:00--02:14 Overview 02:15--04:21 Overview specifics and common settings. 04:22--08:08 Overview of interface and basic use. 08:09--09:09 Working with accounts. 09:10--09:17 Closing ... View more

Description: How to configure passive identity managment (PIM)   Run time:8:20   00:00--01:57 Overview and Prerequisites 01:58--02:55 Overview of PIM Configuration continued. 02:56--07:34 Example demo of configuring PIM 07:35--08:14 Testing the configuration. 08:15--09:20 Closing ... View more

Description: Cloud Web Security, How to configure a PAC (Proxy Auto Configuration) File.   Run time:14:55   00:00--01:10 Overview, what is a PAC file;What is JavaScript and using script editors. 01:11--03:36 Overview of important JavaScript concepts and Conventions. 03:37--08:18 JavaScript Functions used in a PAC file. 08:19--08:37 Overview of the "IF" statement. 08:38--14:39 Detailed description of PAC file internals. 14:40--14:55 Closing ... View more

Description: Cisco Cloud Web Security, How to find the NetBIOS domain name.   Run time: 2:34   00:00-01:00 Overview , Explanation of NetBIOS domain names 01:00--01:17 Description of Method 1 to determine NetBIOS domain name. 01:18--01:32 Description of Method 2 to determine NetBIOS domain name. 01:33--02:05 Example of Method 1 02:06--02:30 Example of Method 2 02:31--02:34 Closing ... View more

Description: Cisco Cloud Web Security, How to host a PAC file in the cloud.     Run time:7:52   00:00--01:51 Overview and Description. 01:52--04:13 Overview, configuration examples 04:14--06:10 Testing, configuration and examples of loading PAC file. 06:11--07:44 Testing uploaded PAC file. 07:45-07:52 Closing ... View more