Re: High Availability on Cisco WSA and Policy migration

shafhuss · ‎01-19-2019

Hi Team,

Client has requested to bring high availability between two WSA's located one in DC and one in DR. DC and DR are having complete different IP Ranges.

DC:

dcproxy.example.com

Mgmt IP: 10.1.250.96

Data1 IP: 10.1.221.58

DR:

drproxy.example.com

Mgmt IP: 10.12.250.96

Data1 IP: 10.12.221.58

Second Query is that customer is planning to change from IP based access to user/AD Authenticated based access.

So how can i import all the polices from S670 to S690 WSA without changing network settings and change the Source IP to username?

What is reference guide to configure single sign on WSA.

Note: We have two WSA and one SMA in proxy infrastructure.

balaji.bandi · ‎01-19-2019

Look at the high availability section : ( again how is the setup WSA, explicit or WCCP ) ?

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_0111.html

LDAP Authentication (look the section -

How to Create an Active Directory Aut

hentication Realm (NTLMSSP and Basic) )

https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa9-0/wsa9-2/WSA_9-2-0_UserGuide.pdf

SSO

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117934-technote-csc-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

shafhuss · ‎01-19-2019

using explicit

we have one SMA and one WSA in DC

one WSA in DR.

We will be managing both WSA from SMA.

However, we have only on WSA in each location working as standalone.

If HA can be achieved between DC and DR, happy to configure it. But we are having two different IP Ranges.

balaji.bandi · ‎01-19-2019

How is WSA configuration in the network explicit or WCCP ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

shafhuss · ‎01-19-2019

Its explicit

balaji.bandi · ‎01-19-2019

This required your inputs for the network topology how the users are connecting. how is your DR setup interms of connectivity on High level.

couple videos help you.

https://www.youtube.com/watch?v=Ltpue75zC1g

https://www.youtube.com/watch?v=duO6N9KJIPk

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

shafhuss · ‎01-21-2019

Hi Team,

Thankyou for the those video.

I was trying to integrate WSA with AD using (Kerberos, NTLMSSP or Basic Authentication). during which i was getting below error:

Failure: Error while joining WSA onto server <x.x.x.x>: Failed to join domain: failed to precreate account in ou=Computers, dc-xxx, dc=CO, dc=IN: Constraint violation:

Here the type of service account created was user not admin

Now when we changed the service account type from user to admin, xxxproxy1 account created and realm creation was successful.

Can you please confirm whether admin previleges are required to permanently or whether the same can be changed to user (since account is already created),

balaji.bandi · ‎01-21-2019

Domain joined rights required for you to get joined and also retrieve the information from AD, so user rights not good enough here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ken Stieers · ‎01-21-2019

Now when we changed the service account type from user to admin, xxxproxy1 account created and realm creation was successful.

Can you please confirm whether admin previleges are required to permanently or whether the same can be changed to user (since account is already created),

Once the WSA is joined to the domain, it uses its machine account to verify user identity, so whichever account joined it to the domain isn't used any longer.

If you use an LDAP realm for basic auth or external administrative user logins, it does NOT have to be an admin, a normal user will work.

Ken Stieers · ‎01-19-2019

The HA feature on te WSA is sort of like Router HA, the WSA takes over the other boxes 'identity" . With them in different data centers this wont work.

SInce you can get licensing to match your WSAs for VMs for free, you could stand up a VM next to each hardware WSA, and WCCP will balance and failover the traffic for you.