High Availability on Cisco WSA and Policy migration

01-19-2019 02:02 AM
Hi Team,
The client has requested to bring high availability between two WSAs, one located in the DC and one in the DR. The DC and DR have completely different IP ranges.
DC:
dcproxy.example.com
Mgmt IP: 10.1.250.96
Data1 IP: 10.1.221.58
DR:
drproxy.example.com
Mgmt IP: 10.12.250.96
Data1 IP: 10.12.221.58
Second query: the customer is planning to change from IP-based access to user/AD-authenticated access.
So how can I import all the policies from the S670 to the S690 WSA without changing network settings, and change the source IP to username?
What is the reference guide to configure single sign-on on the WSA?
Note: We have two WSA and one SMA in proxy infrastructure.
Labels: Web Security
01-19-2019 03:22 AM
Look at the high availability section (again, how is the WSA set up, explicit or WCCP?).
LDAP Authentication (look at the section in the user guide:
https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa9-0/wsa9-2/WSA_9-2-0_UserGuide.pdf)
SSO

01-19-2019 03:57 AM
Using explicit.
We have one SMA and one WSA in the DC,
and one WSA in the DR.
We will be managing both WSAs from the SMA.
However, we have only one WSA in each location, working as standalone.
If HA can be achieved between DC and DR, I am happy to configure it. But we have two different IP ranges.
01-19-2019 06:28 AM
How is the WSA configured in the network, explicit or WCCP?

01-19-2019 06:30 AM
It's explicit.
01-19-2019 07:11 AM
This requires your input on the network topology and how the users are connecting. How is your DR set up in terms of connectivity, at a high level?
A couple of videos will help you.

01-21-2019 01:49 AM
Hi Team,
Thank you for those videos.
I was trying to integrate the WSA with AD using Kerberos, NTLMSSP or Basic Authentication, during which I was getting the error below:
Failure: Error while joining WSA onto server <x.x.x.x>: Failed to join domain: failed to precreate account in ou=Computers, dc-xxx, dc=CO, dc=IN: Constraint violation:
Here the type of service account created was user, not admin.
Now when we changed the service account type from user to admin, the xxxproxy1 account was created and realm creation was successful.
Can you please confirm whether admin privileges are required permanently, or whether the same can be changed to user (since the account is already created)?
01-21-2019 09:09 AM
Domain join rights are required for you to get joined and also to retrieve the information from AD, so user rights are not good enough here.
01-21-2019 09:28 AM
Now when we changed the service account type from user to admin, the xxxproxy1 account was created and realm creation was successful.
Can you please confirm whether admin privileges are required permanently, or whether the same can be changed to user (since the account is already created)?
Once the WSA is joined to the domain, it uses its machine account to verify user identity, so whichever account joined it to the domain isn't used any longer.
If you use an LDAP realm for basic auth or external administrative user logins, it does NOT have to be an admin, a normal user will work.
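As an added example (not from this thread or from Cisco), the following PowerShell shows the least-privilege alternative to joining with an admin-level account: delegating to the service account only the rights needed to create a computer object in the join OU and to write the attributes and password of that object. The OU distinguished name and the account name are placeholders, the "computer" class GUID and the "Reset Password" extended-right GUID are the well-known schema constants, and the script assumes the ActiveDirectory module is available on the machine where it is run. It is consistent with the reply above that, once joined, the WSA uses its machine account rather than the account that performed the join.

```powershell
# Added example: delegate the minimum AD rights a proxy service account needs
# to precreate and maintain its own computer object in the OU the WSA joins,
# instead of giving the join account admin-level privileges.
# Assumptions: the OU DN and account name below are placeholders, and the
# WSA join creates its computer object directly in this OU.
Import-Module ActiveDirectory

$ouDn       = 'OU=Computers,DC=example,DC=com'   # placeholder: real OU the WSA joins
$svcAccount = 'svc-wsa-join'                      # placeholder: service account sAMAccountName

# Well-known schema GUIDs, identical in every AD forest.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # objectClass "computer"
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right "Reset Password"

$sid = (Get-ADUser -Identity $svcAccount).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# 1) Create computer objects in this OU only (no inheritance to sub-OUs).
$createComputers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# 2) Write attributes (dNSHostName, servicePrincipalName, ...) on computer
#    objects beneath the OU, which the join sets after precreating the object.
$writeComputers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)

# 3) Reset the machine password on those computer objects, scoped to the
#    "Reset Password" extended right rather than full control.
$resetPassword = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)

$acl.AddAccessRule($createComputers)
$acl.AddAccessRule($writeComputers)
$acl.AddAccessRule($resetPassword)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the ACEs granted to the service account on the OU, so an
# auditor can confirm nothing broader than the three rights above was added.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$svcAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Run this once as a directory administrator before the realm is created on the WSA; the join itself then runs as the delegated service account. Because the WSA authenticates with its machine account afterwards, the service account does not need to keep these rights beyond the join, and the verification query at the end is a convenient way to review what was delegated.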
01-19-2019 05:11 AM
Since you can get licensing to match your WSAs for VMs for free, you could stand up a VM next to each hardware WSA, and WCCP will balance and fail over the traffic for you.
