Hi Handy,

ymadheka · ‎10-12-2016

Hi Team,

We are working on a requirement of proxy wherein the customer has floated requirements which we need to comply with as mentioned here:

Blocking of single login in multiple device.

"Compatibility and Filtering for any device (on Company assets only) like Laptop computers (Windows & Mac), Apple iPhone/iPad, RIM Blackberry, Any Smartphone devices.

Real-time detection of phishing, botnets, vulnerability exploits.

Port wise website blocking/Allow.

If any Policy is modified by admin change notification should go to Manager for Approval.

Thanks & Regards,

Yogesh Madhekar

Handy Putra · ‎10-12-2016

Hi,

- Blocking of single login in multiple device.

Can you verify the above requirement further

- "Compatibility and Filtering for any device (on Company assets only) like Laptop computers (Windows & Mac), Apple iPhone/iPad, RIM Blackberry, Any Smartphone devices.

You can do this by identifying the traffic using User Agent therefore you can apply certain action or policy when the traffic from Windows & Mac), Apple iPhone/iPad, RIM Blackberry, Any Smartphone devices.

- Real-time detection of phishing, botnets, vulnerability exploits.

Those threats should be picked up by the appliance scanning engines such as WBRS, Webroot, Sophos or McAfee

- Port wise website blocking/Allow.

You can configure this from the Access Policies under the "Protocols and User Agents" and put the port under HTTP CONNECT port if you want to allow that port, if not it will automatically block (WSA only listening to 80/443 and FTP)

- If any Policy is modified by admin change notification should go to Manager for Approval.

I believe WSA does not have this option. There could be already a feature request open for this.

ymadheka · ‎10-13-2016

Hi Handy,

Thanks for the reply.

Regarding the first point the customer has stated that the intention is to have the users login with their user id in only one of the devices at any point of time. Once the users are logged in they shouldn't be able to login using the same credentials from any other devices.

It is more like a NAC feature it seems but still appreciate any inputs on this.

Thanks & Regards,

Yogesh Madhekar

Ken Stieers · ‎10-13-2016

WSA wont do this... and if you're using more than one(HA, load balanced or wccp), has no mechanism to make sure the other WSA's know who logged in from where.

ymadheka · ‎10-18-2016

Hi Ken,

That means we can't restrict the user login to one single device and prevent them same credentials to be used on their other devices. It is a very handy feature for restricting the user to a single device use with WSA.

Is there any feature or enhancement request for the same?

Thanks & Regards,

Yogesh Madhekar

Ken Stieers · ‎10-19-2016

You, being a Cisco employee, would have better visibility to that than I do...

kussriva · ‎10-20-2016

Hi Yogesh,

In the WSA if you go to Network->Authentication, you would get the option for "User Session Restrictions"(Prohibit an authenticated user from accessing the Internet from a different IP addresses). You can check the box to limit user access to multiple machines.

Thanks & Regards,

Kushagra Srivastava
Cisco PDI-TA

ymadheka · ‎10-20-2016

Hi Kushagra,

Thanks for the revert, have informed the same to the customer. Will update the discussion for any deviations for the same in customer response.

Thanks & Regards,

Yogesh Madhekar

Supported features or not