This document is a deployment guide for Cisco and Microsoft engineers, partners, and customers who want to run Cisco’s Secure Web Appliance (WSA) with Azure Stack Hub.
Product Description
Cisco Secure Web Appliance (WSA) is an all-in-one, highly secure on-premises and public cloud web gateway that offers broad protection, extensive controls, and investment value. It provides an array of competitive web security deployment options, each of which includes Cisco’s market-leading global threat intelligence infrastructure. WSA uses an integrated approach to help disparate security point solutions triangulate information for faster identification and to effectively mitigate and remediate threats.
Azure Stack Hub extends Azure by providing a way to run applications in an on-premises environment and deliver Azure services within the datacenter. Organizations are increasingly moving towards the public cloud. However, certain workloads remain on-premises due to business requirements, technological limitations and regulations. Azure Stack Hub provides a hybrid cloud approach to manage all applications and workloads.
Cisco Secure Web Appliance (WSA) and the Azure Stack Hub provide a comprehensive, easy-to-deploy solution that helps organizations efficiently monitor and control web traffic leaving the Azure Stack Hub. The solution enforces policies to assure protection, whether using HTTP/HTTPS, File Transfer Protocol (FTP), or Secure Sockets Layer (SSL) for data transfer over the Web.

WSA Configuration Setup:
- Run the WSA System Setup Wizard before configuring WSA policies and rules.
- Deployment options for Cisco Secure Web Appliance are explicit forward mode or transparent mode.
- Cisco recommends configuring high availability for redundancy purposes. Refer to the User Guide for further information.
- Configure Custom URL Categories for Azure Stack Hub services.
- Configure the Pass Through and Allow actions for the Custom URL Categories under the Decryption Policy and Access Policy, respectively.
Configure the Cisco Secure Web Appliance to allow traffic generated from the Azure Stack Hub:
Step 1: Deploy and install Cisco Secure Web Appliance. Refer to WSA Install Guides:
Step 2: Run the System Setup Wizard to complete the WSA initial network-level configuration and to initialise the proxy service.
- Navigate to System Administration > System Setup Wizard to start the configuration wizard.
- After completing the System Setup Wizard, verify the proxy settings under WSA UI > Security Service > Proxy Service.
Step 3: Enable HTTPS Proxy

Step 4: Configure Custom URL Categories
- Add a Custom Category named “Identity” and add the URLs and Regex listed below:
URL List:
.graph.chinacloudapi.cn
.graph.cloudapi.de
.graph.windows.net
.login.chinacloudapi.cn
.login.microsoftonline.com
.login.microsoftonline.de
.login.microsoftonline.us
.login.windows.net
.management.azure.com
.management.core.windows.net
.msauth.net
.msftauth.net
.msocdn.com
.office.com
.secure.aadcdn.microsoftonline-p.com
Regex List:
https://secure.aadcdn.microsoftonline-p.com
www.office.com
https://login.microsoftonline.us/
https://graph.windows.net/*
https://login.chinacloudapi.cn/
https://graph.chinacloudapi.cn/
https://login.microsoftonline.de/
https://graph.cloudapi.de/
https://management.azure.com
https://management.core.windows.net
https://*.msftauth.net
https://*.msauth.net
https://*.msocdn.com
- Add a Custom Category named “Marketplace Syndication” and add the URLs and Regex listed below:
URL List:
.azureedge.net
.blob.core.usgovcloudapi.net
.blob.core.windows.net
.management.azure.com
.management.usgovcloudapi.net
Regex List:
https://management.azure.com
https://management.usgovcloudapi.net/
https://*.blob.core.windows.net
https://*.azureedge.net
https://aka.ms/*
https://feedback.azure.com/*
https://windowsazure.uservoice.com/*
https://go.microsoft.com/*
https://azure.microsoft.com/*
- Add a Custom Category named “PatchUpdate” and add the URLs and Regex listed below:
URL List:
.azureedge.net
Regex List:
https://aka.ms/azurestackautomaticupdate
https://*.azureedge.net
http://go.microsoft.com/*
- Add a Custom Category named “Registration” and add the URLs and Regex listed below:
URL List:
.login.microsoftonline.com
.management.azure.com
.management.chinacloudapi.cn
.management.usgovcloudapi.net
Regex List:
https://management.azure.com
https://management.usgovcloudapi.net/
https://management.chinacloudapi.cn
https://login.microsoftonline.com/*
- Add a Custom Category named “Usage” and add the URLs and Regex listed below:
URL List:
.trafficmanager.cn
.trafficmanager.net
.usgovtrafficmanager.net
Regex List:
https://*.trafficmanager.net
https://*.usgovtrafficmanager.net
https://*.trafficmanager.cn
- Add a Custom Category named “Window Defender” and add the URLs and Regex listed below:
URL List:
.download.microsoft.com
.secure.aadcdn.microsoftonline-p.com
.update.microsoft.com
.wd.microsoft.com
.wdcp.microsoft.com
.wdcpalt.microsoft.com
Regex List:
https://secure.aadcdn.microsoftonline-p.com
- Add a Custom Category named “CRL” and add the URLs and Regex listed below:
URL List:
.ctldl.windowsupdate.com
Regex List:
http://crl.microsoft.com/pki/crl/products
http://mscrl.microsoft.com/pki/mscorp
http://www.microsoft.com/pki/certs
http://www.microsoft.com/pki/mscorp
http://www.microsoft.com/pkiops/crl
http://www.microsoft.com/pkiops/certs
http://ctldl.windowsupdate.com/*
- Add a Custom Category named “Diagnostic Log Collection” and add the URLs and Regex listed below:
URL List:
https://azsdiagppelocalwestus02.blob.core.windows.net
https://azsdiagppewestusfrontend.westus.cloudapp.azure.com
https://azsdiagprdwestusfrontend.westus.cloudapp.azure.com
Regex List:
- Add a Custom Category named “portal” and add the URLs and Regex listed below:
URL List:
portal.3171r02a.azcatcpec.com
Regex List:
https://docs.microsoft.com/*
After configuring the custom URL categories in the previous steps, the categories list should look like this:

Cisco recommends creating a separate custom URL category for each traffic type, which later helps with troubleshooting. Refer to the Microsoft documentation for reference purposes or in case the URLs change.
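Because the categories above are later exempted from decryption and allowed, an entry that matches more than intended widens that exemption. The following added example (not Cisco's or Microsoft's code) checks three of the page's Regex List entries and shows an anchored, dot-escaped rewrite of each. It assumes the entries are evaluated as unanchored regular expressions, with Python's `re` standing in for the appliance's engine; the helper names and sample URLs are constructed for illustration.

```python
import re

def matches_as_written(entry, url):
    """Unanchored regex search: '.' is any character, '*' repeats the previous one."""
    return re.search(entry, url, re.IGNORECASE) is not None

def harden(entry):
    """Rewrite a glob-style entry as an anchored regex with literal dots."""
    scheme, sep, rest = entry.partition("://")
    if not sep:                        # entry has no scheme: accept http and https
        scheme, rest = "https?", entry
    host, _, path = rest.partition("/")
    # '*.' in the host means "one or more subdomain labels".
    host_re = re.escape(host).replace(r"\*\.", r"(?:[a-z0-9-]+\.)+")
    if path in ("", "*"):              # whole site
        path_re = r"(?:[/?#].*)?"
    else:                              # path prefix; a trailing '*' is dropped
        path_re = "/" + re.escape(path.rstrip("*")) + ".*"
    return "^" + scheme + "://" + host_re + r"(?::\d+)?" + path_re + "$"

def matches_hardened(entry, url):
    """Match a URL against the anchored rewrite of the entry."""
    return re.search(harden(entry), url, re.IGNORECASE) is not None

# entry (from the page) -> (URL that should match, URL that should not).
# The sample URLs are constructed; .invalid is a reserved TLD.
SAMPLES = {
    "www.office.com": ("https://www.office.com/",
                       "https://example.invalid/?ref=www.office.com"),
    "https://*.msftauth.net": ("https://sub.msftauth.net/app.js",
                               "https://xmsftauth.net.example.invalid/"),
    "https://graph.windows.net/*": ("https://graph.windows.net/tenant/users",
                                    "https://graph.windows.net.example.invalid/"),
}

def audit():
    """Return {entry: (written_ok, written_bad, hardened_ok, hardened_bad)}."""
    return {e: (matches_as_written(e, ok), matches_as_written(e, bad),
                matches_hardened(e, ok), matches_hardened(e, bad))
            for e, (ok, bad) in SAMPLES.items()}

if __name__ == "__main__":
    for entry, result in audit().items():
        print(f"{entry:30} {result}  ->  {harden(entry)}")
```

Validate any rewritten entry against the appliance's own regular-expression rules before deploying it, since its dialect may differ from Python's.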
Step 5: Create a new Decryption Policy or edit an existing decryption policy and set the action to Pass Through for the custom categories configured in Step 4.
- Navigate to UI > Web Security Manager > Decryption Policies and click on the URL Filtering column.


Step 6: Create a new Access Policy or modify an existing access policy to Allow the custom categories created in Step 4.
- Navigate to UI > Web Security Manager > Access Policy and click on the URL Filtering column.
Refer to the Cisco Secure Web Appliance Best Practice Guide for further configuration guidance.