
Cisco ISR Web Security with Cisco ScanSafe Solution Guide

Published: September 23, 2011 Revised: March 09, 2012

This document contains the following information:

Overview, page 2
Understanding How Cisco ISR Web Security with Cisco ScanSafe Works, page 4
Supported Architectures, page 7
Configuring Cisco ISR Web Security with Cisco ScanSafe, page 8
Related CLI Commands, page 18
Logging, page 19
Sample ISR Configuration, page 20
Additional Documentation, page 23
Contacting Support, page 24

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Overview
The Cisco Integrated Services Router G2 (ISR G2) Family delivers numerous security services, including firewall, intrusion prevention, and VPN. These security capabilities have been extended with Cisco ISR Web Security with Cisco ScanSafe for a web security and web filtering solution that requires no additional hardware or client software. Cisco ISR Web Security with Cisco ScanSafe enables branch offices to intelligently redirect web traffic to the cloud to enforce granular security and acceptable use policies over user web traffic. With this solution, you can deploy market-leading web security quickly and easily to protect branch office users from web-based threats, such as viruses, while saving bandwidth, money, and resources. You might want to use Cisco ISR Web Security with Cisco ScanSafe to:

Enforce granular security and acceptable use policy for branch office users without using on-premise hardware or backhauling all branch office traffic to headquarters.
Provide zero-day threat protection driven by Outbreak Intelligence, which uses dynamic reputation- and behavior-based analysis.

Cisco ISR Web Security with Cisco ScanSafe is a solution that works with the following Cisco products:

Cisco ISR G2 family of products
Cisco ScanSafe

After Cisco ISR Web Security with Cisco ScanSafe is configured, you can use the ScanSafe administration portal, ScanCenter, to create, edit, and manage the ScanSafe account and all policies.

Benefits of Using Cisco ISR Web Security with Cisco ScanSafe


This section describes many of the benefits of using Cisco ISR Web Security with Cisco ScanSafe:

Lower total cost of ownership. Cisco ISR Web Security with Cisco ScanSafe helps you avoid costs associated with deployment and maintenance of on-premise software and hardware.
Leading security and peace of mind. Real-time cloud-based scanning blocks malware and inappropriate content before it reaches the network.
Scalability and availability. Global network processes high volumes of web content at high speeds, everywhere, for a true global solution that is always available.
Integration with other Cisco security products. Cisco ISR Web Security with Cisco ScanSafe integrates with Cisco AnyConnect to offer a web security solution for users both on and off the network.
Consistent, unified policy. Acceptable Use Policy (AUP) can be applied to all users regardless of location, simplifying management.
Predictable operational expenses. Clients can plan capacity and budget.
Centralized management and reporting with Cisco ScanCenter. Cisco ScanCenter is a web-based interface that integrates all management and reporting capabilities. Global web security policy can be created and enforced across the organization, even down to the group or user level, and any changes to policy are applied in real time. ScanCenter includes real-time reporting.

Licensing
The Cisco ISR Web Security with Cisco ScanSafe feature is available in the Security SEC K9 license bundle. For more information about the Security SEC K9 license bundle and how to configure it, go to:
http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985_ps10537_Products_White_Paper.html

Supported Platforms
Table 1 lists the platforms that support Cisco ISR Web Security with Cisco ScanSafe.
Table 1 Platform Support

Product                                          Supported Platforms
Cisco 800 Series Routers                         Cisco 819, 860VAE, 880VA, 881, 881W, 887V, 888E, 888EA, 888, 888W, 891, 891W, 892, 892F, 892FW, 892W
Cisco 1900 Series Integrated Services Routers    Cisco 1905, 1921, 1941 and 1941W
Cisco 2900 Series Integrated Services Routers    Cisco 2901, 2911, 2921 and 2951
Cisco 3900 Series Integrated Services Routers    Cisco 3925, 3925E, 3945, 3945E

Understanding How Cisco ISR Web Security with Cisco ScanSafe Works
When Cisco ISR Web Security with Cisco ScanSafe is enabled and the ISR is configured to redirect web traffic to ScanSafe, the ISR transparently redirects HTTP and HTTPS traffic to the ScanSafe proxy servers based on the source or destination IP address and port. The ScanSafe proxy servers scan the content and either allow or block the traffic based on configured policies to enforce acceptable use and protect clients from malware. The ISR authenticates and identifies users making web requests using the currently configured authentication and authorization methods. It encrypts the user credentials (including user names and user groups) and includes them in the traffic it redirects to ScanSafe. ScanSafe uses the user credentials to determine which policies to apply to which users and for user-based reporting. You can configure the ISR so that some web traffic goes directly to the originally requested web server and is not scanned by ScanSafe. For more information, see Bypassing Scanning, page 5. You can configure a primary and a backup ScanSafe proxy server. The ISR polls each of them regularly to check for availability. You can change this polling interval using the CLI.

Communication between Clients, the ISR, and ScanSafe


A client is any device that connects to an ISR, either directly or indirectly. When a client sends an HTTP or HTTPS request, the ISR receives it, authenticates the user, and retrieves the group name from the authentication server. It maintains an IP address to user name mapping for future reference. After identifying the user, the ISR determines whether to send the HTTP/HTTPS client request to ScanSafe by checking the Cisco IOS Firewall Port to Application Mapping (PAM) and the whitelist database.

Note

For information about PAM, see the Configuring Port to Application Mapping chapter in Cisco IOS Security Configuration Guide: Securing the Data Plane. For more information about the whitelist database, see Bypassing Scanning, page 5.

When the ISR sends a client request to ScanSafe, it acts as an intermediary between the client and ScanSafe by creating a separate connection with the ScanSafe proxy server. When it communicates with ScanSafe, it changes the source and destination IP addresses and the source and destination ports in the client request, adds ScanSafe-specific HTTP headers, and then sends the modified request to ScanSafe. The ScanSafe HTTP headers include various kinds of information, including the user name and user group. For more information about the headers, see ScanSafe Headers, page 5. When ScanSafe receives an HTTP/HTTPS request from an ISR, it uses the information and user credentials in the ScanSafe HTTP headers to apply the appropriate policies to the user. After applying the configured policies, ScanSafe either blocks or allows the client request:

Allows. When ScanSafe allows the client request, it contacts the originally requested server and retrieves the data. It forwards the server response to the ISR, which then forwards it to the client. The ISR changes the source and destination IP addresses and ports in the response as appropriate.
Blocks. When ScanSafe blocks the client request, it sends an HTTP 302 Moved Temporarily response that redirects the client application to a web page hosted by ScanSafe that notifies the user that access has been blocked. The ISR forwards the 302 response to the client while changing the source and destination IP addresses and ports.

Note

Administrators can customize the block page using ScanCenter.

You can choose how the ISR handles web traffic when it cannot reach either the primary or backup ScanSafe proxy server. It can block or allow all web traffic. By default, it blocks web traffic.

ScanSafe Headers
When the ISR forwards web traffic to the ScanSafe proxy servers, it includes additional HTTP headers in each HTTP and HTTPS request. ScanSafe uses these headers to obtain information about the customer deployment, including information about the user who originally made the client request as well as information about the ISR that sent the request. For security purposes, the information in the headers is encrypted and then hexadecimal encoded. The headers are encrypted using both asymmetric and symmetric encryption, using the DESede and RSA/ECB/PKCS1Padding algorithms. The ISR adds the following ScanSafe HTTP headers:

X-ScanSafe. This contains a session key that is encrypted using a ScanSafe license (authentication key generated in ScanCenter) and a ScanSafe public key (embedded in the ISR operating system).
X-ScanSafe-Data. This contains the data ScanSafe needs. It is encrypted with the session key from the X-ScanSafe header.

For example, the headers in a message might look like the following text:
X-ScanSafe: 35A9C7655CF259C175259A9B980A8DFBF5AC934720BE9374D344F7E584780ECDB9236FF90DF562A79DC4C754C3782E7C3D38C76566F0377D5689E25BD62FC5F
X-ScanSafe-Data: 8D57AEE5D76432ACAB184AA807D94A7392986FA0D3ED9BEB

Bypassing Scanning
You can configure the ISR so that some approved web traffic is not redirected to ScanSafe for scanning. When you bypass ScanSafe scanning, the ISR retrieves the content directly from the originally requested web server without contacting ScanSafe. When it receives the response from the web server, it sends the data to the client. This is also called whitelisting traffic. You can bypass scanning based on the following client web traffic properties:

IP address. You can bypass scanning for web traffic matching a numbered or named access control list (ACL) configured in the global parameter-map on the ISR. You might want to do this for traffic to trusted sites, such as intranet servers.
HTTP header fields. You can bypass scanning for web traffic matching an HTTP header field configured in a global parameter-map on the ISR. You can match Host and User-Agent header fields. You might want to do this for particular user agents that do not function properly when scanned. Or, you might not want to scan traffic intended for trusted hosts, such as third-party partners.

Bypass scanning for traffic by creating a whitelist database using the content-scan whitelisting command and whitelist subcommand. For more information, see Bypassing Scanning on the ISR, page 12.

Working with Multiple ISRs


Typically, a branch office uses one ISR to route network traffic to headquarters and to redirect web traffic to ScanSafe for web security scanning. However, your organization might have multiple branch offices with an ISR in each office. Each ISR may or may not force users to authenticate before granting network access. When the ISR enforces authentication, it includes user group information about the user making the web request from an authentication server. When the ISR does not enforce authentication, it sends no user group information from an authentication server. Instead, you can configure a default user group name for all web traffic using the user-group subcommand when you configure the web security feature on the ISR. Each ISR must be configured with a license (authentication key in ScanCenter). ScanCenter supports company and group authentication keys. When you have multiple ISRs and branches, you can choose the type of ScanSafe authentication key you create and use when you configure each ISR. This depends on whether or not the ISR enforces authentication:

No authentication on ISR. ScanSafe applies the same web policies to all traffic originating from a single ISR. If you want to apply different web policies for traffic from different ISRs, generate a group key in ScanCenter for each ISR and configure a different group key as the license in each ISR configuration. If you want to apply the same web policies for traffic from all ISRs, generate a company key in ScanCenter and configure it as the license in each ISR configuration. A company key is a key used by your entire organization.
Authentication on ISR. When the ISR enforces authentication, it sends user group information from an authentication server in the redirected web traffic. ScanSafe enables you to apply different web policies for different user groups. Generate a company key in ScanCenter and configure it as the license in each ISR configuration. You can choose to apply the same or different ScanSafe policies to different user groups.

For more information on generating ScanSafe authentication keys, see Creating a ScanSafe Authentication Key, page 16.

Supported Architectures
The following figure shows the topology diagram for Cisco ISR Web Security with Cisco ScanSafe.

Configuring Cisco ISR Web Security with Cisco ScanSafe


To use Cisco ISR Web Security with Cisco ScanSafe, you must configure the following products:

Cisco ISR G2 router, using Cisco IOS Release 15.2MT or later. For more information, see Configuring Cisco ISR G2, page 8. For a list of supported platforms, see Supported Platforms, page 3.
Cisco ScanSafe. For more information, see Configuring Cisco ScanSafe, page 15.

Note

In Cisco IOS 15.2(1)T1, Cisco ISR Web Security with Cisco ScanSafe does not support NTLM user authentication (passive or explicit), Web Auth Proxy, or HTTP Basic authentication.

Configuring Cisco ISR G2


Before you can enable Web Security on the ISR, you must create a company or group key in ScanCenter. For more information on how to do this, see Configuring Cisco ScanSafe, page 15. To enable Web Security on the ISR, you must complete the following steps:
1. Enable content scanning on the egress interface. For more information, see Enabling Content Scanning on the ISR, page 8.
2. Configure the parameters for the Web Security feature on the ISR. For more information, see Configuring Web Security Features, page 9.
3. Optionally, you can bypass scanning for some web traffic. For more information, see Bypassing Scanning on the ISR, page 12.
4. Optionally, you can configure a default user group assigned to all clients when the ISR cannot determine user credentials. For more information, see Configuring a Default User Group, page 12.
5. Optionally, you can configure authentication on the ISR if you want to apply different web security policies to different user groups. For more information, see Configuring Authentication, page 13.
6. Optionally, you can configure the ISR to prompt users to accept an acceptable use policy agreement before browsing the web. For more information, see Enforcing Acceptable Use Policy Agreement, page 15.

Enabling Content Scanning on the ISR


Enable content scanning on the egress interface of the ISR. The content scanning process is the IOS process that redirects client web traffic to Cisco ScanSafe Cloud Web Security. Do this by adding the following configuration under the interface CLI command:
content-scan out

For example, you might use the following configuration for an egress interface:

interface GigabitEthernet0/0
 ip address 128.107.150.75 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 ip virtual-reassembly out
 content-scan out
 duplex auto
 speed auto

Note

If you enable content scanning on an interface with Cisco Wide Area Application Services (WAAS) or Multiprotocol Label Switching (MPLS), verify that Cisco ISR Web Security does not apply to the same network traffic as either WAAS or MPLS.

Configuring Web Security Features


Configure the parameters for the Web Security feature on the ISR using the following CLI command:
parameter-map type content-scan global

You can use the following subcommands to configure different parameters:

[no] server scansafe { primary | secondary } { ipv4 <ip-address> | name <name> } port http <port-no> https <port-no>
    Configures the server name or IP address of the primary and secondary ScanSafe proxy servers, as well as the ports to use for redirecting HTTP and HTTPS requests. By default, ScanSafe uses port 8080 for both HTTP and HTTPS traffic, but you can choose to use different ports for each request type.

[no] timeout {server | session inactivity} <5-43200>
    Configures the amount of time the ISR waits before polling the ScanSafe proxy server to check its availability. The default timeout is 300 seconds. The ISR checks the primary server first and, if it fails, uses the secondary server as the active ScanSafe proxy server. The ISR automatically falls back to the primary server once it has been successfully active for three consecutive timeout periods.

[no] server scansafe on-failure {allow-all | block-all}
    Determines how to handle client traffic when the ISR cannot reach either configured ScanSafe proxy server. You can block or allow all client web traffic. The default is block.

[no] license {0 | 7} <16 byte Hex key>
    Configures the license key that the ISR sends to the ScanSafe proxy servers to indicate which organization the request comes from. The license is a 16 byte hexadecimal key. Use one of the following values for the prefix:
    0. This value indicates the license is unencrypted.
    7. This value indicates the license is encrypted.
    The license key you specify here comes from ScanCenter. In ScanCenter, you can create either a company or group key. For more information on how to do this, see Configuring Cisco ScanSafe, page 15.

[no] source {ipv4 <ip-address> | interface <interface>}
    Configures the interface or IP address the ISR uses to originate all packets it sends to the ScanSafe proxy servers. Any IP address configured here should match one that is associated with the egress interface on which content-scan is configured. For more information, see Enabling Content Scanning on the ISR, page 8.

[no] user-group { <groupname> [username <username>] | include <name> | exclude <name> }
    This subcommand is optional. You can use it to manage the authentication user and group information the ISR sends to ScanSafe in the HTTP headers for redirected client requests.
    Groupname. You can enter a default group name that applies to all users when authentication provides no specific group name for a client request. The group name is case sensitive. The ISR prepends the group name with LDAP:// in the HTTP header when it redirects web traffic to ScanSafe. Any group name entered here must match a configured group name in ScanCenter. Optionally, you can also configure a default user name that applies to all users when authentication provides no specific user name for a client request. The user name is case sensitive.
    Note: This group name takes precedence over any default user group configured using the user-group default IOS CLI command.
    Include and exclude. By default, the ISR lists all authentication user groups to which a user belongs when it redirects a client request to ScanSafe. However, you can use the include and exclude options to filter which user groups the ISR sends to ScanSafe. Use the exclude option to send all authentication user groups except the ones specified, and use the include option to list the only authentication user groups that are sent.

[no] logging
    Enables IOS syslogs for this feature.

For example, you might use the following configuration:

parameter-map type content-scan global
 server scansafe primary ipv4 72.37.244.147 port http 8080 https 8080
 server scansafe secondary ipv4 80.254.145.147 port http 8080 https 8080
 license 0 F12A588FE5A0A4AE86C10D222FC658F3
 source interface GigabitEthernet0/0
 timeout server 30
 user-group ciscogroup username ciscouser
 logging
 server scansafe on-failure block-all

Bypassing Scanning on the ISR


You can configure the ISR so that some approved web traffic is not redirected to ScanSafe for scanning. For more information, see Bypassing Scanning, page 5. Bypass scanning for traffic using the content-scan whitelisting command (a global command) and the whitelist subcommand. Use the following syntax for the whitelist subcommand:

content-scan whitelisting
 [no] whitelist { notify-tower | acl <aclno or name> | header {user-agent | host} regex <pmap> }

The whitelist subcommand takes the following options:

notify-tower
    Specifies whether the ScanSafe servers need to be notified regarding the whitelisting. Applicable to all whitelisting variants except IP based whitelisting.

acl <aclno or name>
    Matches traffic against the specified access control list. The IP addresses used for matching the access control list are the pre-NAT IP addresses.

header {user-agent | host} regex <pmap>
    Specifies the HTTP header attribute to whitelist on when it matches the regular expression configured in the named parameter-map.

For example, you might use the following configuration:

parameter-map type regex site_param
 pattern google
 pattern cisco
parameter-map type regex browser_param
 pattern Chrome
content-scan whitelisting
 whitelist header user-agent regex browser_param
 whitelist header host regex site_param

For more information about the parameter-map type regex CLI command, see the Cisco IOS Security Command Reference. See Additional Documentation, page 23.
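As an added example (not Cisco code and not part of this guide), the following Python script parses a constructed ISR configuration in the shape of the parameter-map and whitelist examples above, audits the content-scan global parameter-map for a fail-open on-failure setting, a missing secondary server, a type 0 license and disabled logging, and models the Host and User-Agent whitelist decisions. It assumes IOS subcommands are indented one space under their parent command and that parameter-map type regex patterns are unanchored, case-sensitive regular-expression searches; the audit rules and sample requests are constructed.

```python
"""Audit an IOS content-scan configuration and model its whitelist decisions.

Hypothetical helper for this guide's configuration examples, not Cisco code.
Assumptions: IOS subcommands are indented one space under their parent command,
and 'parameter-map type regex' patterns are unanchored, case-sensitive regex
searches against the header value.
"""
import re

# Constructed sample modelled on this guide's examples, with the on-failure,
# secondary-server and logging settings deliberately weakened for the audit.
WEAK_CONFIG = """\
parameter-map type content-scan global
 server scansafe primary ipv4 72.37.244.147 port http 8080 https 8080
 license 0 F12A588FE5A0A4AE86C10D222FC658F3
 source interface GigabitEthernet0/0
 timeout server 30
 user-group ciscogroup username ciscouser
 server scansafe on-failure allow-all
parameter-map type regex site_param
 pattern google
 pattern cisco
parameter-map type regex browser_param
 pattern Chrome
content-scan whitelisting
 whitelist header user-agent regex browser_param
 whitelist header host regex site_param
"""

# The guide's own parameter-map example, transcribed with indentation.
GUIDE_CONFIG = """\
parameter-map type content-scan global
 server scansafe primary ipv4 72.37.244.147 port http 8080 https 8080
 server scansafe secondary ipv4 80.254.145.147 port http 8080 https 8080
 license 0 F12A588FE5A0A4AE86C10D222FC658F3
 source interface GigabitEthernet0/0
 timeout server 30
 user-group ciscogroup username ciscouser
 logging
 server scansafe on-failure block-all
"""


def parse_blocks(config):
    """Group IOS config lines into (command, [subcommands]) pairs by indentation."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_content_scan(config):
    """Return findings for the 'parameter-map type content-scan global' block."""
    findings = []
    for cmd, subs in parse_blocks(config):
        if cmd != "parameter-map type content-scan global":
            continue
        roles = {s.split()[2] for s in subs
                 if s.startswith("server scansafe") and "on-failure" not in s}
        if "secondary" not in roles:
            findings.append("no secondary ScanSafe server configured")
        if "server scansafe on-failure allow-all" in subs:
            findings.append("on-failure allow-all: web traffic is unscanned when "
                            "both proxies are unreachable (fail open)")
        if any(s.startswith("license 0 ") for s in subs):
            findings.append("license type 0: authentication key is stored in "
                            "clear text in the configuration")
        if "logging" not in subs:
            findings.append("logging not enabled: no syslog for this feature")
    return findings


def load_whitelist(config):
    """Return [(header, [compiled regexes])] from regex maps and whitelist lines."""
    regex_maps, rules = {}, []
    for cmd, subs in parse_blocks(config):
        if cmd.startswith("parameter-map type regex "):
            regex_maps[cmd.split()[-1]] = [
                s.split(None, 1)[1] for s in subs if s.startswith("pattern ")]
        elif cmd == "content-scan whitelisting":
            for s in subs:
                m = re.match(r"whitelist header (user-agent|host) regex (\S+)$", s)
                if m:
                    rules.append(m.groups())
    return [(hdr, [re.compile(p) for p in regex_maps.get(pmap, [])])
            for hdr, pmap in rules]


def bypasses_scanning(rules, headers):
    """True if a Host or User-Agent whitelist rule matches; header keys are lowercase."""
    return any(p.search(headers.get(hdr, "")) for hdr, patterns in rules
               for p in patterns)


if __name__ == "__main__":
    for finding in audit_content_scan(WEAK_CONFIG):
        print("FINDING:", finding)
    rules = load_whitelist(WEAK_CONFIG)
    # 'pattern cisco' is an unanchored search, so any host name containing
    # 'cisco' bypasses scanning, not only Cisco's own domains.
    for host in ("www.cisco.com", "cisco.example.net", "www.example.com"):
        print(host, "->", "bypass" if bypasses_scanning(
            rules, {"host": host, "user-agent": "Mozilla/5.0 Firefox/10"}) else "scan")
```

The host loop shows why whitelist regex patterns should be as specific as the trusted site allows: a substring pattern whitelists every host name that contains it.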

Configuring a Default User Group


You can configure a default user group to assign to each client when the ISR cannot determine the credentials for a user. Define a default user group using the following CLI command:
[no] user-group default <name>

The ISR uses the default user group name configured here to identify all clients connected to a specific interface on the ISR when it cannot determine the user's credentials. You might want to define a default user group so that all traffic redirected to the ScanSafe proxy servers is assigned a user group and particular ScanSafe policies can be applied appropriately. For example, you might want to create a default user group for guest users on the wireless network. Only one user group can be defined per interface.

Note

Any user group configured using the user-group subcommand in the parameter-map type content-scan global command takes precedence over any default user group configured using the user-group default IOS CLI command.

Configuring Authentication

This section provides an overview of the IOS CLI commands to run to configure authentication on the ISR if you want it to pass user group information to the ScanSafe proxy servers. This section does not give a detailed explanation of each command. For more information about these CLI commands, see the Cisco IOS Security Command Reference. See Additional Documentation, page 23.

When using NTLM authentication, you can choose between two modes, active or passive. Passive mode is indicated by the keyword passive in the ip admission CLI command, and active mode by the absence of the keyword passive. NTLM active causes the ISR to collect both the username and password from the client during the handshake process and verify both against the Active Directory domain controller. When NTLM passive is used, the ISR assumes that the password it receives (either transparently or explicitly) is correct, which reduces the number of transactions between the ISR and the domain controller. Note that in NTLM passive mode, if a user supplies a valid username, the password is assumed to be correct and the user is granted the level of authentication assigned to that username.

To configure authentication on the ISR:

Step 1 Use the aaa new-model CLI command to enable the authentication commands used in this section.

Note

When you enable aaa new-model, you cannot disable it.

Step 2 Define an LDAP server using the ldap server CLI command.

Step 3 Define one or more LDAP groups using the aaa group server ldap CLI command.

Step 4 Define the authentication, authorization, and accounting (AAA) services on the ISR using the aaa authentication login, aaa authorization, and aaa accounting CLI commands.

Step 5 Define the IP admission parameters using the ip admission CLI command:

a. Define a virtual proxy URL IP address using the virtual-ip subcommand. You can specify any IP address that does not correspond to an existing machine, such as 1.1.1.1. This enables clients to be redirected to a virtual proxy for authenticating users using either the NTLM or HTTP-Basic authentication methods. Optionally, you can also define a virtual proxy hostname using the virtual-host subcommand. Typically, the virtual proxy hostname is a single word non-qualified domain name, such as webproxy. For example, you might use the following command:
ip admission virtual-ip 1.1.1.1 virtual-host webproxy

b. Define one or more authentication methods to use to authenticate users using the ntlm or http-basic keywords.
ntlm. When you use the NTLM authentication method, the ISR tries to retrieve user credentials transparently from the client application without prompting end users. If the client application cannot send user credentials transparently, then it prompts users to enter their user name and password. For more information, see Transparently Authenticating Users with NTLM, page 14.
http-basic. Client applications always prompt users to enter their credentials.

c. Define the order of authentication methods to use to authenticate users using the order subcommand.

d. Define which AAA method lists to use for assigning authentication, authorization, and accounting using the method-list subcommand. The method lists you specify in this step should come from the services defined in Step 4.

Step 6 Apply the IP admission rule from Step 5 to the internal interface using the interface CLI command and ip admission subcommand.

Step 7 Enable the HTTP server on the ISR using the ip http server CLI command. This allows clients to communicate with the ISR using HTTP when passing authentication credentials. This is necessary for the NTLM and HTTP-Basic authentication methods.

Note

You can pass authentication credentials using HTTPS instead of HTTP by using the ip http secure-server CLI command instead. However, when you do that, some clients might encounter SSL errors because the ISR uses a test server certificate. To avoid these SSL errors, replace the certificate on the ISR with a certificate signed by a certificate authority that the clients trust.

Transparently Authenticating Users with NTLM


When the ISR uses NTLM to authenticate users, it tries to retrieve user credentials transparently from the client application without prompting end users. If the client application cannot send user credentials transparently, then it prompts users to enter their user name and password. When the ISR performs NTLM authentication, it redirects the client browser from the originally requested URL to the virtual proxy URL configured on the ISR (either by address or hostname, whichever is configured). Once the browser redirects users to the virtual proxy URL, they are prompted for authentication credentials. When they are successfully authenticated, they are redirected back to the originally requested URL. Users can be transparently authenticated using NTLM when they access the web from some web browsers on a Windows operating system. For example, they can be transparently authenticated from Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome on Windows, but they will be prompted for authentication credentials from Internet Explorer on MacOS and Apple Safari and Opera on any operating system. However, to ensure users are transparently authenticated using Internet Explorer, Firefox, and Chrome on Windows, you must complete the following steps:
Step 1 Define a virtual proxy URL on the ISR using the ip admission command, either by IP address (virtual-ip subcommand) or hostname (virtual-host subcommand). For example, to define both an IP address and a hostname for the virtual proxy URL, use the following command:
ip admission virtual-ip 1.1.1.1 virtual-host webproxy

Note

You can specify any single word hostname as the virtual proxy hostname, and you can specify any IP address that does not correspond to an existing machine as the virtual proxy IP address.

Step 2 Configure the third-party software to ensure it transparently authenticates users using the virtual proxy URL.

Internet Explorer and Chrome. Perform either of the following steps:
If a virtual proxy hostname is defined, you can create a DNS A record resolving the virtual proxy hostname specified in Step 1 (webproxy) to the virtual proxy IP address specified in Step 1 (1.1.1.1). This method works because Internet Explorer and Chrome consider a single word hostname to be a local intranet server.
Or, add the virtual proxy URL to the Internet Explorer Local Intranet Zone. If only the virtual proxy IP address is defined, then add its IP address (for example, http://1.1.1.1) to the Local Intranet Zone. If the virtual proxy hostname is defined, then add its hostname (for example, http://webproxy) to the Local Intranet Zone. For more information on adding a URL to the Internet Explorer Local Intranet Zone, see your Internet Explorer documentation.

Firefox. Edit the Mozilla Firefox preference that determines which sites are allowed to automatically authenticate using NTLM and add the virtual proxy URL configured in Step 1. Typically, this is the network.automatic-ntlm-auth.trusted-uris configuration setting. For more information on editing the Firefox configuration, see your Firefox documentation, or search online.

Enforcing Acceptable Use Policy Agreement


Optionally, you can configure the ISR so that users accessing the web must click to agree to an acceptable use policy before browsing the web. You might want to do this to warn users that their web traffic is being scanned by Cisco ScanSafe. Acceptable use policy agreement enforcement works whether or not the ISR authenticates users. However, the only authentication type it works with is web form based authentication (not NTLM or HTTP Basic, for example). To require users to agree to the acceptable use policy agreement, use the Consent feature in IOS. For more details on the Consent feature, see the Authentication Proxy Configuration Guide.

Configuring Cisco ScanSafe


Configure ScanSafe using its web administration portal, ScanCenter. To configure Cisco ScanSafe to work with the ISR, you must complete the following steps:

1. Create a ScanSafe authentication key. For more information, see Creating a ScanSafe Authentication Key, page 16.

2. Define ScanSafe user groups. For more information, see Defining ScanSafe User Groups, page 16.

3. Create ScanSafe web policies. For more information, see Creating ScanSafe Policies, page 17.

4. Configure the Malware Service options in ScanCenter. For more information, see the Malware Service chapter in the ScanCenter Administrator Guide.

5. View reports in ScanCenter as desired. For more information, see the Reporting chapter in the ScanCenter Administrator Guide.

Creating a ScanSafe Authentication Key


In ScanCenter, navigate to the Admin page and create either a company or group authentication key. The type of key you create depends on your network environment. For more information on the type of key to create, see Working with Multiple ISRs, page 6. Figure 1 shows where you can create and edit a company key on the Admin page in ScanCenter.
Figure 1 Creating a Company Key in ScanCenter

For more information on how to create keys in ScanCenter, see the Authentication section in the Administration chapter in the ScanCenter Administrator Guide.

Defining ScanSafe User Groups


If the ISR enforces authentication and you want to create different web policies for each user group, or if you configured a different group key for different ISRs, you need to define user groups in ScanCenter. You can define the following types of groups:

Directory. Directory groups can be Windows Active Directory groups or LDAP groups.

Custom. Custom groups enable you to create a group containing any users, regardless of their Active Directory or LDAP group.

In ScanCenter, create user groups on the Admin page. For more information, see the User Management section in the Administration chapter in the ScanCenter Administrator Guide.


Creating ScanSafe Policies


ScanCenter's Web Filtering Service enables you to create different web policies to enforce acceptable use policies for web traffic. To create a policy, you must first configure the web filters and schedules that apply to policies. Web filters are used to control content passing into the network. Schedules are used to determine when policy rules are applied. Configure web filters, schedules, and policies on the Web Filtering page in ScanCenter. For more information on configuring these objects, see the Web Filtering Service chapter in the ScanCenter Administrator Guide.


Related CLI Commands


IOS includes other CLI commands you can use to manage and troubleshoot the content scanning process on the ISR.

Command and description:

show content-scan session active
    Displays all active content scanning process sessions.

show content-scan session history <1-512>
    Displays the history of content scanning process sessions, up to 512 terminated sessions.

show content-scan statistics
    Displays content scanning process statistics.

show content-scan summary
    Displays generic ScanSafe-related details, such as active/standby ScanSafe information. The * signifies which server is the chosen active server.

debug content-scan {function-trace | event | packet | error}
    Enables the debug messages that display content scanning process function traces, events, packet flow, and errors.

clear content-scan statistics
    Clears content scanning process statistics.

For more information about these CLI commands, see the Cisco IOS Security Command Reference. See Additional Documentation, page 23.


Logging
The syslogs in IOS include messages that relate to the content scanning process. The following syslog messages are included:

%CONT_SCAN-6-START_SESSION
    Indicates that a flow has been created by the content scanning process. This syslog message is rate-limited.

%CONT_SCAN-6-STOP_SESSION
    Indicates that a flow has been removed by the content scanning process. This syslog message is rate-limited.

%CONT_SCAN-3-CONNECTIVITY
    Indicates that the primary or secondary ScanSafe proxy server is up or down. When the server is already up, the "is up" message only appears after a configured timeout value, which by default is 300 seconds.

%CONT_SCAN-3-UNREACHABLE
    Indicates that both the primary and secondary ScanSafe proxy servers are down and therefore the content scanning process has been disabled.

%CONT_SCAN-3-TOWER-CHANGE
    Indicates that a new ScanSafe proxy server has been selected as the primary.

%CONT_SCAN-6-WHITE_LIST
    Indicates that a flow has not been scanned by ScanSafe because the original client request matched the configured whitelist. It includes the reason the client request matched the whitelist. This syslog message is rate-limited.
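An added example (not Cisco's code) that triages these messages from a constructed syslog sample: it keys on the mnemonics in the table above and raises an alert when a proxy is reported down, a failover happens, or scanning is disabled. It assumes the text after the mnemonic is free-form and reads up/down from it; the sample lines are constructed, not captured from a router.

```python
# Added example (not Cisco's code): triage the %CONT_SCAN syslog messages
# listed above. Assumptions not stated in the guide: the text after the
# mnemonic is free-form, so CONNECTIVITY up/down is read from the words
# "up"/"down" in it; all sample lines below are constructed, not captured.
import re
from collections import Counter

# Standard IOS layout: %FACILITY-SEVERITY-MNEMONIC: text
MNEMONIC = re.compile(r"%CONT_SCAN-(\d)-([A-Z_-]+):\s*(.*)$")

# Messages that mean the scanning path is degraded (from the table above).
ALERT_RULES = {
    "UNREACHABLE": "both ScanSafe proxies down; content scanning disabled",
    "TOWER-CHANGE": "new ScanSafe proxy selected as primary (failover)",
}

def parse(line):
    """Return (severity, mnemonic, text) or None for non-CONT_SCAN lines."""
    m = MNEMONIC.search(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def triage(lines):
    """Count every CONT_SCAN message; return (counts, [(mnemonic, reason)]).
    Session/whitelist messages are rate-limited on the router, so counts are indicative."""
    counts, alerts = Counter(), []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        _sev, name, text = parsed
        counts[name] += 1
        if name == "CONNECTIVITY":
            if re.search(r"\bdown\b", text, re.IGNORECASE):   # assumption
                alerts.append((name, "ScanSafe proxy reported down: " + text))
        elif name in ALERT_RULES:
            alerts.append((name, ALERT_RULES[name]))
    return counts, alerts

# Constructed sample log (message bodies are placeholders, not real IOS text).
SAMPLE_LOG = [
    "*Mar  9 10:00:01.001: %CONT_SCAN-6-START_SESSION: session created for 10.20.0.5",
    "*Mar  9 10:00:02.002: %CONT_SCAN-6-WHITE_LIST: not scanned, host matched whitelist",
    "*Mar  9 10:00:03.003: %CONT_SCAN-3-CONNECTIVITY: primary proxy1.scansafe.net is down",
    "*Mar  9 10:00:04.004: %CONT_SCAN-3-TOWER-CHANGE: secondary selected as primary",
    "*Mar  9 10:00:05.005: %CONT_SCAN-3-CONNECTIVITY: secondary proxy is down",
    "*Mar  9 10:00:06.006: %CONT_SCAN-3-UNREACHABLE: all proxies down, scanning disabled",
    "*Mar  9 10:00:07.007: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  9 10:05:07.008: %CONT_SCAN-3-CONNECTIVITY: primary proxy1.scansafe.net is up",
]
```

With `server scansafe on-failure block-all` configured, an UNREACHABLE alert means branch users lose web access until a proxy returns, so it deserves paging rather than a daily report.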


Sample ISR Configuration


This section includes sample ISR IOS configurations.

Example 1
This configuration uses NTLM authentication and causes the ISR to query for the Active Directory sAMAccountName instead of the Common Name (CN) for the IOS username attribute.
aaa new-model
!
!
aaa group server ldap scansafe-ldap-group
 server scansafe-ldap-server
!
!
aaa authentication login ss-aaa group scansafe-ldap-group
aaa authorization network ss-aaa group scansafe-ldap-group
aaa accounting network ss-aaa none
!
!
ip admission virtual-ip 1.1.1.1 virtual-host webproxy
ip admission name ssauth ntlm
ip admission name ssauth order ntlm
ip admission name ssauth method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa
!
!
parameter-map type content-scan global
 server scansafe primary name proxy1.scansafe.net port http 8080 https 8080
 license 0 00000000000000000000000000000000
 source interface GigabitEthernet0/1
 timeout server 30
 user-group ciscogroup username ciscouser
 server scansafe on-failure block-all
!
!
interface GigabitEthernet0/0
 ip address 10.20.0.1 255.255.0.0
 duplex auto
 speed auto
 ip admission ssauth
!
!
interface GigabitEthernet0/1
 ip address dhcp
 ip virtual-reassembly in
 ip virtual-reassembly out
 content-scan out
 duplex auto
 speed auto
!
!
ip http server
!
!
ldap attribute-map ldap-username-map
 map type sAMAccountName username
!
!
ldap server scansafe-ldap-server
 ipv4 10.0.1.250
 transport port 3268
 attribute map ldap-username-map
 bind authenticate root-dn cn=scansafe,cn=users,dc=test,dc=localdomain password 7 11180E00071D02
 base-dn cn=users,dc=test,dc=localdomain
 search-filter user-object-type top
 authentication bind-first

Example 2
Content scanning:

(config)#parameter-map type content-scan global
(config-profile)#server scansafe primary ipv4 <primary_proxy_IP_address> port http 8080 https 8080
(config-profile)#server scansafe secondary ipv4 <secondary_proxy_IP_address> port http 8080 https 8080
(config-profile)#license 0 <license_key>
(config-profile)#source interface G0/0
(config-profile)#timeout session-inactivity 60
(config-profile)#user-group <default_group_name> username <default_user_name>
(config-profile)#server scansafe on-failure block-all
(config-profile)#exit

Whitelisting variable:

(config)#parameter-map type regex <pattern_name>
(config-profile)#pattern <white_listed_host>
(config-profile)#content-scan whitelisting
(config-profile)#whitelist header host regex <pattern_name>
(config-profile)#exit

Outbound interface:

(config)#int G0/0
(config-if)#content-scan out
(config-if)#exit

AAA setup:

(config)#aaa new-model
(config)#aaa group server ldap <LDAP_group_name>
(config-ldap-sg)#server <LDAP_server_name>
(config-ldap-sg)#exit
(config)#ldap server <LDAP_server_name>
(config-ldap-server)#ipv4 <IP_address_of_ADServer>
(config-ldap-server)#transport port 3268
(config-ldap-server)#bind authenticate root-dn CN=<ldap_access_username>,CN=Users,DC=mydomain,DC=com password <ldap_access_password>
(config-ldap-server)#base-dn CN=Users,DC=mydomain,DC=com
(config-ldap-server)#search-filter user-object-type top
(config-ldap-server)#authentication bind-first
(config-ldap-server)#exit

Configure the onboard AAA:

(config)#aaa authentication login ss-aaa group <LDAP_group_name_defined_above>
(config)#aaa authorization network ss-aaa group <LDAP_group_name_defined_above>
(config)#aaa accounting network ss-aaa none
(config)#ip admission virtual-ip 1.1.1.1

Then, for basic authentication:

(config)#ip admission name <ip_admission_name> http-basic inactivity-time 2
(config)#ip admission name <ip_admission_name> order http-basic
(config)#ip admission name <ip_admission_name> method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa

Or, for NTLM passive:

(config)#ip admission name <ip_admission_name> ntlm passive inactivity-time 2
(config)#ip admission name <ip_admission_name> order ntlm
(config)#ip admission name <ip_admission_name> method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa

Or, for NTLM active:

(config)#ip admission name <ip_admission_name> ntlm inactivity-time 60
(config)#ip admission name <ip_admission_name> order ntlm
(config)#ip admission name <ip_admission_name> method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa

Apply the IP admission rule to the internal interface:

(config)#int G0/1
(config-if)#ip admission <one_of_the_ip_admission_names_defined_above>
(config-if)#exit
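An added example, not from the guide: a Python check for the Host-header whitelist patterns given to `pattern <white_listed_host>` in the Whitelisting fragment of Example 2. It assumes (the guide does not say) that the router applies the regex as an unanchored search over the Host header, and uses Python's `re` in place of the IOS regex engine; the hostnames are constructed.

```python
# Added example (not Cisco's code): lint the Host-header whitelist patterns
# before committing `whitelist header host regex <pattern_name>`.
# Assumption not stated in the guide: the regex is applied as a search
# anywhere in the Host header, so an unanchored pattern also matches hosts
# that merely contain it. Python `re` stands in for the IOS engine here.
import re

def hosts_bypassing_scan(patterns, hosts):
    """Return the Host header values a whitelist would let through unscanned.

    patterns: regexes as given to `pattern <white_listed_host>`
    hosts:    Host header values seen in client requests (constructed)"""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [h for h in hosts if any(c.search(h) for c in compiled)]

def lint_patterns(patterns):
    """Flag whitelist patterns that are unanchored or use '.' as a wildcard."""
    findings = []
    for p in patterns:
        if not p.startswith("^") or not p.endswith("$"):
            findings.append((p, "unanchored: matches as a substring of any host"))
        if re.search(r"(?<!\\)\.", p):
            findings.append((p, "unescaped '.': matches any single character"))
    return findings

# Constructed sample data: a weak pattern, its anchored/escaped fix, and
# Host header values that show the difference.
WEAK_PATTERNS = [r"intranet.example.com"]
FIXED_PATTERNS = [r"^intranet\.example\.com$"]
HOSTS = [
    "intranet.example.com",                    # the intended whitelist entry
    "intranet.example.com.attacker.invalid",   # longer name containing it
    "intranetXexampleYcom",                    # '.' matched as any character
    "www.example.com",                         # unrelated host, never matches
]
```

Only the first host should bypass scanning; the weak pattern also passes the second and third, which the lint reports before the change reaches the router.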


Additional Documentation
This document is intended to serve as an overview of the entire Cisco ISR Web Security with Cisco ScanSafe solution. It does not include detailed steps on configuring each product component, nor does it list all potential interactions with other features of each component. For detailed information on how to install, configure, and upgrade each component in the solution, see the release notes and user guides for each product. Cisco ScanSafe Cloud Web Security documentation home page:
http://www.cisco.com/en/US/products/ps11720/tsd_products_support_series_home.html

Click the link for Configuration Guides, and then click the link for the ScanCenter Administrator Guide. Cisco IOS 15.2M&T documentation home page:
http://www.cisco.com/en/US/products/ps11746/tsd_products_support_series_home.html

Security Configuration Guide: Zone-Based Policy Firewall Cisco IOS Release 15.2M&T, which contains information on the Cisco ISR Web Security with Cisco ScanSafe feature in the ISR:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-data-zbf-15-2mt-book.html

A complete list of the Securing the Data Plane configuration guides, including the Zone-Based Policy Firewall document:
http://www.cisco.com/en/US/docs/ios-xml/ios/security/config_library/15-2mt/secdata-15-2mtlibrary.html

A complete list of the Cisco IOS Security Command Reference documents listed under the Security and VPN section:
http://www.cisco.com/en/US/products/ps11746/prod_command_reference_list.html


Contacting Support
Because the Cisco ISR Web Security with Cisco ScanSafe feature covers multiple Cisco products, you might need to contact a different support group for help resolving issues related to Cisco ISR Web Security with Cisco ScanSafe. Each product is supported by a different product support team which is located in either Cisco TAC (Technical Assistance Center) or Cisco ScanSafe Customer Support. Both Cisco TAC and Cisco ScanSafe Customer Support have communication measures in place to work with each other to resolve Cisco ISR Web Security with Cisco ScanSafe related issues. However, when you encounter a Cisco ISR Web Security with Cisco ScanSafe issue, apply your best judgment to identify where the problem might exist and contact the appropriate support team when possible. This can help decrease the time required to resolve the issue.

For problems related to the Cisco ISR, open a case with Cisco TAC at the following location:
http://tools.cisco.com/ServiceRequestTool/create/launch.do

For problems related to ScanCenter, open a case with Cisco ScanSafe Customer support. Contact information can be found in ScanCenter under Support > Resources > Contact.

This document is to be used in conjunction with the documents listed in the Additional Documentation section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved. Printed in the USA on recycled paper containing 10% postconsumer waste.
