Cisco WSA Deploying Proxy Services

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 3th blog in the series about the proxy configuration.
There are a two proxy modes:

  • Explicit Forward Mode
  • Transparent Mode

In Explicit Forward Mode the client does have an Proxy configuration. There is no configuration needed on the network infrastructure (routers/switches). Authentication is easy and there are three methods for providing the proxy information:

  • Automatic Proxy script
  • Enter the proxy server IP address
  • Automatic detect settings using WPAD protocol

In transparent mode, there is no configuration needed on the clients. The network infrastructure redirects the traffic (WCCP). Authentication could be an issue.
Redirection options are:

  • Web Cache control protocol (WCCP, used in Cisco ASA, ASR and Catalyst switches)
  • Policy based routing
  • Layer 4 switch
  • Layer 7 switch (like a Citrix Netscaler)

WCCP is the most used redirection option for transparant proxies. For more information about WCCP and the configuration, check this link.
PAC files
PAC files are used in Explicit Forward Mode. The PAC file link is configured on the clients’ proxy settings. If you need help with creating PAC files, check this link.
You can host the PAC file on any webserver, but hosting on the WSA is possible too. Click Security Services > PAC File Hosting  and upload your PAC file. It’s recommended to host the PAC file on a seperate web server.

With the CLI command webcache you can force caching for a specific website.
IP Spoofing
When in transparant mode, the WSA can be configured to spoof the client IP address. This allowes upstream proxies to identify client authentication.
X-Forwarded-For headers
This header is used for client information detection. The WSA is default configured to suppress this header
VIA headers are used to detect proxy forwarding loops. VIA headers are default enabled and recommended in a multiple-WSA deployment.
Error Notifications 
EUN pages (Error Notifications) can be customized by CLI with the advancedproxyconfig  command. Keep in mind that the pages are  in HTML. There are default pages in a few languages: English, German, Spanish, French, Italian, Japanese etc etc (no dutch).
There are two FTP options:

  • Explicit Forward proxy
  • Transparant proxy

In explicit forward proxy mode, the proxy listens on port 8021. Proxy authentication is available.
In transparant mode, the client connects on port 21, but proxy authentication is not available.
Configuration of FTP settings, click  Security Services > FTP Proxy Settings. You can configure the Proxy listening port (default 8021) and passive/active mode port ranges.
Don’t forget to configure the FTP proxy in your FTP client if you use the Explicit Forward mode.

Leave a Reply

Your email address will not be published.