Sunday, July 31, 2016

How to Not Suck at Web Filtering: Cisco's Web Security Appliance Part (1)

So I'll start off by saying that configuring the WSA isn't too terribly hard. What seems to be tricky is getting all the components working together in a way that provides a seamless experience for users, while providing accurate reporting and filtering. In this two-parter, I'm going to attempt to get us from a base environment (Active Directory Domain, (1) DC, (1) Client PC, and an ASA Firewall) all the way to having the following requirements met: 

  • HTTP Filtering
  • HTTPS Filtering/Decrypting
  • Transparent Proxy 
  • AD Integration
  • Single Sign-on

Again, none of this is too difficult; there are just a lot of moving pieces. Sadly, many of those pieces are on the Systems side. So buckle up! In this first part, we're going to kick out all the server-side stuff that makes web filtering as transparent and effective as possible. I know, I know "But JJoooooonnnnnnnn, this is a networking blog!! I don't like doing systems work!!"

I don't like it any more than you. That said, it's important to know all these things so you can accurately make demands of your Server team! Also, if you want a working lab or POC, you'll have to do this stuff anyway. That said, I'm not a fan of text-only guides for Windows. They just don't translate well, AND I loathe taking a million screenshots. So, I'll outline the general tasks below and then link to my YouTube video for this first part.

  1. Windows Server 2008 (or newer) Domain Controller
  2. Windows 7 (or newer) client, joined to the domain
  3. Cisco ASA or IOS Router with WCCP support
  4. Cisco Web Security Appliance (using WSAv w/45 day demo license for this post)

  • Active Directory Certificate Services (Enterprise Root)
    • Web Enrollment supported
  • Root CA certificate for WSA (or any cert with Subject Type=CA)
  • Server Certificate for WSA
  • URL to WSA in Windows' "Trusted Sites"
    • Trusted Sites set to "Automatic Logon with Current Username and Password"
    • Can be done with GP, login script, or manually.
  • WSA joined to AD domain
  • Identification Policies for AD Users
    • And whatever access policies based on users/groups.
  • WCCP configured on router/firewall to redirect http/https traffic to WSA.
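The two Trusted Sites items above (put the WSA's URL in the zone, then set that zone to "Automatic Logon with Current Username and Password") are what lets the browser hand the logged-on user's Kerberos/NTLM credentials to the proxy without a prompt. Here is what the "login script or manually" route looks like as an added PowerShell example; this is not from the original post or from Cisco, and the WSA hostname and AD domain are placeholders you would replace with your own. It writes the same per-user registry values that the Internet Options dialog writes, so it is also a handy way to verify a GPO landed.

```powershell
# Added example (not part of the original post): map the WSA's hostname into
# the Trusted Sites zone for the current user and set that zone to
# "Automatic logon with current user name and password".
function Set-WsaTrustedSiteSso {
    param(
        # Placeholder values: substitute the real WSA hostname and AD DNS domain.
        [string]$WsaHost  = 'wsa',
        [string]$AdDomain = 'corp.example'
    )

    $inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Site-to-zone mapping lives under ZoneMap\Domains\<domain>\<host>. One DWORD
    # per URL scheme; the value is the zone number (2 = Trusted Sites).
    $siteKey = Join-Path (Join-Path "$inetSettings\ZoneMap\Domains" $AdDomain) $WsaHost
    New-Item -Path $siteKey -Force | Out-Null
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -Path $siteKey -Name $scheme -Value 2 -PropertyType DWord -Force | Out-Null
    }

    # Zone 2 = Trusted Sites. Value 1A00 is the zone's logon option:
    #   0x00000 = automatic logon with current user name and password
    #   0x10000 = prompt for user name and password
    #   0x20000 = automatic logon only in Intranet zone (the default for Trusted Sites)
    #   0x30000 = anonymous logon
    $zoneKey = "$inetSettings\Zones\2"
    Set-ItemProperty -Path $zoneKey -Name '1A00' -Value 0 -Type DWord

    # Return what was written so the result can be eyeballed or checked by a script.
    [pscustomobject]@{
        SiteKey     = $siteKey
        HttpZone    = (Get-ItemProperty -Path $siteKey).http
        HttpsZone   = (Get-ItemProperty -Path $siteKey).https
        LogonOption = (Get-ItemProperty -Path $zoneKey -Name '1A00').'1A00'
    }
}

# Usage: run as the user whose browser needs SSO to the proxy. Expect both
# zone values to be 2 and LogonOption to be 0.
Set-WsaTrustedSiteSso -WsaHost 'wsa' -AdDomain 'corp.example'
```

If you push this with Group Policy instead, the equivalent settings are the "Site to Zone Assignment List" (value 2 for Trusted Sites) and the "Logon options" setting under the Trusted Sites Zone, both in the Internet Explorer Security Page policies. Whichever route you take, check the 1A00 value afterwards: leaving it at the default (automatic logon only in the Intranet zone) is the most common reason the WSA's single sign-on keeps prompting for credentials.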