I am slowly starting to get to grips with the WSA, the System Setup Wizard crashes out at the same place every time, but I seem to be making my way around that.
Anyway, I have been thinking about how much you actually need to know about the WSA in the written and lab exams, and I don’t think it’s a huge amount.
Having a look at the written exam topics, its very brief:
5.14 Cisco Web Security Appliance and Cisco Email Security Appliance
As for the lab, well, that’s a little more concise:
- 3.3 Cisco WSA
- 3.3.a Implement WCCP
- 3.3.b Active Directory integration
- 3.3.c Custom categories
- 3.3.d HTTPS configuration
- 3.3.e Services configuration (web reputation)
- 3.3.f Configure proxy bypass lists
- 3.3.g Web proxy modes
- 3.3.h Application visibility and control
The WCCP thing goes together with configuring on a router or firewall endpoint, we’ll come back to AD integration in a moment, but then we have custom categories, HTTPS and the rest of it – all of which are very much point and click.
So, let’s return to AD.
Here’s where the confusing part is. Have a look at the software versions for the v4 CCIE Security:
- Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
- Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
- Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
- Cisco IPS Software Release 7.x
- Cisco VPN Client Software for Windows, Release 5.x
- Cisco Secure ACS System software version 5.3x
- Cisco WLC 2500 Series software 7.2x
- Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
- Cisco WSA S-series software version 7.1x
- Cisco ISE 3300 series software version 1.1x
- Cisco NAC Posture Agent v4.X
- Cisco AnyConnect Client v3.0X
There is a notable exception, and that is any form of Windows server.
This does limit down what is required, and puts the onus back onto locally created accounts, and puts greater weight on configuring WCCP.
While I appreciate that only someone who has actually sat the CCIE Security exams can confirm/deny this, I also appreciate that in doing so they would be in danger of breaking an NDA, but it would be good to find out if I am right or not! Feel free to comment below.
Setting up WCCP is very straight forward on the WSA.
Let’s do this.
So I have my VM running inside of UNetLab, and it points me to use the System Setup Wizard.
We start off with the basics, like hostname and DNS:
Next, we tell it where it is in the network (i.e. behind another proxy or not)
Then I configure the IP addresses:
Then this happens, every time.
Switching to the console and grepping the GUI log (type in “grep” and it will list the files you can read, and select by the number), it shows the following:
Critical: An application fault occurred: ('system_setup/wsassw_network_proxy.py process|290', "", "'Management'", '[util/Aquarium.py screenLoop|409] [util/InternalLibrary.py inverseExtend|328] [util/InternalLibrary.py __call__|746] [screen/Controller.py __call__|25] [util/InternalLibrary.py __call__|746] [screen/CommonController.py __call__|57] [util/InternalLibrary.py __call__|746] [screen/AppController.py __call__|191] [util/InternalLibrary.py __call__|748] [system_setup/wsassw_network_proxy.py __call__|33] [screen/WizardStep.py __call__|16] [screen/WizardStep.py callWizard|8] [system_setup/wsassw_wizard.py __call__|103] [screen/Wizard.py __call__|59] [screen/WizardStep.py run|21] [screen/Controller.py executeAction|67] [screen/WizardStep.py doNextAction|52] [screen/WizardStep.py validateAndProcess|79] [system_setup/wsassw_network_proxy.py process|290]')
No idea what that is all about.
Anyway, once you return to the default screen, you can click on Commit changes, and it seems pretty solid.
So moving on (with fingers crossed), WCCP can be set up in a few steps.
From the Network menu, select Transparent redirection:
The default will be an L4 device, so change it to WCCP v2 router, and then you can click on Add Service:
Fill in the boxes, giving it a profile name, either selecting the standard service (where you’ll have to refer to it as “web-cache” in the router), or give it a service ID. Set the port numbers, and IP address of the WCCP router (very important), and if you want, set a password for the service. I am using “wsawccp” as the password.
Once done, it’ll appear in the WCCP v2 Services list:
Commit the changes:
All looks good.
This is however only half the story, we need to set up the ASA for the service, though.
I’ll cover that in a different post.