The following benefits apply to the Cisco Integrated Service Routers Generation 2 (ISR G2) and Cisco Cloud Web Security solution:

• Lower total cost of ownership: Helps customers avoid costs associated with deployment and maintenance of on-premise software and hardware.
• Leading security: Real-time cloud-based scanning blocks malware and inappropriate content before it enters the network.
• Scalability and availability: The global network processes high volumes of web content at high speeds.
• Integration with other Cisco security products: Cisco ISR G2 with Cloud Web Security integrates Cisco AnyConnect to offer a web security solution for users both on and off the network.
• Consistent, unified policy: Acceptable use policy (AUP) that can be applied to all users regardless of their location, simplifying management.

For more information on configuring and using the Cloud Web Security Portal, see the Cisco CWS Portal Administrator Guide.

The Cloud Web Security feature on the Cisco Integrated Services Routers Generation 2 (ISR G2) is available with the Security SECK9 license bundle. For more information on configuring the Security SECK9 license bundle, refer to the Cisco ISR G2 Licensing and Packaging white paper.

The following table lists the Cisco Integrated Services Routers Generation 2 (ISR G2) platforms compatible with Cloud Web Security:

The Cisco ISR G2 and Cloud Web Security Design Guide provides details of supported architectures and best practices.

Clients are any devices that can connect to a Cisco Integrated Services Routers Generation 2 (ISR G2), either directly or indirectly. When a client sends an HTTP or secure HTTP (HTTPS) request, the ISR G2 router receives the request and forwards it to the Cloud Web Security proxy server. If authentication is configured, the ISR G2 router first authenticates the user, and then retrieves the group name from the authentication server. The router maintains the IP address-to-user-name mapping for future reference. After identifying the user (if applicable), the ISR G2 router determines whether to send the HTTP or HTTPS client request to the Cloud Web Security server by checking the Cisco IOS Firewall Port to Application Mapping (PAM) and whitelist database.

For information about PAM, see the “Configuring Port to Application Mapping" chapter in the Context-Based Access Control Firewall configuration Guide.

When the ISR G2 router sends a client request to Cloud Web Security servers, the router acts as an intermediary between the client and Cloud Web Security by creating a separate connection with the Cloud Web Security proxy server. When the ISR G2 router communicates with Cloud Web Security, it changes the destination IP address and destination port in the client request. It also adds Cloud Web Security-specific HTTP headers, which includes information about the username and user group, and then sends the modified request to Cloud Web Security.

You can configure how the ISR G2 router handles web traffic when it cannot reach either the primary or backup Cloud Web Security proxy server. It can either block or allow all web traffic. By default, it blocks web traffic.

Note

ISR G2 routers do not have the ability to detect apps on mobile devices, even if the apps are web-based. As a result, traffic from apps launched on mobile devices and tablets may not be blocked/warned by the configured Cloud Web Security policies. However, if the content is accessed through a web browser, the content is blocked/warned according to specified policies. For example, Facebook access is blocked by the configured Cloud Web Security policies of a company. Employees of this company will not be able to access Facebook through Safari on an Apple iPad; however, they may be able to access Facebook through the Facebook app that is installed on the Apple iPad.

A device that forwards web traffic to Cisco Cloud Web Security proxy servers includes additional HTTP headers in each HTTP and HTTPS request. Cisco Cloud Web Security uses these headers to obtain information about customer deployments, including information about the user who had originally made the client request and the device that sent the request. For security purposes, the information in the headers is encrypted and then hexadecimal encoded.

Cisco Cloud Web Security headers provide both asymmetric cryptography and symmetric cryptography by using industry standard algorithms. Asymmetric encryption is done by using the RSA/ECB/PKCS1Padding algorithm that uses key pairs of 512 bits. Symmetric encryption is done by using the triple “DESede” algorithm with a randomly generated triple Data Encryption Standard (DES) key of 168 bits.

You can configure Cisco Integrated Services Routers Generation 2 (ISR G2) to bypass Cloud Web Security scanning of approved web traffic. When Cloud Web Security scanning is bypassed, the ISR G2 router retrieves the content directly from the originally requested web server without contacting Cloud Web Security. When the router receives a response from the web server, it sends the data directly to the client.

You can bypass Cloud Web Security scanning based on the following client web traffic properties:

• IP address—Bypass the scanning of traffic that matches a numbered or named access control list (ACL) that is configured in the global parameter map on the ISR G2 router. Configure Cloud Web Security traffic for trusted sites, such as intranet servers.
• HTTP header fields—Bypass the scanning of web traffic that matches an HTTP header field that is configured in a global parameter map on the ISR G2 router. You can configure a match based on Host or User-Agent header fields for user agents that do not function properly when scanned. Or, you can bypass scanning traffic that is intended for trusted hosts, such as third- party partners. Note: When HTTP header-based whitelisting is enabled, the ISR G2 router automatically disables/removes TCP options such as windows scaling and timestamps.
• Username or User group—Bypass the scanning for web traffic that matches a username or the user group a user belongs to. You can bypass scanning for a subset of trusted users.

Use the commandscontent-scan whitelisting and whitelist to create a whitelist database for traffic that can bypass scanning.

A typical branch office uses one Cisco Integrated Services Routers Generation 2 (ISR G2) to route network traffic to the headquarter and redirect web traffic to Cloud Web Security for security scanning. Some organizations can have multiple branch offices with one ISR G2 router in each office.

These ISR G2 routers may force users to authenticate before granting access to the network. The ISR G2 authentication sends user-group information about the user who makes the web request from an authentication server. When the ISR G2 router do not enforce authentication, no user group information is sent from the authentication server. Use the command user-group to configure a default user-group name for all web traffic, while configuring Cloud Web Security on the ISR G2 router. All ISR G2 routers must be configured with a license (authentication key) in the Cloud Web Security portal. The Cloud Web Security portal supports company and group authentication keys.

By default, Cloud Web Security forwards both HTTP and secure HTTP (HTTPS) traffic to the Cloud Web Security server. However, you can use whitelisting to bypass HTTPS traffic from Cloud Web Security redirection.

ip access-list extended matchHTTPS
 permit ip any any eq 443
!
content-scan whitelisting
 whitelist acl name matchHTTPS
!

parameter-map type content-scan global 
 server scansafe primary ipv4 72.37.244.147 port http 8080 
 server scansafe secondary ipv4 80.254.145.147 port http 8080
!

Cisco Integrated Services Routers Generation 2 (ISR-G2) uses Windows NT Lan Manager (NTLM) to retrieve user credentials transparently from the client application without prompting end users for authentication. If the client application cannot send user credentials transparently, ISR G2 prompts users to enter credentials.

When using NTLM authentication, you can choose two modes: active or passive. The default mode for NTLM authentication is active. To enable passive mode, configure the command ip admission name rule1 ntlm passive.

In NTLM active mode, ISR G2 routers gather both the username and password from the client during the TCP handshake process and verify these against the Active Directory domain controller. In NTLM passive mode, ISR G2 routers only query for the user group information and do not verify the password, which reduces the number of transactions between ISR G2 routers and the domain controller.

During HTTP basic authentication, client applications always prompt users to enter their credentials.

1.    enable


2.    configure terminal


3.    aaa new-model


4.    ldap server name


5.    ipv4 ip-address


6.    bind authenticate root-dn password [0 string | 7 string] string


7.    base-dn string


8.    authentication bind-first


9.    exit


10.    ldap attribute-map map-name


11.    map type ldap-attr-type aaa-attr-type


12.    exit


13.    aaa group server ldap group-name


14.    aaa authentication login list-name


15.    ip admission admission-name


16.    ip admission virtual-ip ip-address virtual-host hostname


17.    interface type number


18.    ip admission admission-name


19.    exit


20.    ip http server


21.    end

Device> enable

Device# configure terminal

Device(config)# aaa new-model

Device(config)# ldap server server1

Device(config-ldap-server)# ipv4 10.1.1.1

Device(config-ldap-server)# bind authenticate root-dn “cn=administrator,cn=users,dc=nac-blr2,dc=example,dc=com password”

Device(config-ldap-server)#  base-dn "dc=sns,dc=example,dc=com"

Device(config-ldap-server)# authentication bind-first

Device(config-ldap-server)# exit

Device(config)# ldap attribute-map map1

Device(config-attr-map)# map type department hr-group

Device(config-attr-map)# exit

Device(config)# aaa group server ldap name1

Device(config)# aaa authentication login userauthen

Device(config)# ip admission webauth

Device(config)# ip admission virtual-ip 10.2.2.2 virtual-host webproxy

Device(config)# interface gigabitethernet 0/0

Device(config-if)# ip admission webproxy

Device(config-if)# exit

Device(config)# ip http server

Device(config)# end

An Integrated Services Routers Generation 2 (ISR G2) that uses Windows NT LAN Manager (NTLM) to authenticate users tries to retrieve user credentials transparently from the client application without prompting users for authentication. If the client application cannot send user credentials transparently, then the ISR G2 prompts users to enter their username and password.

During NTLM authentication, an ISR G2 router redirects the client browser from the originally requested URL to a virtual proxy URL (either by using the configured IP address or hostname) configured on the ISR G2 router. After the browser redirects users to the virtual proxy URL, the users are prompted for authentication credentials. Successfully authenticated users are redirected to the requested URL.

Users are transparently authenticated by using NTLM when they access the web using a web browsers on the Windows operating system. For example, users are transparently authenticated through Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome on Windows; however, the users are prompted for authentication credentials when using Apple Safari on an Apple Macintosh or Opera on any operating system.

To ensure that users are transparently authenticated using Microsoft Internet Explorer, Mozilla Firefox, and Chrome on the Windows operating system, perform the following steps:

1. Define a virtual proxy URL on the ISR G2 router using the ip admission command.

   ip admission virtual-ip 10.1.1.1 virtual-host webproxy
   
   

   Note	You can specify a single-word hostname as the virtual proxy hostname. The virtual proxy IP address must not be used by any other device or configured on the ISR G2 router.

2. Configure the third-party authentication software to transparently authenticate users by using the virtual proxy URL.
   • If you are using Microsoft Internet Explorer or Google Chrome, perform the following step:
     • If a virtual proxy hostname is defined, create a Domain Name System (DNS) record that resolves the virtual proxy hostname to the virtual proxy IP address specified in Step 1 (10.1.1.1). Microsoft Internet Explorer and Google Chrome consider a single word hostname as a local intranet server.
   • Microsoft Internet Explorer: Add the virtual proxy URL to the Microsoft Internet Explorer Local Intranet Zone. If only the virtual proxy IP address is defined, add the IP address (for example, http://10.1.1.1) to the Local Intranet Zone. If the virtual proxy hostname is defined, add it (for example, http://webproxy) to the Local Intranet Zone. For more information on adding a URL to the Internet Explorer Local Intranet Zone, see the Internet Explorer documentation.
   • Mozilla Firefox: Edit the Mozilla Firefox preferences that determines the sites that are automatically authenticated by using NTLM and add the virtual proxy URL configured in Step 1. The “network.automatic-ntlm-auth.trusted-uris” is the configuration setting that you have to edit. For more information on editing the Firefox configuration, see the Mozilla Firefox documentation.

Use network/IP-based authentication or browser-based authentication bypass to disable the authentication to users.

To configure Cisco Integrated Services Routers Generation 2 (ISRvG2) to bypass authentication for certain subnets and users, you must either know the IP addresses of the users you do want to authenticate, or the IP addresses of users you do not want to authenticate. Create an access control list (ACL) that permits users who are authenticated and denies users who bypasses authentication access to the network. The ACL rule must associated with the ip admission command.

ip access-list extended authenticationACL  
 permit ip 10.0.0.0 0.0.0.255 any any  !! users in this IP range will be asked to authenticate first. everyone else bypasses authentication [implicit deny for all others]
!
ip admission name ntlm-rule ntlm list authenticationACL

ip access-list extended authenticationACL  
 deny ip 10.0.0.0 0.0.0.255 any any  !! users in this IP range will be NOT be asked to authenticate. everyone else must authenticate first
 permit ip any any  
!
ip admission name ntlm-rule ntlm list authenticationACL

Note

This configuration is mostly used only in proof-of-concept or pilot phases where only a subset of users access Cisco Cloud Web Security. For production deployments, typically all corporate users are asked for authentication. For guest users, it is recommended to have a separate VLAN or a network that does not apply authentication. The bypass authentication configuration should only be used if a separate guest VLAN/network is not possible.

Transparent authentication can be done through NTLM authentication. However, some web browsers that do not support transparent NTLM authentication, such as Mozilla Firefox or Apple Safari, will use authentication prompts.

The Browser-Based Authentication Bypass features uses the user agent string sent by the web browser to bypass authentication. A list of user agent strings can be configured on the web browser. Before the authentication, the Cisco Integrated Services Routers Generation 2 (ISR G2) checks if the user agent string from a user’s device matches the configured list. If there is a match, authentication is bypassed, and the user can access the Internet with guest Cloud Web Security policies. If there is no match, user authentication is required. Web browsers that support transparent NTLM authentication, the authentication happens in the background, and users are not prompted for credentials.

The ISR G2 router does a match on the user agent string configured on the router with the user agent string sent by the web browser. Web browsers may change the user agent string that is used to identify the browser. A best practice is for the Network administrators to periodically update the list of user agent strings on the ISR G2 router. To find the user agent string that your web browser is sending, go to http://whatsmyuseragent.com. A list of user agent strings is also available at http://techpatterns.com/forums/about304.html

A sample user agent string for an iPad 3 would be the following: “Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3”

Mobile =
iphone|ipod|android|blackberry|opera|mini|windows\sce|palm|smartphone|iemobile
 Tablet =
ipad|android|android|xoom|sch-i800|playbook|tablet|kindle 

parameter-map type regex byod
 pattern .*iPad*
 pattern .*andriod*
 pattern .*kindle*

If a user fails authentication, that user is authenticated as a guest user by using the configured default guest policy; however the session state will show SERVICE_DENIED. The session will remain in SERVICE_DENIED state for a default of 2 minutes, after which the session is moved to the initialized (INIT) state and the user will be prompted for credentials.

ip admission watch-list enable
ip admission watch-list expiry-time 1440

We recommend not to set the watch-list expiry timer to a very high value so that users are not prompted for credentials frequently. Setting zero (time of forever) is also not recommended as the user is never prompted for authentication and will have granular user policies applied.

Domain users who use transparent Windows NT Lan Manager (NTLM) authentication with supported browsers cannot login to the domain with invalid credentials. Because the device/domain will not let a user login to a network with invalid credentials, the domain will always have the correct username and user group, which ensures that the user always receives the granular user policies defined in the Cloud Web Security portal. If the password of a user expires, the user must log off and relogin to the domain with the new password.

The default guest access policy is available to users who use non-transparent NTLM authentication methods and fail authentication.

The following users are considered as non-domain users:

• Domain users who do not use either Microsoft Internet Explorer or Google Chrome (These web browsers supports transparent NTLM by default.).
• A user who locally logs into a device (for example, workgroup machines that support local sign-on).
• Guest users

During authentication, non-domain users must specify the domain name (cisco\user1) and the password. If a user enters only the username and password, the client PC considers the hostname/computer name as the domain name and the user may not be authenticated, even when proper credentials were given.

For example, a corporate user User1 who uses a Mozilla Firefox web browser (that does not support transparent NTLM authentication by default) belongs to the “humanresources” domain. User1 must log into the domain with the username “humanresources\user1” to be recognized as a corporate user who has access to corporate policies configured on Cloud Web Security. If User1 logs in as just "user1", the user is authenticated as a guest user and only the default policy is applied.