Table Of Contents

Administration

Overview

Account Management

Editing Your Account Details

Changing Your Password

Changing the Scanned IP Addresses

Downloading a List of Dynamic DNS Addresses

Managing Admin Users

Creating a New Admin User

Editing an Admin User

Removing an Admin User

User Management

Managing Groups

Adding a Directory Group

Creating a Custom Group

Editing a Group

Removing a Group

Managing Users

Importing a User List

Removing Users

Hosted Configuration Files

Uploading a New Configuration File

Managing Configuration Files

Removing Configuration Files

Authentication

Company Keys

Group Keys

Bulk Group Management

User Keys

Bulk User Management

Setting the User Email Message

Clientless Authentication

LDAP Authentication

Understanding How Authentication Works

Configuring Authentication Realms

Obtaining Certificates

Managing Certificates

Authenticating Users

Working with Failed Authentication

Working with Authentication Realms

Creating an Authentication Realm

Managing an Authentication Realm

Cisco Cloud Web Security Behavior With Multiple Realms

Testing Authentication Settings

Setting the Cookie Duration

Downloading Audit Reports

Configuring Roaming

Configuring the User Authentication Page

Dictionaries and Databases

Managing Dictionaries

Creating a New Dictionary

Editing a Dictionary

Managing File Information Databases

Creating a New Database

Editing a Database

Removing a Database

Auditing ScanCenter Use

Email Alerts

Access Audits

Activity Audits

Secure Traffic Inspection

Legal Disclaimer

Secure Sockets Layer Certificates

Creating a Certificate in ScanCenter

Using an Externally Generated Certificate

Editing a Certificate Description

Removing a Certificate

Filters

Creating a Filter

Editing a Filter

Removing a Filter

Policy

Creating a Rule

Editing a Rule

Removing a Rule


Administration


This chapter contains the following topics:

Overview

Account Management

User Management

Hosted Configuration Files

Authentication

Dictionaries and Databases

Auditing ScanCenter Use

Secure Traffic Inspection

Overview

The administration tasks in ScanCenter are accessed via the Admin tab. From there you can:

Change your account details and password.

Update the IP addresses scanned by Cisco Cloud Web Security.

Verify dynamic DNS.

Manage admin users.

Manage company, group, and user keys.

Configure email messages.

Manage users and groups.

Host configuration files.

Create or import dictionaries and file information databases.

Generate audits.

Manage HTTPS certificates, filters, and policy.

Account Management

The account management area of ScanCenter enables you to:

Edit your account details.

Change your password.

Update the scanned IP addresses.

Download a list of registered dynamic DNS addresses.

Manage admin users.

Editing Your Account Details

To edit your account details:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Your Account menu, click Account Details to display the Account Details page.

Step 3 In the Title list, click your title. The available options are:

Mr

Ms

Miss

Mrs

Dr

Other

Step 4 Enter your First name.

Step 5 Enter your Last name.

Step 6 Enter your Job Title.

Step 7 Enter your organization's name in the Company name box.

Step 8 Enter the URL of your organization's website in the Website box.

Step 9 Enter your telephone number in the Telephone box.

Step 10 Enter your facsimile number in the Fax box.

Step 11 Enter your mobile telephone number in the Mobile Phone box.

Step 12 Enter your organization's address, using up to three lines, in the Address boxes.

Step 13 Enter your postal code in the ZIP/Post Code box.

Step 14 In the Country list, click your country.

Step 15 In the Timezone list, click your time zone. Alternatively, click UTC.

Step 16 Click Save to save your changes. Alternatively, navigate to another page to abandon your changes.


Changing Your Password

When a new user is created, or an administrator resets the password of a user who has forgotten their password, a temporary password is sent to the email address associated with that user.

Passwords expire after a set period of time, 90 days by default. This is configured for you by customer support and you can request that passwords do not expire. If your password has expired, you will be prompted to change your password before you can access any other areas of ScanCenter. You can also choose to change your password at any time.

Your new password cannot be the same as any of your five previous passwords and it must contain:

at least 8 characters

one or more lower case letters

one or more upper case letters

one or more digits

one or more of the following special characters: @ # $ % ^ & - = _ ! : ?
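The following is an added example, not code from the Cisco guide. It encodes the password criteria listed above as one predicate per rule, so a local check reports the same per-criterion result that the red crosses and green ticks show on the Change Password page, and it includes a generator that produces a compliant temporary password from a CSPRNG. The password history passed to `check_password` is an assumption: ScanCenter keeps its own history of the five previous passwords and this script has no access to it.

```python
import re
import secrets
import string

# Policy as stated in the guide: at least 8 characters, one or more lower-case
# letters, upper-case letters and digits, one of the listed special characters,
# and not equal to any of the five previous passwords.
MIN_LENGTH = 8
HISTORY_DEPTH = 5
SPECIAL_CHARS = "@#$%^&-=_!:?"

# One predicate per criterion, mirroring the red-cross/green-tick display.
CRITERIA = {
    "min_length": lambda p: len(p) >= MIN_LENGTH,
    "lower": lambda p: re.search(r"[a-z]", p) is not None,
    "upper": lambda p: re.search(r"[A-Z]", p) is not None,
    "digit": lambda p: re.search(r"[0-9]", p) is not None,
    "special": lambda p: any(c in SPECIAL_CHARS for c in p),
}


def check_password(candidate, previous=None):
    """Return a dict of criterion -> bool for the candidate password.

    `previous` is the caller's password history, newest first (an assumption
    for this offline check; ScanCenter holds the real history). Only the
    five most recent entries are compared, as the guide specifies.
    """
    result = {name: test(candidate) for name, test in CRITERIA.items()}
    history = list(previous or [])[:HISTORY_DEPTH]
    result["not_reused"] = candidate not in history
    return result


def is_acceptable(candidate, previous=None):
    """True only when every criterion is met."""
    return all(check_password(candidate, previous).values())


def generate_temporary_password(length=12):
    """Build a password that satisfies the policy, using a CSPRNG.

    Guarantees one character from each required class, fills the rest from
    the union of the classes, then shuffles so class positions are not
    predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    rng = secrets.SystemRandom()
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIAL_CHARS]
    chars = [rng.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("password", "Passw0rd!", generate_temporary_password()):
        print(pw, check_password(pw))
```

The per-criterion dictionary is what makes the check useful in a help-desk script: it tells the user which rule a rejected password fails rather than only that it failed.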

To change your password:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Your Account menu, click Change Password to display the Change Password page.

Step 3 Enter the new password in the Password and Confirm password boxes. As you type the password the red crosses will change to green ticks as each criterion is met.

Step 4 When you have entered a valid password, click Save to change your password. Alternatively, navigate away from the page to abandon your changes.



Note Clicking Reset does not reset your password. It only clears the boxes.


Changing the Scanned IP Addresses

To request changes to the IP addresses scanned by Cisco Cloud Web Security:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Your Account menu, click Scanning IPs to display the Request Scanning IPs page.

Step 3 Enter the IP addresses with their net masks in the box.

Step 4 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.



Note IP addresses will normally be updated within one business day. A confirmation email will be sent when the changes are complete. If your change is urgent, email support for immediate action.


Downloading a List of Dynamic DNS Addresses

Typically, accessing the proxy servers from a dynamic IP address requires the use of Connector configured with group or company authentication keys.

The majority of Cisco and third-party routers can issue Dynamic DNS (DDNS) requests. DDNS enables the router to communicate with an external server to send its current external (WAN) IP address, so that other devices can connect to it using a static name resolved through normal DNS requests. The DDNS server is automatically updated if the external IP address changes. A DDNS update comprises a user name, password, and host name, which can be used by the service to authenticate these devices.

It is also possible to perform DDNS registration with client-side software.


Note For transparent deployment, DDNS routers must support the ability to port forward traffic to the proxy servers. Alternatively, browser proxy settings (PAC, WPAD, and so on) may be used if required.


Cisco provides a proprietary DDNS service as a means to verify dynamic IP addresses against its authentication database. Any router which has a 'custom' option for DDNS should be able to use this functionality.

For detailed instructions on configuring your router, refer to your router documentation.

To enable DDNS support:


Step 1 If you have not already done so, create a group authentication key in ScanCenter.

Step 2 Create a 'custom' DDNS on your router.

Step 3 Set the server to ddns.scansafe.net.

Step 4 Set a unique identifier for the user name or equivalent parameter.

Step 5 Set the password to the group authentication key you previously created.

Step 6 Set the host name to one of the domains associated with your ScanCenter account, typically your email domain.

Step 7 Set the URL to /dir/register?hostname=.


To verify your routers are working correctly you may want to view a list of currently registered dynamic DNS addresses. The list is provided as a CSV file containing the current IP address for each device. It does not contain a history of device IP addresses. To download the list:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Your Account menu, click Dynamic DNS to display the Dynamic DNS page.

Step 3 Click Generate Audit to download a comma-separated list of the dynamic IP addresses registered with your account. The list contains user names, IP addresses, host names, and the date of the last update.
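An added example, not code from the Cisco guide, that reads the downloaded list and flags registrations an administrator would want to look at: routers that have not re-registered within a chosen number of days, rows whose address is not a valid IP, and routers that registered an RFC 1918 address instead of their WAN address (such a device cannot be matched against the proxy's view of its external IP). The guide states which fields the CSV contains but not the header names or the date format, so `username`, `ip_address`, `hostname`, `last_update` and the `%Y-%m-%d %H:%M:%S` format are assumptions; the sample rows are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the shape the guide describes (user name, IP address,
# host name, date of last update). Header names and date format are assumed;
# check them against a real download from the Dynamic DNS page.
SAMPLE_CSV = """username,ip_address,hostname,last_update
branch-london,203.0.113.10,example.com,2014-05-20 08:15:00
branch-paris,198.51.100.7,example.com,2014-04-01 17:42:00
branch-berlin,not-an-ip,example.com,2014-05-21 09:00:00
branch-madrid,192.168.1.1,example.com,2014-05-21 12:00:00
"""

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ddns_audit(text):
    """Parse the CSV into a list of dicts; unparseable fields become None."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec = {k.strip(): (v or "").strip() for k, v in rec.items()}
        try:
            ip = ipaddress.ip_address(rec["ip_address"])
        except ValueError:
            ip = None
        try:
            last_update = datetime.strptime(rec["last_update"], DATE_FORMAT)
        except ValueError:
            last_update = None
        rows.append({"username": rec["username"], "hostname": rec["hostname"],
                     "ip": ip, "last_update": last_update})
    return rows


def find_problems(rows, now, max_age_days=7):
    """Map user name -> list of issues for rows that need attention."""
    problems = {}
    for row in rows:
        issues = []
        if row["ip"] is None:
            issues.append("invalid IP address")
        elif any(row["ip"] in net for net in RFC1918):
            # The router sent its LAN address rather than its external address.
            issues.append("private address")
        if row["last_update"] is None:
            issues.append("unparseable date")
        elif now - row["last_update"] > timedelta(days=max_age_days):
            # The router has stopped updating; its current IP may differ.
            issues.append("stale registration")
        if issues:
            problems[row["username"]] = issues
    return problems


def report(text, now_text, max_age_days=7):
    """Convenience wrapper: parse the CSV and evaluate it as of now_text."""
    now = datetime.strptime(now_text, DATE_FORMAT)
    return find_problems(parse_ddns_audit(text), now, max_age_days)


if __name__ == "__main__":
    for user, issues in sorted(report(SAMPLE_CSV, "2014-05-22 00:00:00").items()):
        print(user, ", ".join(issues))
```

Because the download holds only the current address per device and no history, run it on a schedule and keep the files if you want to see when a router's address actually changed.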


Managing Admin Users

The Admin Users page enables you to create, edit and remove admin users. The access rights of an admin user are determined by the role assigned to that user. The available roles are:

Full Access

Read Only

Report Admin

Admin with no Forensic Role

HR

Full Read Only

See Role Permissions for details of the access rights associated with each role.

To manage admin users:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Your Account menu, click Admin Users to display the Admin Users page.


Creating a New Admin User

To create a new admin user:


Step 1 Click Create to display the Create Admin User page.

Step 2 Enter the email address of the admin user in the Email Login box. This will be the user name.

Step 3 In the Role list, click a role.

Step 4 Click Save to create the admin user. Alternatively, navigate away from the page to abandon your changes.


Note You must activate the admin user to enable them to log in. A temporary password will be generated and emailed to the user on first activation.



Editing an Admin User

To activate an inactive admin user, click Activate.

To deactivate an active admin user, click Deactivate.

To reset the password of an admin user, click Reset.

To unlock an admin user who has been locked out after multiple failed log-in attempts, click Unlock.


Note The organization super user account will never be locked. In the event of multiple failed log-in attempts, the password is reset and a temporary password sent to the email address associated with the account.


To change the role of an admin user:


Step 1 Click the required role in the Role list.

Step 2 Click Save. Alternatively, navigate away from the page to abandon your changes.


Changing Admin User Email Credentials

To change an admin user's email password:


Step 1 Click Change to display the Change Password page.

Step 2 Enter the new password in the Password and Confirm password boxes, ensuring the password meets the acceptable password criteria (see Changing Your Password).

Step 3 Click Save to change the password. Alternatively, navigate away from the page to abandon your changes.


Restricting Access to Reports

You can restrict the data that an admin user is able to view when running reports. By default there are no restrictions in place.

To exclude attributes from reports run by a specific admin user:


Step 1 Click Change to display the list of attributes.

Step 2 Clear the check boxes of the attributes that you do not want to be viewed by the admin user.

Step 3 Add any filters you want to apply to online reports viewed by the admin user. For more information about filters see Filtering Reports.


Note Filters will not be applied to scheduled reports. Filter sets cannot be applied to admin users.


Step 4 Click Save.


Removing an Admin User

To permanently remove an admin user:


Step 1 Select the Delete check box for the required user. You can select multiple admin users to be removed.

Step 2 Click Delete. You will be prompted to confirm your action.



Caution When an admin user has been removed it cannot be recovered. Instead, you must create a new admin user.

User Management

The user management area of ScanCenter enables you to create groups, edit groups and users, and import users, dictionaries, and file information. When using Cisco Integrated Services Router Web Security, Cisco AnyConnect Secure Mobility Web Security, or Connector, groups enable you to implement role-based Web access policy.

Groups are evaluated as follows:

1. If Connector is configured to send internal group details, a check is made to see if the supplied group name matches any groups configured in ScanCenter. If a match exists the matched group is selected. If the user belongs to more than one group then any group containing the string 'webscan' will be given priority.

2. If the user name is matched but no group is matched, a check is made to see if the user belongs to an existing group.

3. If the group cannot be matched but the internal IP address is present, a check is made to see if the IP address matches a group IP expression.

4. If the group cannot be matched, a check is made to see if the external IP address matches a group IP expression.

5. If the group still cannot be matched, the default group is used.
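The five-step evaluation above is an ordered fallback chain, which is easy to get wrong when reasoning about which policy a user will receive. The following is an added example, not code from the Cisco guide or from Connector, that implements the chain over a small in-memory model of groups; IP expressions use the dotted-netmask form the guide gives later under Editing a Group (for example 192.168.0.0/255.255.0.0), which Python's `ipaddress` module accepts directly. Two details the guide leaves open are assumptions here: when several groups match at the same step the first in configured order wins, and the 'webscan' priority is a plain substring test on the group name. The `GROUPS` configuration is constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    ip_expressions: list = field(default_factory=list)  # e.g. "192.168.0.0/255.255.0.0"
    members: set = field(default_factory=set)           # directory user names


def ip_in_expression(ip, expression):
    """True if ip falls inside the expression. The dotted-netmask form shown in
    the guide is accepted by ipaddress; strict=False tolerates host bits."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expression, strict=False)


def _first_group_for_ip(groups, ip):
    for group in groups:
        if any(ip_in_expression(ip, expr) for expr in group.ip_expressions):
            return group
    return None


def resolve_group(groups, default_group, user=None, sent_groups=(),
                  internal_ip=None, external_ip=None):
    """Apply the five evaluation steps in order and return the selected Group."""
    by_name = {g.name: g for g in groups}

    # 1. Group names supplied by Connector; a 'webscan' group takes priority.
    matched = [by_name[n] for n in sent_groups if n in by_name]
    if matched:
        preferred = [g for g in matched if "webscan" in g.name]
        return (preferred or matched)[0]

    # 2. User name known but no group matched: membership of an existing group.
    if user is not None:
        for group in groups:
            if user in group.members:
                return group

    # 3. Internal IP address against the group IP expressions.
    if internal_ip is not None:
        group = _first_group_for_ip(groups, internal_ip)
        if group is not None:
            return group

    # 4. External IP address against the group IP expressions.
    if external_ip is not None:
        group = _first_group_for_ip(groups, external_ip)
        if group is not None:
            return group

    # 5. Nothing matched: the default group applies.
    return default_group


# Constructed configuration for the usage example below.
GROUPS = [
    Group("Sales", ["192.168.0.0/255.255.0.0"], {"alice"}),
    Group("webscan-Engineering", ["10.0.0.0/255.0.0.0"], {"bob"}),
    Group("Engineering", [], {"bob"}),
]
DEFAULT = Group("Default")

if __name__ == "__main__":
    print(resolve_group(GROUPS, DEFAULT, user="bob",
                        sent_groups=["Engineering", "webscan-Engineering"]).name)
    print(resolve_group(GROUPS, DEFAULT, user="carol", internal_ip="192.168.5.9").name)
```

A useful habit when auditing policy is to run known user/IP combinations through this model and compare the result with the group ScanCenter reports for the same traffic; a mismatch usually means an IP expression is broader than intended or a user sits in more groups than expected.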

Managing Groups

Two types of groups are supported in ScanCenter: directory groups and custom groups. Directory groups can be Windows Active Directory groups or LDAP groups. Custom groups enable you to create a group containing any users, regardless of their Active Directory or LDAP group.

To manage groups:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Management menu, click Groups to display the Manage Groups page.

Adding a Directory Group

Before you can add a directory group you must first create the Windows Active Directory or LDAP group on your server.

To add a directory group:


Step 1 Click Add Directory Group to display the Add New Directory Group page.

Step 2 Enter the Active Directory or LDAP group in the box.

Step 3 Click Save to save your changes. Alternatively, click Cancel to abandon your changes.


Creating a Custom Group

To create a custom group:


Step 1 Click Add Custom Group to display the Add New Custom Group page.

Step 2 Enter a name for the group in the box.

Step 3 Click Save to return to the Manage Groups page. Alternatively, click Cancel to abandon creating the group.

Step 4 Edit the group.


Editing a Group

To edit a group:


Step 1 In the Manage Groups page, click the group name hyperlink to display the Edit Custom Group page.

Step 2 Enter a new name for the group in the box and click Save. Alternatively, accept the existing name.

Step 3 Enter the required IP expressions in the box, for example 192.168.0.0/255.255.0.0, and click Save.

Step 4 Enter the required Active Directory or LDAP users in the box and click Save.


You can click Done to return to the Manage Groups page.

Removing a Group

In the Manage Groups page, select the check box of the group to be removed then click Delete Selected to permanently remove the group. You will be prompted to confirm your action. You can select multiple groups to be removed. You cannot remove a group that is associated with a policy.


Caution When a custom group has been removed it cannot be recovered. Instead you must create the custom group again.

Managing Users

Users cannot be added individually. They must be imported from a text file containing a comma-separated list in the form <group>, <user name>, <email address> for each user. When the list has been imported individual users can be removed. Users cannot be edited. If you need to make changes you should remove the existing user and import a new user with the appropriate details.
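Because an import that fails validation has to be corrected and resubmitted, and because users cannot be edited afterwards, it pays to check the file locally first. The following is an added example, not code from the Cisco guide, that validates a list in the `<group>, <user name>, <email address>` form described above: it rejects lines with the wrong number of fields, syntactically invalid email addresses and duplicate user names. Checking the group column against the set of groups already created in ScanCenter is an assumption about what the service's own validation covers, but it catches a common mistake either way. The sample list is constructed, with deliberate defects on lines 3 to 6.

```python
import csv
import io
import re

# Loose syntactic check only: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample in the guide's <group>, <user name>, <email address> form.
SAMPLE_USER_LIST = """Sales, alice, alice@example.com
Engineering, bob, bob@example.com
Marketing, carol, carol-at-example.com
Sales, alice, alice@example.com
Engineering, dave
Finance, erin, erin@example.com
"""


def validate_user_list(text, known_groups):
    """Return (records, errors).

    records: list of (group, user, email) tuples that passed every check.
    errors: list of (line_number, message) for lines that would be rejected.
    known_groups: names of groups that already exist in ScanCenter (assumed
    to be required; see the lead-in).
    """
    records, errors, seen_users = [], [], set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for fields in reader:
        lineno = reader.line_num
        if not fields:
            continue  # blank line
        fields = [f.strip() for f in fields]
        problems = []
        if len(fields) != 3:
            problems.append("expected 3 fields, got %d" % len(fields))
        else:
            group, user, email = fields
            if group not in known_groups:
                problems.append("unknown group %r" % group)
            if not EMAIL_RE.match(email):
                problems.append("invalid email address %r" % email)
            if user in seen_users:
                problems.append("duplicate user %r" % user)
        if problems:
            errors.append((lineno, "; ".join(problems)))
            continue
        seen_users.add(user)
        records.append((group, user, email))
    return records, errors


if __name__ == "__main__":
    ok, bad = validate_user_list(SAMPLE_USER_LIST, {"Sales", "Engineering", "Marketing"})
    print("%d valid records" % len(ok))
    for lineno, message in bad:
        print("line %d: %s" % (lineno, message))
```

Run it against the file before clicking Import; the line numbers in the error list map directly onto the text file you need to edit.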

Importing a User List

To import a user list:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Management menu, click Import User List to display the Import User List page.

Step 3 Click Browse then navigate to the file.

Step 4 Click Import. You will be notified if the file cannot be validated.

Step 5 If the list is correct, click Confirm. You will be notified if the import was successful. Alternatively, click Back to step 1, edit the file and repeat the import process.


When you have imported a user list you can click Back to step 1, to import additional user lists. Alternatively, if you wait 10 seconds you will be taken back.

Removing Users

To remove a user:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Management menu, click Users to display the Manage Users page.

Step 3 Select the check box of the user to be removed.

Step 4 Click Delete Selected. You will be prompted to confirm your action.


You can select multiple users to be removed.

You can search for a user by entering all or part of the user name in the Search box and clicking Search. To display the full list again click Reload list.

Hosted Configuration Files

The hosted configuration area of ScanCenter enables you to upload PAC (proxy auto-config) files, Cisco AnyConnect Secure Mobility Client Web Security config, and other configuration files to ScanCenter, and manage those files. You must test PAC files to ensure they function correctly before uploading. For further information about PAC files, refer to the Connector Administrator Guide appendix "Proxy Auto-Config Files". For information about Web Security, refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.0 (or later).


Note You must upload the unscrambled version of the AnyConnect config file. The file will be scrambled before it is served to your users but you will still be able to download the plain text version.


To view your hosted configuration files:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Management menu, click Hosted Config to display the Hosted Config page.

The description, type, URL or associated group key, status, creation and modification dates are displayed.


Uploading a New Configuration File

To upload a file:


Step 1 Click the Upload Config tab to display the Upload Config page.

Step 2 Click the required file type in the Resource Format box.

Step 3 Enter a unique Description in the box.

Step 4 Click Browse to select a file to upload. There is a maximum file size limit of 500 kilobytes.

Step 5 Click Upload to upload the file.


Managing Configuration Files

When you have uploaded a file you can activate or deactivate it, upload newer versions, and delete versions.

To manage a configuration file:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Management menu, click Hosted Config to display the Hosted Config page.

Step 3 Click the Edit icon.


To activate a configuration file, select the Active check box, then click Save. Alternatively, clear the check box to deactivate the configuration file, then click Save.

When there are two or more versions of a file, click Default to enable a specific version, then click Save.

To remove a specific version of a file, click Delete.


Caution When you click Delete the file will be deleted immediately unless it is the default version. You will not be asked to confirm your action.

Removing Configuration Files

Only configuration files that are inactive can be completely removed.

To remove an inactive configuration file:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Management menu, click Hosted Config to display the Hosted Config page.

Step 3 Click the Delete icon.


Caution Files are removed immediately. You will not be asked to confirm your actions.

Authentication

Authentication is the act of confirming the identity of a user. ScanCenter enables you to control access to the Web for each user or a group of users. This enables you to enforce your organization's policies and comply with regulations. ScanCenter can perform authentication without the need for client software, but you can also generate authentication keys for your organization, groups, and individual users for use with Cisco Integrated Services Router Web Security, Cisco AnyConnect Secure Mobility Web Security, and Connector. For further information refer to the relevant administrator guide. Before creating group or user keys you should set up your groups and users. See User Management.

Company Keys

The company key is used for organization-wide authentication.

To view the company key:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Authentication menu, click Company Key to display the Company Key page.


To deactivate an active key, click Deactivate. To activate a deactivated key, click Activate.

To permanently remove a key click Revoke.


Note Revoking or deactivating a key will prevent users from being able to authenticate with Cisco Cloud Web Security. When you have revoked a key you must generate a new key.


To generate a company key:


Step 1 Click Create new.

The Authentication Keys page is displayed.

Step 2 Copy the authentication key to a secure location.


Caution For security reasons, the authentication key is displayed only once. If you lose the key you must revoke the existing key and create a new key.

Group Keys

Group keys are used for authenticating groups of users. Before creating group keys you should ensure you have created the required groups. See User Management.

To view the group keys:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Authentication menu, click Group Keys to display the Group Authentication Keys page.


To create and activate a key:


Step 1 Click Create Key. The Authentication Keys page is displayed.

Step 2 Enter a group email address in the Send via email to the user box.

Step 3 Click a domain in the list.

Step 4 Click Send to send an email to members of the group.


To deactivate an active key, click Deactivate.

To activate a deactivated key, click Activate.

You can search for a group by entering all or part of the group name in the Search box and clicking Search. To display the full list again click Reload list.

Bulk Group Management

You can activate, deactivate and revoke group keys in bulk.

Click the check box to select a group with a key. You can click Select All to select the check box of all groups with keys or Deselect All to clear all check boxes.

Click Activate Selected to activate all the selected group keys.

Click Deactivate Selected to deactivate all the selected group keys.

Click Revoke Selected to permanently remove all the selected group keys.

User Keys

User keys are used for authenticating individual users. Before creating user keys you should ensure you have imported the required users. See User Management.

To view the user keys:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Authentication menu, click User Keys to display the User Authentication Keys page.


To create and activate a key, click Create Key. The Authentication Keys page is displayed. Enter a user email address in the Send via email to the user box, click a domain in the list and click Send to send an email to the user.

To deactivate an active key, click Deactivate.

To activate a deactivated key, click Activate.

To enable mobile functionality for a user, select the Mobile check box. Alternatively, clear the check box to switch off mobile functionality. You will be prompted to confirm your action.

You can search for a user by entering all or part of the user name in the Search box and clicking Search. To display the full list again click Reload list.

Bulk User Management

You can activate, deactivate and revoke user keys in bulk.

Click the check box to select a user with a key. You can click Select All to select the check box of all users with keys or Deselect All to clear all check boxes.

Click Activate Selected to activate all the selected user keys.

Click Deactivate Selected to deactivate all the selected user keys.

Click Revoke Selected to delete all the selected user keys.

Setting the User Email Message

To set the email message that is sent to a user with an authentication key:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Authentication menu, click Email Messages to display the Email Messages page.

Step 3 Edit the message in the first box. The text [username] and [company_name] will be replaced with the user's name and your organization's name.

Step 4 Edit the signature in the second box.

Step 5 Click Submit to save your changes. Alternatively, navigate away from the page to abandon your changes.


You can click Reset to default message to restore the default message.

Clientless Authentication

When you enable clientless authentication, Cisco Cloud Web Security authenticates users before allowing them to connect to a destination server. This is achieved by creating an Authenticate rule in ScanCenter for the user or group. For roaming users this also requires configuring their browser to send traffic to the Cisco Cloud Web Security proxy server, typically using a PAC file.

ScanCenter supports the Lightweight Directory Access Protocol (LDAP) with standard and secure LDAP authentication.

To enable authentication, you must create at least one authentication realm. An authentication realm is a set of authentication servers (or a single server) supporting a single authentication protocol with a particular configuration.

When you create more than one realm, your users will be able to select the realm they wish to authenticate with at the login screen.

LDAP Authentication

The Lightweight Directory Access Protocol (LDAP) server database is a repository for employee directories. These directories include the names of employees along with various types of personal data such as a phone number, email address, and other information that is exclusive to the individual employee. The LDAP database is composed of objects containing attributes and values. Each object name is referred to as a Distinguished Name (DN). The location on the LDAP server where a search begins is called the Base Distinguished Name or base DN.

ScanCenter supports standard LDAP server authentication, Secure LDAP authentication, and StartTLS. Support for LDAP enables established installations to continue using their LDAP server database to authenticate users. For Secure LDAP, ScanCenter supports LDAP connections over TLS. The TLS protocol is an industry standard for ensuring confidentiality. TLS uses key encryption algorithms along with Certificate Authority (CA) signed certificates to provide the LDAP servers a way to verify the identity of the appliance. StartTLS uses certificates to identify the LDAP server before a connection is created.

Understanding How Authentication Works

To authenticate users who access the Web, Cisco Cloud Web Security connects to an external authentication server. The authentication server contains a list of users and their corresponding passwords and it organizes the users into a hierarchy. For users on the network to successfully authenticate, they must provide valid authentication credentials (user name and password as stored in the authentication server).

When users access the Web through Cisco Cloud Web Security, the service communicates with both the client and the authentication server to authenticate the user and process the request. Cisco Cloud Web Security supports the following authentication protocols:

Lightweight Directory Access Protocol (LDAP). Cisco Cloud Web Security uses the LDAP Bind operation to query an LDAP-compatible authentication server. Cisco Cloud Web Security supports standard LDAP server authentication and Secure LDAP (LDAPS) authentication, which requires a server certificate on the LDAP server.

StartTLS. If your LDAP server supports the StartTLS extension, Cisco Cloud Web Security can establish Transport Layer Security with the server prior to authentication. StartTLS requires a server certificate on the LDAP server.

In addition to the preceding protocols, Cisco Cloud Web Security supports basic authentication. Cisco Cloud Web Security allows a client application to provide authentication credentials in the form of a user name and password when it makes a request.

Configuring Authentication Realms

Authentication realms reduce the changes required to your network and simplify provisioning users with Cisco Cloud Web Security.

From this area of ScanCenter you can create, edit, and remove authentication realms and manage certificates (used by secure protocols).

Before configuring an authentication realm you will require:

Server address — The full address to your LDAP server; host, port, and protocol.

(Optional) Certificate — The certificate to be used if you will be using a secure protocol, for example LDAPS.

LDAP access — ScanCenter requires at least read-only access to your LDAP servers. The ports you need to open, and the IP addresses you must enable access for, can be found in your provisioning email.

Search Base — The location in the LDAP tree to start searching for users, and other related information.


Note You must import certificates before creating an authentication realm that requires a secure protocol.


Obtaining Certificates

To obtain a digital certificate for use with LDAP, you must follow these steps:


Step 1 Generate a public-private key pair.

Step 2 Generate a Certificate Signing Request (CSR).

Step 3 Self-sign the certificate. Alternatively, contact a certificate authority (CA) to sign the certificate.

The certificate you upload must use the X.509 standard and you must install the matching private key on your LDAP server.


ScanCenter cannot generate Certificate Signing Requests (CSRs) for this purpose. Therefore, to have a certificate created for the LDAP server, you must issue the signing request from another system. Save the key from this system because you will need to install it on the LDAP server later.

On Windows Server you can use Microsoft Certificate Services to generate a suitable certificate. For information on using Microsoft Certificate Services refer to your vendor documentation. Alternatively, you can use any UNIX machine with a recent version of OpenSSL installed. Use the guidelines at the following location for information on generating a CSR using OpenSSL:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28

Typically, LDAP servers use self-signed certificates. Use the guidelines at the following location for information on creating and using your own certificate authority (CA):

http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca


Note Tools for generating and signing your own certificate are included with OpenSSL, free software from http://www.openssl.org.


Alternatively, when the CSR has been generated, submit it to a certificate authority (CA). The CA will return the certificate in PEM format.

If you are acquiring a certificate for the first time, search the Internet for "certificate authority services SSL server certificates," and choose the service that best meets the needs of your organization. Follow the service's instructions for obtaining an SSL certificate.

Managing Certificates

To upload an LDAP certificate:


Step 1 Click the Admin tab to display the Authentication menu, then click Management to display the Upload LDAP Certificates panel.

Step 2 Enter a unique Certificate name.

Step 3 Click Browse then navigate to and select the required certificate.

Step 4 Click Add to upload the certificate.


Click the Remove icon to remove a certificate.

Authenticating Users

When users access the Web through Cisco Cloud Web Security, they may be prompted to enter a user name and password. Cisco Cloud Web Security requires authentication credentials for some users depending on the configured Identity and Access Policy groups. Users should enter the user name and password of the credentials recognized by your organization's authentication server.


Note When enabling authentication with an LDAP authentication realm, ensure users do not enter the Windows domain name.


Working with Failed Authentication

Sometimes users are blocked from the Web due to authentication failure. The following list describes reasons for authentication failure and remedial actions you can take:

Client application cannot perform authentication. Some clients cannot perform authentication or cannot perform the type of authentication that is required. If a client application causes authentication to fail, you can create a Web Filtering rule to allow the client to connect. See [WEB FILTERING]

Authentication server is unavailable. An authentication server may be unavailable if the network connection is broken or if the server is experiencing a problem. You can set the desired behavior in the Failover options to block the user, use cached credentials, or apply the default policy.

Invalid credentials. When a client passes invalid authentication credentials, Cisco Cloud Web Security continually requests valid credentials, essentially blocking access to the Web by default.

Working with Authentication Realms

An authentication realm is a set of authentication servers (or a single server) supporting a single authentication protocol with a particular configuration. Each server in the realm shares the same logical database; any server will return the same results for a given user. Typically, a realm will have a one to one match with a Windows domain. The realm is the context in which user names, group names, and so on should be unique.

You can perform any of the following tasks when configuring authentication:

Include one or more authentication servers in a realm.

Create one or more LDAP realms.


Note It is also possible to include an authentication server in multiple realms, although typically this is not required unless you use an Active Directory Global Catalog which stores a limited read-only copy of data for multiple domains or realms.


You create, edit, and remove authentication realms on the Admin > Authentication > Management page under the Authentication Realms section.

Creating an Authentication Realm

To create an authentication realm:


Step 1 Click the Admin tab to display the Authentication menu, then click Management to display the Authentication Realms panel.

Step 2 Click Add to display the Network connection panel.

Step 3 Enter a unique Realm name in the box.

Step 4 For each server you want to add to the realm:

a. Enter an IP address in IPv4 format, or a hostname in the Host name box.

b. In the Protocol list, click the required protocol: LDAP, StartTLS, or SSL (LDAPS). Plain LDAP sends the bind credentials, and every user password checked against the server, in clear text between the service and your LDAP server; use StartTLS or LDAPS unless that path is otherwise protected.

c. Enter a Port in the box. The default for LDAP and StartTLS is 389. The default for LDAPS is 636.

d. If you are using a secure protocol, in the Certificate list, select the certificate you previously imported.

e. Click Check connection.

You can click Add another server to add as many servers as you want. You can click Remove server to remove any unwanted servers.

Step 5 When a connection has been successfully made, if your LDAP server accepts anonymous queries, select the Server Accepts Anonymous Queries check box. Alternatively, enter the distinguished name of the account that ScanCenter should bind as in the Bind DN box, and enter its password in the Password box. Use a dedicated account with read-only directory access for this, not an administrative account.

Step 6 Click Check Authentication.

Step 7 Accept or change the Search Base.

Step 8 In the Search Attribute list, click the attribute that contains the user name. This can be cn, uid, or sAMAccountName. Alternatively, select custom and enter an attribute in the box.

Step 9 In the User Filter Query list, click a query to exclude non-user LDAP entries. This can be None or (objectClass=person). Alternatively, select custom and enter a query in the box.

Step 10 Accept or enter a Subject Attribute. This box must not be left empty.

Step 11 To determine group membership from an attribute on the user entry, click Group Member Of Attribute. Accept the memberOf attribute or click custom and enter an attribute in the box. Alternatively, to determine membership from the list of members on the group entry, click Group Members Attribute. Accept the users attribute or click custom and enter an attribute in the box.

Step 12 Click Browse to populate the Exclude the following groups list.

Select the element's check box to include an element. Elements may include:

users

groups

organizational units (OUs)

computers

folders

miscellaneous elements

Click the expand icon to expand or collapse an element.

Click the filter icon to add a filter to an element.

Click the filter enabled icon to edit or remove a filter.

Step 13 Click Select to add the selected elements. Alternatively, click Cancel to abandon your selection.

Step 14 Click Browse to populate the Use the following groups list.

Step 15 Click Select to add the selected elements. Alternatively, click Cancel to abandon your selection.

Step 16 (Optional) Click Advanced settings to display the additional settings:

a. Enter the number of nesting levels to traverse in the Nested Group Depth box.

b. Enter the maximum number of groups to search in the Maximum Groups box.

Step 17 In the Groups Display list, click WinNT groups or LDAP standard to determine how the groups will be displayed.

Step 18 Enter a user name in the Check Sample User box and click Check LDAP to verify your settings.

Step 19 Click the required failover option: Block user, Use cached credentials, or Grant default policy. Grant default policy lets users through without authentication while the server is unreachable, so choose it only if the default policy is acceptable for unidentified users.

Step 20 (Optional) To exclude users from authentication:

a. In the Custom Attributes pane, enter an LDAP Attribute to match.

b. In the Rule Match list, click an operator and enter a value in the box. The available operators are:

Equals

Less Than

Regex (for details on constructing valid regular expressions contact customer support)

Is True

Is False

c. In the Action list click Block User.

d. Click Add.

You can click the Remove icon to remove the user filter.

Step 21 (Optional) To add users to a group for the duration of an authenticated session:

a. In the Custom Attributes pane, enter an LDAP Attribute to match.

b. In the Rule Match list, click an operator and enter a value in the box. The available operators are:

Equals

Less Than

Regex (for details on constructing valid regular expressions contact customer support)

Is True

Is False

c. In the Action list click Add to Group.

d. Click Add.

You can click the Remove icon to remove the group settings.

Step 22 When you have finished configuring the authentication realm, click Apply settings. Alternatively, navigate to another page to abandon your changes.


Managing an Authentication Realm

To manage an existing authentication realm, click the Admin tab to display the Authentication menu, then click Management to display the Authentication Realms panel.

To activate an inactive realm, select the Active check box and click Apply settings.

To deactivate an active realm, clear the Active check box and click Apply settings.

To download an audit of a realm, click the CSV icon.

To remove a realm, click the Remove icon.

To change a realm, click the Edit icon.

Cisco Cloud Web Security Behavior With Multiple Realms

You can configure Cisco Cloud Web Security to provide users with a choice of authentication realms which may include multiple servers with different security protocols.

For example, you may want to configure multiple realms if your organization acquires another organization that has its own authentication server using the same or a different security protocol. That way, you can create one policy for all users.

Testing Authentication Settings

When you create or edit an authentication realm, you enter many settings needed to connect to the authentication server. The information you enter is validated at each stage of the process to ensure the correct information has been entered.


Caution If you make configuration changes to an LDAP server, you must edit your authentication realms in ScanCenter to match the changes or your users will not be able to authenticate.

Testing Process

When you test authentication settings, ScanCenter first verifies that the settings you entered for the realm are in valid formats. For example, if a field requires a text string and it currently contains a numeric value, ScanCenter informs you of that error.

If all fields contain valid values, ScanCenter performs different steps, depending on the security protocol. If the realm contains multiple authentication servers, ScanCenter goes through the testing process for each server in turn.

LDAP Testing

ScanCenter performs the following steps when testing LDAP authentication settings:

1. It ensures that the LDAP server is listening on the specified LDAP port.

2. If Secure LDAP is selected, ScanCenter ensures the LDAP server supports Secure LDAP.

3. If StartTLS is selected, ScanCenter ensures the LDAP server supports the StartTLS extension.

4. If the realm includes bind parameters, ScanCenter validates them by attempting to authenticate with the LDAP server.
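
Two command-line checks that complement the Check connection, Check Authentication and Check LDAP buttons in the realm procedure above and the LDAP Testing steps just described. This is an added example, not part of the original guide and not ScanCenter code; it assumes OpenSSL 1.1.1 or later (for -starttls ldap) and the OpenLDAP ldapsearch client, and the host name, port, Bind DN, Search Base and CA file passed to the functions are placeholders. The first function builds the search filter the realm settings imply (the User Filter Query from Step 9 combined with the Search Attribute from Step 8) and escapes the user name as RFC 4515 requires, so a name containing ( ) * or \ cannot widen or break the query; the exact filter ScanCenter sends is not documented, so the combined form is an assumption. The second reproduces the LDAP Testing steps against a live server: port reachable, TLS or StartTLS negotiated with a server certificate that chains to the certificate you uploaded, then a bind with the realm's credentials.

```sh
#!/bin/sh
# Added example (not ScanCenter code): command-line checks for an LDAP realm.
# Assumes OpenSSL 1.1.1+ (for -starttls ldap) and OpenLDAP's ldapsearch.
set -eu

# Escape a user name for use inside an LDAP search filter (RFC 4515):
# backslash first, then * ( ). A NUL byte cannot occur in a shell string.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build the filter implied by the realm settings (assumed combination):
#   $1 = User Filter Query from Step 9 ("None" or a filter such as "(objectClass=person)")
#   $2 = Search Attribute from Step 8 (cn, uid, sAMAccountName or a custom attribute)
#   $3 = the user name exactly as typed at the authentication prompt (untrusted input)
ldap_user_filter() {
  term="($2=$(ldap_escape "$3"))"
  if [ "$1" = None ] || [ -z "$1" ]; then
    printf '%s\n' "$term"
  else
    printf '(&%s%s)\n' "$1" "$term"
  fi
}

# Reproduce the LDAP Testing steps against a live server. Not run by the demo below.
#   $1 = host, $2 = port, $3 = ldaps | starttls, $4 = CA file you uploaded to ScanCenter,
#   $5 = Bind DN, $6 = bind password, $7 = Search Base
ldap_realm_check() {
  host=$1; port=$2; mode=$3; cafile=$4; binddn=$5; bindpw=$6; base=$7
  # Steps 1-3: port open, TLS negotiated (directly or via StartTLS) and the
  # server certificate chains to the uploaded CA; -verify_return_error turns
  # a failed verification into a failed command instead of a warning.
  if [ "$mode" = ldaps ]; then
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
      -verify_return_error </dev/null >/dev/null 2>&1 || return 1
    url="ldaps://$host:$port"; tlsopt=""
  else
    openssl s_client -connect "$host:$port" -starttls ldap -CAfile "$cafile" \
      -verify_return_error </dev/null >/dev/null 2>&1 || return 1
    url="ldap://$host:$port"; tlsopt="-ZZ"   # -ZZ: StartTLS must succeed
  fi
  # Step 4: simple bind with the realm credentials and a base-scope search
  # returning no attributes ("1.1"), which also proves the Search Base exists.
  # Use -W instead of -w to be prompted rather than exposing the password in the process list.
  LDAPTLS_CACERT=$cafile ldapsearch -x -H "$url" $tlsopt -D "$binddn" -w "$bindpw" \
    -b "$base" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1
}

# Demo with constructed inputs: the filter for a normal name, and for a name
# that tries to inject a second clause.
ldap_user_filter '(objectClass=person)' sAMAccountName 'jdoe'
ldap_user_filter '(objectClass=person)' sAMAccountName 'jdoe)(|(objectClass=*'
```

To repeat Check LDAP from a shell, pass the filter produced by ldap_user_filter to ldapsearch with the same Bind DN and Search Base as the realm; if ldap_realm_check fails at the openssl stage, the problem is the certificate or the protocol choice, not the credentials.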

Setting the Cookie Duration

Clientless authentication uses cookies stored in the browser. By default, cookies persist for the duration of the browser session. Enabling persistent cookies lets users close and reopen the browser without reauthenticating, for as long as the period you choose; a persistent cookie on a shared or lost device grants the same access, so keep the durations short. To set the time period before reauthentication is required:


Step 1 Click the Admin tab to display the Authentication menu, then click Management to display the Cookie Expiry panel.

Step 2 (Optional) Select the Use Persistent Cookies check box to enable sessions to persist after the browser is closed.

Step 3 Enter the duration, in the format shown in the on-screen example, before group cookies expire in the Group box.

Step 4 Enter the duration, in the format shown in the on-screen example, before user cookies expire in the User box.

Step 5 Enter the duration, in the format shown in the on-screen example, before roaming cookies expire in the Roaming box.

Step 6 Click Apply. Alternatively, navigate away from the page to abandon your changes.


Downloading Audit Reports

To download a clientless authentication audit report:


Step 1 Click the Admin tab to display the Authentication menu, then click Management to display the Download Audit Reports panel.

Step 2 Click a Period the report will cover. The available options are:

Last 5 Minutes

Last Hour

Last Day

Step 3 Click the CSV icon.


Configuring Roaming

To enable roaming users to authenticate with a specific realm, roaming must be enabled for that realm. In addition, there must be an email address associated with the user in their LDAP entry. This is used to send a one-time key to the user when they first attempt to connect to Cloud Web Security. You must also deploy the HTTPS CA certificate to each user's computer.

The first time a roaming user attempts to connect to Cloud Web Security, they will be prompted to enter their email address to retrieve a one time key. If they follow the link in the email they will be presented with a user authentication page. Alternatively, if they enter the One Time Key and Password in the relevant boxes they will be authenticated.

To configure roaming settings:


Step 1 Click the Admin tab to display the Authentication menu, then click Management, then click Configure Roaming to display the Roaming Configuration panel.

Step 2 For each realm that you want to enable roaming users to authenticate with, select the Enable Roaming check box.

Step 3 Enter the LDAP Roaming Group or click Browse and select a group from the LDAP server.

Step 4 Enter the user's LDAP Email Attribute or click Browse and select an attribute from the LDAP server.

Step 5 (Optional) To add additional LDAP attributes, click Add and enter an Attribute name and Attribute description in the boxes. You can click the Remove icon to remove additional attributes.

Step 6 Click Apply settings.


You can click Download to download the HTTPS CA certificate. This must be deployed to user browsers if you want to enable HTTPS inspection.

Configuring the User Authentication Page

Cisco Cloud Web Security displays the User Authentication page when a user that is not already authenticated attempts to connect to the service. To configure the page:


Step 1 Click the Admin tab to display the Authentication menu, then click User Messages to display the User Messages panel.

Step 2 Click Choose File and navigate to an image you want to be displayed on the page. The image can be in PNG, GIF, or JPEG format and must be no larger than 500K. It can be any pixel size you want, but you should use something appropriate for the screen size of the devices your users will connect from.

Step 3 Enter up to 1,000 characters of plain text in the Help text box.

Step 4 Enter the word or phrase you want to use in the User name text box.

Step 5 Enter the word or phrase you want to use in the Password text box.

Step 6 Enter up to 1,000 characters of plain text in the Disclaimer text box.

Step 7 Click Preview to display the User Authentication page.

Step 8 Click Apply settings to make your changes permanent. Alternatively, click Cancel to continue editing the User Authentication page or navigate away from the page to abandon your changes.


Dictionaries and Databases

Dictionaries are used with Outbound Content Control (OCC). You can import dictionaries from a file which can include words and phrases, but not regular expressions or wild cards. Dictionaries can contain a maximum of 1,000 words or phrases. File information databases enable you to block specific files. You can also import databases from a file.

Managing Dictionaries

Click the Admin tab to display the administration menus.

In the Management menu, click Dictionaries to display the Manage Dictionaries page.


Creating a New Dictionary

To create a new dictionary:


Step 1 Enter a name in the Enter new Dictionary name box.

Step 2 Click Add Dictionary.

Step 3 Edit the dictionary.


Editing a Dictionary

Click the dictionary name hyperlink to display the Edit Dictionary page.

To add an individual word or a phrase, enter the text in the Enter the words or phrases below that you wish to block box then click Add.

To remove a word or phrase, click it in the list then click Delete.

You can import words and phrases from a text file. The list must be comma-separated. For example:

the,quick,brown,fox,jumps over the,lazy dog

To import a comma-separated list of words and phrases:


Step 1 Click Browse then navigate to the file.

Step 2 Click Import.

Step 3 If the list is correct, click Confirm to add the words or phrases and return to the Edit Dictionary page. Alternatively, click Back to step 1, edit the file and repeat the import process.


Removing a Dictionary

To remove a dictionary:


Step 1 In the Manage Dictionaries page, select the check box of the dictionary to be removed.

Step 2 Click Delete Dictionaries. You will be prompted to confirm your action.


You can select multiple dictionaries to be removed.

Managing File Information Databases

To manage file information databases:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Management menu, click File Info DBs to display the Manage File Infos page.

Creating a New Database

To create a new database:


Step 1 Enter a name in the Enter new File Info DB name box.

Step 2 Click Add File Info DB.

Step 3 Edit the database.


Editing a Database

Records are added to a database by importing comma-separated lists of file information. Each entry in the list must include the file name, file size, an MD5 checksum, and an SHA-1 checksum in that order, for example:

1video.avi,37352,d97343b7ef8a00307091c6456b25c84,de9e351ebe13186770f3fc79f45733a6d595e2e1

On UNIX and UNIX-like systems, OpenSSL can be used to generate the checksum with the following commands:

openssl md5 <filename>
openssl sha1 <filename>

On Windows, the Microsoft File Checksum Integrity Verifier can be used to generate the checksum with the following commands:

fciv -md5 <filename>
fciv -sha1 <filename>

The File Checksum Integrity Verifier can be downloaded from Microsoft's website:

http://search.microsoft.com/results.aspx?q=microsoft+file+checksum+integrity+verifier
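
The following script builds import rows in the order the importer expects and checks them before you click Import. It is an added example, not part of the original guide and not ScanCenter code; it assumes a UNIX-like system where openssl md5 and openssl sha1 print "MD5(name)= <digest>" as shown above, and the file names it uses are constructed. An MD5 digest is 32 hexadecimal characters and a SHA-1 digest is 40, so the validator rejects anything else (the sample row earlier in this section has only 31 characters in its MD5 field and fails the check). Keep in mind what this database is: a list of known files to block, matched by name, size and two digests. An attacker who controls a file's content can produce MD5 or SHA-1 collisions, so treat it as a convenience blocklist rather than a tamper-proof control.

```sh
#!/bin/sh
# Added example (not ScanCenter code): build and validate File Info DB rows.
# Assumes OpenSSL's "openssl md5" / "openssl sha1" output "MD5(name)= <hex>".
set -eu

# Print one import row for a file: name,size,md5,sha1 (the order the importer expects).
fileinfo_row() {
  f=$1
  name=$(basename "$f")
  case $name in *,*) echo "skipping $name: a comma in the name breaks the CSV" >&2; return 1;; esac
  size=$(wc -c < "$f" | tr -d ' ')
  md5=$(openssl md5 "$f" | awk '{print $NF}')    # last field is the digest
  sha1=$(openssl sha1 "$f" | awk '{print $NF}')
  printf '%s,%s,%s,%s\n' "$name" "$size" "$md5" "$sha1"
}

# Check one row before import: exactly four fields, numeric size,
# 32 hex characters of MD5 and 40 of SHA-1 (openssl and fciv print lowercase).
fileinfo_validate_row() {
  IFS=, read -r name size md5 sha1 extra <<EOF
$1
EOF
  [ -n "$name" ] && [ -z "$extra" ] || return 1
  printf '%s' "$size" | grep -Eq '^[0-9]+$' || return 1
  printf '%s' "$md5"  | grep -Eq '^[0-9a-fA-F]{32}$' || return 1
  printf '%s' "$sha1" | grep -Eq '^[0-9a-fA-F]{40}$' || return 1
}

# Build a list from every regular file in a directory, dropping rows that fail validation.
fileinfo_list() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    row=$(fileinfo_row "$f") || continue
    fileinfo_validate_row "$row" && printf '%s\n' "$row"
  done
  return 0
}

# Demo on constructed files; in practice point fileinfo_list at the directory
# holding the files you want to block and redirect the output to the import file.
tmp=$(mktemp -d)
printf 'hello' > "$tmp/hello.txt"
printf 'constructed sample payload\n' > "$tmp/sample.bin"
fileinfo_list "$tmp"
rm -rf "$tmp"
```

Run fileinfo_validate_row over an existing list (one row per line) before importing it, so the importer's "cannot be validated" message never comes as a surprise.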

To import a list of file information into a database:


Step 1 Click the database name hyperlink.

Step 2 Click Browse then navigate to the file.

Step 3 Click Import. You will be notified if the file cannot be validated.

Step 4 If the list is correct, click Confirm. The imported data is displayed in a table with file name, file size, MD5 and SHA-1 checksum. Alternatively, click Back to step 1, edit the file and repeat the import process.


Removing a Database

To remove a database:


Step 1 In the Manage File Infos page, select the check box of the database to be removed.

Step 2 Click Delete File Infos. You will be prompted to confirm your action.


You can select multiple databases to be removed.

Auditing ScanCenter Use

You can generate access and activity audits for your organization's ScanCenter account. You can also configure email alerts to notify you of failed ScanCenter login attempts. You must have the correct role to be able to perform these tasks. See Role Permissions for more information on roles.

Email Alerts

To configure the email alert sent after a failed login attempt:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Audit menu, click Access Settings to display the Access Settings page.

Step 3 When a user account is locked, following a series of failed login attempts, the user is instructed to send an email to an administrator to unlock their account. Enter the administrator's email address to display in the Contact email in the login failure message box. If no address is provided, the organization super user's email address is displayed.

Step 4 Select the Enable email alerts check box to send an email whenever there is a failed login attempt.

Step 5 Enter up to five email addresses in the boxes.

Step 6 In the Max frequency box, click the number of email alerts to batch together (1 to 20).

Step 7 In the Period box, click the delay between emails in hours (1 to 24).

Step 8 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.


Access Audits

Generating an access audit enables you to see all the login attempts that have taken place in ScanCenter over a period of time, from a day up to a year.

To download an audit as a CSV file:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Audit menu, click Access Audit to display the Access Audit page.

Step 3 In the Time zone list, click a time zone. The default is UTC.

Step 4 In the Time period list, click a pre-defined time period.

The pre-defined time periods are:

Previous hour

Previous day - yesterday

Previous week - the last full week

Last n hours (12, 24, 48 or 72)

Last week - the previous seven days

Last n weeks (2 or 3)

Last month

Last n months (2, 3, 4, 5, 6, 9 or 12)

Alternatively, click Custom and enter the required start and end dates and times:

a. Enter a start date in the box or click the Calendar icon to choose a date.

b. Choose a start time using the hour and minute lists. The time is shown using the 24-hour clock.

c. Enter an end date in the box or click the Calendar icon to choose a date.

d. Choose an end time using the hour and minute lists.

Step 5 Clear the All Admins check box and click an admin user in the "or select an Admin" list. Alternatively, select the All Admins check box to include all admin users.

Step 6 Select the Unsuccessful Login check box to include unsuccessful login attempts in the audit. Alternatively, clear the check box to exclude unsuccessful login attempts.

Step 7 Select the Successful Login check box to include successful login attempts in the audit. Alternatively, clear the check box to exclude successful login attempts.

Step 8 Click Generate Audit to download the audit as a CSV (comma-separated value) file.


Activity Audits

Generating an activity audit enables you to see all the administration activity that has taken place in ScanCenter over a period of time, from a day up to a year. Audits provide a record of changes to administration, configuration, filtering, and policy. The audit is downloaded as a CSV file containing the user name, category type, action, log time, and a description for each logged event.

To download an audit:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the Audit menu, click Activity Audit to display the Activity Audit page.

Step 3 In the Time zone list, click a time zone. The default is UTC.

Step 4 In the Time period list, click a pre-defined time period.

The pre-defined time periods are:

Previous hour

Previous day - yesterday

Previous week - the last full week

Last n hours (12, 24, 48 or 72)

Last week - the previous seven days

Last n weeks (2 or 3)

Last month

Last n months (2, 3, 4, 5, 6, 9 or 12)

Alternatively, click Custom and enter the required start and end dates and times:

a. Enter a start date in the box or click the Calendar icon to choose a date.

b. Choose a start time using the hour and minute lists. The time is shown using the 24-hour clock.

c. Enter an end date in the box or click the Calendar icon to choose a date.

d. Choose an end time using the hour and minute lists.

Step 5 Clear the All Admins check box and click an admin user in the "or select an Admin" list. Alternatively, select the All Admins check box to include all admin users.

Step 6 Clear the All Categories check box and click a category in the "or select a Category" list. The available categories are:

Administration

Filtering Policy

Https Inspection

Spyware Policy

Web Virus Policy

Alternatively, select the All Categories check box to include all categories.

Step 7 Clear the All Actions check box and click an action in the "or select an Action" list. The available actions are:

INSERT

UPDATE

DELETE

Alternatively, select the All Actions check box to include all actions.

Step 8 Click Generate Audit to download the audit as a CSV (comma-separated value) file.
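
A downloaded activity audit is most useful when something runs over it regularly. The script below is an added example, not part of the original guide and not ScanCenter code. It assumes the column order given in this section (user name, category type, action, log time, description), a header row, and unquoted fields; check a real export before relying on it. Only the first four columns are positional, so a description containing commas does not disturb the fields being tested. The sample export embedded in the script is constructed. It flags DELETE actions in the two categories that change what the service inspects or blocks, summarises changes per admin, and lists changes by anyone outside an approved list, which is the check a change-control review usually wants first.

```sh
#!/bin/sh
# Added example (not ScanCenter code): triage an activity audit CSV.
# Assumed layout, from the column list in this section: user name, category type,
# action, log time, description (header row assumed, fields unquoted).
set -eu

# Rows whose action is DELETE in the categories that change what the service
# inspects or blocks. Adjust the category list to your own review policy.
audit_high_impact() {
  awk -F, '$3 == "DELETE" && ($2 == "Https Inspection" || $2 == "Filtering Policy")' "$1"
}

audit_high_impact_count() { audit_high_impact "$1" | wc -l | tr -d ' '; }

# Changes per admin and action. Matching the action against the three values
# the audit can contain skips the header row without relying on line numbers.
audit_summary() {
  awk -F, '$3 ~ /^(INSERT|UPDATE|DELETE)$/ { c[$1 " " $3]++ }
           END { for (k in c) print k, c[k] }' "$1" | sort
}

# Rows by admins not on the change-approved list ($2 = space-separated names).
audit_unexpected_admins() {
  awk -F, -v allowed=" $2 " \
    '$3 ~ /^(INSERT|UPDATE|DELETE)$/ && index(allowed, " " $1 " ") == 0' "$1"
}

# Constructed sample export (not real data) to show the functions on.
audit_sample() {
  cat <<'EOF'
User Name,Category Type,Action,Log Time,Description
alice,Https Inspection,DELETE,2013-05-01 02:13:07,Removed rule "Inspect all, except banking"
bob,Filtering Policy,UPDATE,2013-05-01 09:40:12,Changed schedule on rule Social Media
alice,Administration,INSERT,2013-05-01 09:41:55,Added admin user carol
carol,Filtering Policy,DELETE,2013-05-01 09:42:30,Deleted filter Malware Domains
bob,Web Virus Policy,UPDATE,2013-05-01 10:05:00,Enabled scanning of archives
EOF
}

# Demo: run the three checks over the sample.
sample=$(mktemp)
audit_sample > "$sample"
echo "high-impact deletes:";      audit_high_impact "$sample"
echo "changes per admin/action:"; audit_summary "$sample"
echo "changes by unapproved admins:"; audit_unexpected_admins "$sample" "alice bob"
rm -f "$sample"
```

The log time is in the time zone you selected in Step 3, so pass the same zone to whatever correlates these rows with other logs.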


Secure Traffic Inspection

When a user connects to a website via HTTPS, the session is encrypted using keys negotiated during the TLS handshake, in which the website presents a digital certificate. When secure traffic inspection is enabled, Cisco Cloud Web Security blocks connections to sites that present expired, invalid, or revoked certificates.

Secure traffic inspection decrypts and scans the HTTPS traffic passing through Cisco Cloud Web Security for threats and carries out actions based on your policy settings. If the traffic is deemed safe it is re-encrypted and passed back to your organization with a new SSL certificate.

All users must have the inspection certificate deployed to their browser as a trusted certificate authority; otherwise every inspected site produces a certificate warning. You can generate a certificate in ScanCenter with Cisco as the Certificate Authority (CA), or alternatively you can download a Certificate Signing Request (CSR) and use it with a tool such as Microsoft Certificate Services or OpenSSL to generate and upload your own certificate where your organization is the CA. The certificate is then associated with your secure traffic inspection policy.

Two changes are required on the client:

1. Proxy settings for SSL traffic must be configured in the client browser, or on your organization's firewall or gateway device.

2. The root certificate of the CA that issued the inspection certificate (Cisco's, if you generated the certificate in ScanCenter, or your organization's) must be imported into the client browser as a trusted CA, so that it accepts the re-signed certificates presented by Cisco Cloud Web Security.

Legal Disclaimer

It is your responsibility to determine if it is legal for you to inspect HTTPS traffic in your jurisdiction. Switching on this functionality will permit Cisco Cloud Web Security to inspect HTTPS traffic. While all such inspection is carried out automatically rather than by individuals, such decryption may nonetheless be in breach of privacy laws in certain countries. By enabling this functionality you agree that you have the legal right to decrypt this traffic in all relevant jurisdictions and that you have obtained all necessary consents from your users to do so.

In most jurisdictions you are required by law to inform your users that secure traffic is being inspected. It is possible to present an HTML page to the user that states that the session will be decrypted, and gives the user the option to continue or not. However, if you do this you will not be able to use the standard warning page for other purposes. To present an HTTPS warning to users:


Step 1 In Web Filtering > Notifications > User Messages, edit the Customized Warn Alert Page to display an HTTPS warning.

Step 2 In the Timeout value list, select 0.

Step 3 Clear the Include standard HTML page template for warning page check box.


Note If you also want to display warnings for non-HTTPS pages, you can select the check box and add the HTTPS warning to the standard Acceptable Usage Policy warning.


Step 4 Click Save to save your changes.

Step 5 In Web Filtering > Management > Global Settings, select the Enable HTTP/HTTPS split check box and click Save.

Step 6 In Web Filtering > Management > Filters, create HTTPS filters for the websites you want to block.

Step 7 In Web Filtering > Management > Filters, create an HTTPS filter for all categories called "HTTPS warn."

Step 8 In Web Filtering > Management > Policy, create a block rule and add the HTTPS filters for the websites you want to block.

Step 9 In Web Filtering > Management > Policy, create a warn rule and add the "HTTPS warn" filter with the anytime schedule.

Step 10 Ensure the HTTPS warn rule has a lower priority than the HTTPS block rule and then select the Activate check box for both rules.


To enable you to comply with privacy law, notice is given to the user before the SSL connection is established.

You can exclude websites from secure traffic inspection, for example banking websites. These sites will bypass secure traffic inspection and the user will be connected to the site via a direct SSL connection.


Caution To abide by privacy laws, no log record is maintained. However, you are responsible for ensuring that the content decryption and encryption takes place in a closed loop and that no content is cached.

Secure Sockets Layer Certificates

When you generate an SSL certificate in ScanCenter, Cisco will be the Certificate Authority (CA). If you want your organization to be the CA you can generate a Certificate Signing Request (CSR) in ScanCenter, use that to generate the certificate, and then upload it to ScanCenter.

To view existing certificates:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the HTTPS Inspection menu, click Certificates to display the certificates page.


Creating a Certificate in ScanCenter

To create an SSL certificate:


Step 1 Click the Create a certificate tab.

Step 2 Click the create a certificate link.

Step 3 Enter an Identifier.

Step 4 Enter a Description.

Step 5 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.


Using an Externally Generated Certificate

If you want to generate your own SSL certificates with your organization as the CA, you will need SSL software such as Microsoft Certificate Services (a component of Windows Server operating systems) or OpenSSL (a toolkit included with most UNIX and UNIX-like operating systems). If you are not familiar with SSL software you should use ScanCenter to create an SSL certificate instead.

To use an externally generated SSL certificate:


Step 1 Click the Create a certificate tab.

Step 2 Click generate a CSR?

Step 3 Enter a unique name for the CSR in the Identifier box.

Step 4 Enter a Description of the CSR.

Step 5 Click Generate to generate a CSR.

Step 6 Click Download your CSR to download the CSR.

Step 7 Generate your SSL certificate using the downloaded CSR with your SSL software. For more details refer to your SSL software vendor documentation. You have 30 minutes to create and upload the certificate.

Step 8 Click Browse and navigate to the SSL certificate you wish to associate with the CSR.

Step 9 Click Upload.
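
The following OpenSSL script covers both places in this chapter that send you to external CA tooling: creating your own CA and issuing a TLS certificate for the LDAP server (Obtaining Certificates, earlier), and signing the CSR downloaded in Step 6 above within the 30-minute window. It is an added example, not Cisco's or ScanCenter's code. It assumes OpenSSL 1.1.1 or later; the host name ldap.example.com, the CA name and the validity periods are placeholders. The two signing profiles differ deliberately: the LDAP certificate is an end-entity certificate (CA:FALSE, serverAuth) whose subjectAltName must match the Host name you enter in the realm, while the certificate for the ScanCenter CSR is signed as an issuing CA (CA:TRUE), because the service re-signs each inspected site with it; confirm the expected profile with your deployment before uploading. Because a real ScanCenter CSR cannot be fetched offline, the demo generates a constructed stand-in CSR to sign.

```sh
#!/bin/sh
# Added example (not ScanCenter code): a private CA with OpenSSL for the two
# certificate tasks in this chapter. Assumes OpenSSL 1.1.1+; names are placeholders.
set -eu

# Create a self-signed CA: $1 = working dir, $2 = CA common name.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"   # whoever holds this key can issue certificates your users trust
}

# Issue a TLS server certificate for an LDAP host: $1 = dir, $2 = host name.
# The realm's Host name must match the SAN, so the name is the only input.
issue_ldap_server_cert() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/server.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 398 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# Sign a CSR (such as the one downloaded from ScanCenter) as a subordinate CA:
# $1 = dir holding ca.crt/ca.key, $2 = CSR path, $3 = output certificate path.
sign_csr_as_subca() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' \
    > "$dir/subca.ext"
  openssl x509 -req -in "$2" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$dir/subca.ext" -out "$3" 2>/dev/null
}

# Checks worth running before upload: the certificate chains to the CA you will
# distribute, the SAN matches the realm host name, and the CA bit is what you intended.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }
is_ca_cert()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
has_san()      { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# Demo on a scratch directory with a constructed stand-in CSR.
demo() {
  d=$(mktemp -d)
  make_ca "$d" "Example Corp Internal CA"
  issue_ldap_server_cert "$d" ldap.example.com
  # Stand-in for the CSR you download from ScanCenter (constructed here).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ScanCenter HTTPS inspection" \
    -keyout "$d/standin.key" -out "$d/standin.csr" 2>/dev/null
  sign_csr_as_subca "$d" "$d/standin.csr" "$d/inspection.crt"
  if verify_chain "$d" "$d/ldap.example.com.crt" \
     && has_san "$d/ldap.example.com.crt" ldap.example.com \
     && verify_chain "$d" "$d/inspection.crt" \
     && is_ca_cert "$d/inspection.crt"; then
    status=0
  else
    status=1
  fi
  rm -rf "$d"
  return $status
}

demo && echo "both certificates verify against ca.crt"
```

Upload ca.crt (not the server certificate) as the LDAP certificate if you want ScanCenter to validate the server against your CA, and distribute the same ca.crt to browsers when the inspection certificate is signed by it.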


Editing a Certificate Description

To edit an SSL certificate description:


Step 1 Click the Edit icon.

Step 2 Enter a new Description.

Step 3 Click Save. Alternatively, navigate away from the page to abandon your changes.


Removing a Certificate

To delete an SSL certificate, click the Delete icon. You will be prompted to confirm your action.

Filters

Filters enable you to set the websites and categories that will be subject to HTTPS inspection.

To view filters:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the HTTPS Inspection menu, click Filters to display the filters page.


Creating a Filter

To create a new filter:


Step 1 Click the Create a filter tab.

Step 2 Enter a Filter name.

Step 3 Select the Active check box to make the filter active. Alternatively, clear the check box to activate the filter at another time.

Step 4 Click the Categories hyperlink.

Step 5 Select the check boxes of the required categories. You can click Select All to select all the check boxes or Deselect all to deselect all the check boxes. See Web Filtering Categories.

Step 6 Click the Domains/URLs hyperlink.

Step 7 Enter the domains or URLs to be included in the filter. Each domain or URL should appear on its own line. You can use host names and sub-domains but you must omit the protocol (https://). You can click Sort Alphabetically to sort the list.

Step 8 Click the Exceptions hyperlink.

Enter the domains or URLs to bypass the filter. Each domain or URL should appear on its own line. You can use host names and sub-domains but you must omit the protocol (https://). You can click Sort Alphabetically to sort the list.

Step 9 Click Save all settings to save your changes. Alternatively, navigate away from the page to abandon your changes.


Editing a Filter

To edit a filter:


Step 1 Click the Edit icon.

Step 2 Click the hyperlink of the settings you want to change.

Step 3 Make your changes.

Step 4 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.


Removing a Filter

To remove a filter, click the Delete icon.

Policy

Policy enables you to set the rules for applying filters.

To view your existing policy:


Step 1 Click the Admin tab to display the administration menus.

Step 2 In the HTTPS Inspection menu, click Policy to display the policy page.


You can set the priority of a rule by clicking the up and down icons in the Move column and then clicking Apply Changes.

Creating a Rule

To create a new rule:


Step 1 Click the Create a rule tab.

Step 2 Enter a rule Name.

Step 3 In the Choose certificate list click an SSL certificate.

Step 4 Click Add group.

Step 5 Enter all or part of a group name in the Search box and click Go.

Step 6 Click Select to select the group.

Step 7 Click Confirm Selection. You can click the Delete icon to remove any groups added by mistake.

Step 8 Select the Set as an exception check box to exclude the group from the rule. Alternatively, clear the check box to apply the rule to the group.

Step 9 In the Add Filter list, click a filter then click Set to set the filter. Only one filter can be set. You can click the Delete icon to remove a filter added by mistake.

Step 10 Click Create rule to save your changes. Alternatively, navigate away from the page to abandon your changes.

Step 11 You will be prompted to confirm that you are in compliance with privacy laws and have obtained consent to inspect HTTPS traffic. If this is correct, click OK. If this is not correct, you must click Cancel.


Editing a Rule

To edit a rule:


Step 1 Click the Edit icon.

Step 2 Make your changes.

Step 3 Click Save to save your changes. Alternatively, navigate away from the page to abandon your changes.

Removing a Rule

To remove a rule, click the Delete icon. You cannot remove the default rule.