This document is for Cisco engineers and customers who will deploy the Cisco® Identity Services Engine (ISE) and Cisco Web Security Appliance (WSA) in their environments and wish to integrate the two solutions. ISE provides authentication, authorization, and accounting services for domain, local, and guest users and serves as an important source of information regarding the active users and devices in an environment. Enhancements to the WSA allow administrators to further leverage this information to enrich their policy configuration and enforcement.
This document covers:
● ISE domain configuration
● Deployment using certificates signed by a certificate authority
● Deployment using self-signed certificates
● WSA policy configuration using security group tags and ISE group information
Before beginning with this guide, a few basic configuration steps must be completed on the WSA as well as on the ISE. Basic network settings must be in place on both appliances (IP address, gateway, Domain Name System [DNS] and Network Time Protocol [NTP] servers), as well as any required licenses installed. The System Setup Wizard should be completed on the WSA, and all available patches should be installed on ISE. The HTTPS proxy should also be enabled and configured on the WSA in order to complete the steps that involve decryption policies.
The versions used in this guide are as follows:
WSA: 11.7.0
ISE: 2.4.0.357 Patch 4
Windows Server: 2016 Standard
The ISE Platform Exchange Grid (pxGrid) service is disabled by default. To enable this service, navigate to Administration > Deployment. Select the desired ISE node and click Edit. Check the box next to pxGrid and click Save.
The status of the pxGrid service can be checked using the show app status ise command in the Command-Line Interface (CLI):
ise/admin# show app status ise
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 14838
Database Server running 67 PROCESSES
Application Server running 20663
Profiler Database running 16320
ISE Indexing Engine running 23291
AD Connector running 24386
M&T Session Database running 16130
M&T Log Collector running 20943
M&T Log Processor running 20840
Certificate Authority Service running 24136
EST Service running 4772
SXP Engine Service disabled
Docker Daemon running 17044
TC-NAC Service disabled
Wifi Setup Helper Container disabled
pxGrid Infrastructure Service running 6297
pxGrid Publisher Subscriber Service running 6496
pxGrid Connection Manager running 6453
pxGrid Controller running 6532
PassiveID WMI Service disabled
PassiveID Syslog Service disabled
PassiveID API Service disabled
PassiveID Agent Service disabled
PassiveID Endpoint Service disabled
PassiveID SPAN Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
ISE RabbitMQ Container running 17497
The External RESTful API Service (ERS) is an API that can be queried by the WSA for group information. The ERS service is disabled by default on ISE. Once it is enabled, clients may query the API if they authenticate as members of the ERS Admin group on the ISE node. To enable the service on ISE and add an account to the correct group, follow these steps:
1. Navigate to Administration > System > Settings.
2. On the left pane, click ERS Settings.
3. Select the option Enable ERS for Read/Write.
4. Click Save and confirm with OK.
5. Navigate to Administration > System > Admin Access.
6. In the left pane, expand Administrators and click Admin Users.
7. Click Add and select Admin User from the drop-down.
8. Enter a username and password in the appropriate fields.
9. In the Admin Groups field, use the drop-down to select ERS Admin.
10. Click Submit.
ISE will need to be domain joined in order to authenticate users and provide group information to the WSA. Follow these steps to join the domain and add groups:
1. Navigate to Administrator > Identity Management > External Identity Groups.
2. In the left pane, click on Active Directory, and in the center pane, click Add.
3. Provide a name for the join point and the domain to be joined.
4. Confirm and provide credentials with permission to join the domain.
5. Verify that the domain is shown as Operational.
6. Navigate to the Groups tab and click Add > Select Groups From Directory.
7. Provide a filter for the desired group and click Retrieve Groups.
8. Check the box next to the desired group and click OK.
9. Click Save.
Certificates are central to all communication between the WSA and ISE. The pxGrid service is mutually authenticated using both a client and server certificate, and the ERS service is authenticated using a server certificate. In most cases, an administrator will have a certificate authority in their local domain that is integrated with Active Directory (AD). This section will provide steps for configuring the required certificate template for pxGrid in Windows Server 2016, as well as generating and signing the certificate signing requests.
Note: If the intention is to use the built-in certificate authority provided by the ISE node, the administrator should proceed to the next section.
Creating the pxGrid certificate template (AD)
A template must be specified when issuing a certificate from a certificate authority. The template to be used in signing the pxGrid certificates must include both Client Authentication and Server Authentication key usage parameters. The simplest way to create a template with the required parameters is to copy the built-in User template and alter the properties to fit the requirements of pxGrid. To do this using Active Directory certificate authority, follow these steps:
1. Using the Certificate Authority snap-in, click on Certificate Templates.
2. In the center pane, right-click and select Manage.
3. In the center pane, right-click on the User template and click Duplicate Template.
4. In the General tab, change the name to pxGrid or any other unique name.
5. On the Request Handling tab, uncheck Allow public key to be exported.
6. On the Extensions tab, click on Application Policies and click on Edit.
7. Click Add and add Server Authentication to the list of policies.
8. Remove any other application policies except for Server Authentication and Client Authentication.
9. On the Subject Name tab, select Supply in the request.
10. Save and close the template.
11. In the Certificate Templates snap-in, right-click and select New > Certificate Template to Issue.
12. Click the new pxGrid template and click OK.
To sign the Certificate Signing Request (CSR) with the new template, save the CSR in a directory that is accessible by the signing server and use the certreq.exe utility to sign it and save the resulting certificate. In the following example, the CSR is located at Z:\Certs\isepxGrid.csr:
certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\isepxGrid.csr
Import trusted root certificate (ISE)
The root certificate and any intermediate certificates must also be trusted by ISE in order to complete the trust chain. Follow these steps to install the root Certificate Authority (CA) certificate in the ISE Trusted Root Authorities Store:
1. Navigate to Administration > System > Certificates.
2. In the left pane, click Trusted Certificates.
3. In the center pane, click Import.
4. Click Browse to locate the CA certificate file in PEM format.
5. Optionally enter a Friendly Name to identify the certificate.
6. Ensure that both Trust for authentication with ISE and Trust for client authentication and Syslog are checked.
7. Click Submit.
Import trusted root certificate (WSA)
If the integration design uses an internal certificate authority as the root of trust for the connection between the WSA and ISE, then this root certificate must be installed on both appliances. Follow these steps to install the root CA certificate in the WSA Trusted Root Authorities Store:
1. Navigate to Network > Certificate Management > Manage Trusted Root Certificates.
2. Click on Import.
3. Use Browse to locate the certificate (in PEM format) and click Submit.
Note: If any intermediate certificates are present between the root CA and the certificates issued to clients, they must also be uploaded here.
4. Submit and Commit changes.
pxGrid certificate creation (ISE)
The pxGrid service utilizes client-side certificates for mutual authentication. Next, the client-side certificates will need to be generated and signed by the root CA. To generate the key pair and certificate signing request on ISE, follow these steps:
1. Navigate to Administration > System > Certificates.
2. In the left pane, click on Certificate Signing Requests.
3. In the center pane, click on Generate Certificate Signing Requests (CSR).
4. In the Usage section, use the drop-down menu to select pxGrid.
5. In the Node(s) section, select the desired ISE node for pxGrid services.
6. Complete the certificate fields as required and select the desired key length.
7. Click Generate and Export.
To sign the CSR with the pxGrid template, save the CSR in a directory that is accessible by the signing server and use the certreq.exe utility to sign it and save the resulting certificate. In the following example, the CSR is located at Z:\Certs\isepxGrid.csr:
certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\isepxGrid.csr
Follow the resulting prompts to save the certificate. To bind the certificate to the CSR in ISE, follow these steps:
1. Navigate to Administration > System > Certificates.
2. In the left pane, click on Certificate Signing Requests.
3. Select the CSR that was generated previously and click Bind Certificate.
4. Use Choose Certificate to locate the certificate file.
5. Optionally provide a Friendly Name.
6. Ensure that the Usage section specifies pxGrid.
7. Click Submit.
At this point, ISE should be using the CA-signed certificate for pxGrid communication. This can be confirmed by navigating to Administration > System > Certificates and clicking on System Certificates in the left pane.
ERS certificate creation (ISE)
The ERS service is accessed over a Transport Layer Security (TLS) tunnel and is authenticated with a server-side certificate. The ISE node will use the same Admin certificate that is used for its web management interface for ERS. This certificate must also be trusted by the WSA. The process for generating this certificate is the same as that documented in the previous section, with two important differences. The first difference is that Admin should be selected in the Usage section.
The second difference is that the CSR should be signed using the built-in WebServer certificate template in Windows Server:
certreq.exe -submit -attrib certificatetemplate:webserver Z:\Certs\iseAdmin.csr
pxGrid certificate creation (WSA)
In the WSA, the creation of the key pair and certificate for use by pxGrid is completed as part of the ISE services configuration. To complete the configuration, follow these steps:
1. Navigate to Network > Identity Services Engine.
2. Click Enable and Edit Settings.
3. Enter the ISE server name in the Primary ISE pxGrid Node field.
4. Click Choose File in the ISE pxGrid Node Certificate section.
5. Locate the root CA certificate in PEM format and click Upload.
Note: A common misconfiguration is to upload the ISE pxGrid certificate in this section. The root CA certificate must be uploaded to the ISE pxGrid Node Certificate field.
Note: In WSA 11.7, all references to the monitoring node have been removed from the ISE settings page. Any previous references have also been removed from the CLI.
6. You may optionally configure a secondary pxGrid node on this page.
7. In the WSA Client Certificate section, select Use Generated Certificate and Key.
8. Click Generate New Certificate and Key and complete the required certificate fields.
9. Click Download Certificate Signing Request.
Note: At this point, it is a good idea to use the Submit button to commit the changes to the ISE configuration. If the session is left to time out before the changes are submitted, the keys and certificate that were generated will be lost, even if the CSR was downloaded. Note that a Commit is not required, only a Submit.
To sign the CSR with the new template, save the CSR in a directory that is accessible by the signing server and use the certreq.exe utility to sign it and save the resulting certificate. In the following example, the CSR is located at Z:\Certs\wsapxGrid.csr:
certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\wsapxGrid.csr
Follow the resulting prompts to save the certificate. To bind the certificate to the CSR in the WSA, follow these steps:
1. Navigate to Network > Identity Services Engine.
2. Click Edit Settings.
3. In the WSA Client Certificate section, use the Choose File option to locate the file in PEM format.
4. Click Upload File.
5. Submit and Commit.
At this point, the WSA should be attempting to communicate with ISE over pxGrid. With default settings, pxGrid clients must be manually approved. To manually approve the WSA as a pxGrid client, follow these steps:
1. Navigate to Administrator > pxGrid Services.
2. Check the box next to the WSA and click Approve.
3. Confirm by clicking OK.
Additionally, it is possible to allow all certificate-authenticated clients to be auto-approved by following these steps:
1. Navigate to Administrator > pxGrid Services > Settings.
2. Check the box for Automatically approve new certificate-based accounts.
3. Click Save.
4. Confirm by clicking Yes.
Note: The auto-approve setting cannot be set if there are pending clients. Approve any pending requests before changing the setting.
Note: In WSA 11.7, there is no communication to the ISE management node. All communication occurs over pxGrid and ERS.
Configure ERS on WSA and test connectivity
1. Navigate to Network > Identity Services Engine.
2. Click Edit Settings.
3. Check the box next to Enable External Restful Service (ERS).
4. In the ERS Administrator Credentials field, enter the user information that was configured on ISE.
5. If the node is the same as the pxGrid node, check the box for Server name same as ISE pxGrid Node. Otherwise, enter the required information there.
6. Submit and Commit.
The administrator can now test the connection from the WSA to ISE over both pxGrid and ERS. This test can be run by navigating to Network > Identity Services Engine > Edit Settings and clicking on Start Test at the bottom of the page. Successful output will resemble the following:
Checking DNS resolution of ISE pxGrid Node hostname(s)...
Success: Resolved 'ise.chclasen.lab' address: 192.168.0.200
Validating WSA client certificate...
Success: Certificate validation successful
Validating ISE pxGrid Node certificate(s)...
Success: Certificate validation successful
Checking connection to ISE pxGrid Node(s)...
Trying primary PxGrid server...
Preparing TLS connection...
Completed TLS handshake with PxGrid successfully.
Trying download user-sessions...
Failure: Failed to download user-sessions.
Trying download SGT...
Able to Download 17 SGTs.
Trying connecting to primary ERS service...
Trying download user-groups...
Able to Download 9 user-groups.
Success: Connection to ISE pxGrid Node was successful
Test completed successfully.
The status of the pxGrid and ERS connection as well as a list of Security Group Tags (SGTs) and groups that have been pulled from ISE can be checked using the isedata CLI subcommands:
● STATISTICS - Show the ISE server status and ISE statistics.
● CACHE - Show the ISE cache or check an IP address.
● SGTS - Show the ISE Secure Group Tag (SGT) table.
● GROUPS - Show the ISE Groups table.
If the administrator does not wish to use an in-house certificate authority, it is possible to complete the configuration using the built-in self-signed certificate provided by ISE. This is done by leveraging the built-in certificate authority on the ISE node. This section is not necessary if the previous section was used to install CA-signed certificates.
pxGrid certificate creation (WSA)
The pxGrid service utilizes client-side certificates for mutual authentication. ISE provides a means to generate a PKCS12 file that contains the ISE certificate chain, as well as the key pair and certificate to be used by the WSA pxGrid client. To generate this file and extract the key and certificates, follow these steps:
1. On ISE, navigate to Administrator > pxGrid > Certificates.
2. In the I want to field, use the drop-down to choose Generate a single certificate (without a certificate signing request).
3. Complete the certificate fields as required.
4. In the Certificate Download Format section, use the drop-down to choose PKCS12 Format.
5. Enter a password.
6. Unzip the archive file that is downloaded.
7. Use OpenSSL to extract the certificates and private key from the PKCS12 file (in the example, the file is wsa2.p12).
Extract the ISE CA certificate chain:
openssl pkcs12 -in wsa2.p12 -cacerts -nokeys -out ise-ca.cer
Extract the WSA pxGrid certificate:
openssl pkcs12 -in wsa2.p12 -clcerts -nokeys -out wsa2.cer
Extract the WSA pxGrid private key (the -nodes option writes the key to wsa2.key without encryption):
openssl pkcs12 -in wsa2.p12 -nocerts -nodes -out wsa2.key
8. On the WSA, navigate to Network > Certificate Management > Manage Trusted Root Certificates.
9. Click on Import.
10. Use Browse to locate the ISE CA certificate chain and click Submit.
11. Navigate to Network > Identity Services Engine.
12. Click Edit Settings.
13. In the WSA Client Certificate section, use the Choose File options to locate the exported key and certificate.
14. Click Upload Files.
15. Submit and Commit.
Note: In WSA 11.7, all references to the monitoring node have been removed from the ISE settings page. Any previous references have also been removed from the CLI.
Testing connectivity to pxGrid and ERS
At this point, the WSA should be attempting to communicate with ISE over pxGrid. With default settings, pxGrid clients must be manually approved. To manually approve the WSA as a pxGrid client, follow these steps:
1. Navigate to Administrator > pxGrid Services.
2. Check the box next to the WSA and click Approve.
3. Confirm by clicking OK.
Additionally, it is possible to allow all certificate-authenticated clients to be auto-approved by following these steps:
1. Navigate to Administrator > pxGrid Services > Settings.
2. Check the box for Automatically approve new certificate-based accounts.
3. Click Save.
4. Confirm by clicking Yes.
Note: The auto-approve setting cannot be set if there are pending clients. Approve any pending requests before changing the setting.
Note: In WSA 11.7, there is no communication to the ISE management node. All communication occurs over pxGrid and ERS.
The WSA can use SGT information learned via the pxGrid connection to ISE as well as group information learned using the ERS service in both decryption policies and access policies. Both criteria can be configured in a single policy, but it is important to note that the version of the WSA that was used in the creation of this guide (11.7.0) will match on either SGT OR AD group. This is an important distinction because it represents a slight deviation in policy matching as compared with previous versions. This is only applicable if both an SGT and an AD group are configured in a policy.
The policy matching behavior is explained below, depending on what elements are configured (AD group, user, or SGT):
AD groups and users: No change to previous behavior; the policy will be matched if the user is a member of the group, OR the user is specified in the policy.
SGT and AD groups and users: The policy will be matched if the user is associated with the SGT AND is a member of the AD group, OR the user is specified in the policy.
SGT and users: The policy will be matched if the user is associated with the SGT OR the user is specified in the policy.
In order to use security group tags or ISE group information in the WSA policies, an identification profile must first be created that utilizes ISE as a means to transparently identify users. To create such a policy, follow the steps below:
1. Navigate to Web Security Manager > Identification Profiles.
2. Click Add Identification Profile.
3. Name the profile appropriately.
4. In the Identification and Authentication section, use the drop-down to choose Transparently identify users with ISE.
5. Submit and Commit.
Once the identification profile has been created, the decryption policies can be configured to use this profile and to use SGT or group information. To configure a decryption policy to use those attributes, follow the steps below:
1. Navigate to Web Security Manager > Decryption Policies.
2. Click Add Policy.
3. Name the profile appropriately.
4. In the Identification Profiles and Users section, use the drop-down to choose Select One or More Identification Profiles.
5. In the Identification Profiles section, use the drop-down to choose the name of the ISE identification profile.
6. In the Authorized Users and Groups section, select the radio button next to Selected Groups and Users.
7. Click the hyperlink next to ISE Secure Group Tags.
Note: In instances where AD authentication is used in addition to transparent ISE authentication, there will be two distinct types of groups that may be configured in a policy element. One will be named “Groups” and represents AD groups that are obtained through the authentication realms configured on the WSA. The other will be named “ISE Groups” and represents groups obtained from ISE.
8. In the Secure Group Tag Search section, check the box to the right of the desired SGT and click Add.
9. Click Done to return.
10. Click the hyperlink next to ISE Groups.
11. Highlight the desired group in the search pane and click Add.
12. Click Done to return.
13. Both the selected SGT and group will now be present in the policy.
14. Submit and Commit.
SGT and group information can also be employed in access policies. To configure an access policy to use those attributes, follow the steps below:
1. Navigate to Web Security Manager > Access Policies.
2. Click Add Policy.
3. Name the profile appropriately.
4. In the Identification Profiles and Users section, use the drop-down to choose Select One or More Identification Profiles.
5. Click the hyperlink next to ISE Secure Group Tags.
Note: In instances where AD authentication is used in addition to transparent ISE authentication, there will be two distinct types of groups that may be configured in a policy element. One will be named “Groups” and represents AD groups that are obtained through the authentication realms configured on the WSA. The other will be named “ISE Groups” and represents groups obtained from ISE.
6. In the Secure Group Tag Search section, check the box to the right of the desired SGT and click Add.
7. Click Done to return.
8. Click the hyperlink next to ISE Groups.
9. Highlight the desired group in the search pane and click Add.
10. Click Done to return.
11. Both the selected SGT and group will now be present in the policy.
12. Submit and Commit.
In order to confirm that the configured policies have taken effect, the administrator may examine the access logs to ensure that traffic is being matched accordingly. Additional custom fields can be added to this log to indicate group membership and authentication method. In WSA 11.7, there is a new custom field (%X#11#) that denotes the SGT associated with the user. The following table describes the three custom fields that are most relevant to ISE authentication:
Format specifier in access logs | Description
%g | The groups associated with a transaction. Example: “domain.lan/Domain Users”
%m | The authentication mechanism used on the transaction. Example: SSO_TUI
%X#11# | The number representing the Security Group Tag associated with an authenticated user. Example: 4
The full list of available custom fields is available in the WSA GUI at System Administration > Log Subscriptions > accesslogs > Custom Fields Reference.
Example access log entry with the %g, %m, and %X#11# custom fields (the last three values in the entry):
1543519369.674 205 192.168.0.50 TCP_MISS/200 5258 GET http://www.blue.com/ "cisco" DIRECT/www.blue.com text/html DEFAULT_CASE_12-DefaultGroup-ISE_Auth-NONE-NONE-NONE-DefaultGroup-NONE <IW_pers,-3.0,1,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,IW_pers,-,"Unknown","Personal Sites","-","Unknown","Unknown","-","-",205.19,0,-,"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-> - "chclasen.lab/Builtin/Users,chclasen.lab/Users/Domain Users" SSO_ISE 4
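The following added example (not part of the original guide and not Cisco tooling) parses access log entries such as the one above and lists transactions that did not receive an ISE identity. It assumes the custom fields were appended in the order %g %m %X#11#, as in the sample; the second log line, its values, and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Head of an access log line: timestamp, elapsed ms, client IP, result code,
# bytes, method, URL, then the user name (quoted, or "-" when unidentified).
HEAD_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+\S+\s+'
    r'(?P<user>"[^"]*"|\S+)\s'
)
# ACL decision tag: the token immediately before the "<...>" verdict block.
ACL_RE = re.compile(r'\s(?P<acl>\S+)\s+<')
# Tail, anchored at end of line. Assumption: the custom fields are appended in
# the order %g %m %X#11#, as in the guide's sample entry.
TAIL_RE = re.compile(r'\s(?P<groups>"[^"]*"|-)\s+(?P<mech>\S+)\s+(?P<sgt>\d+|-)\s*$')

# Sample entry copied from the guide.
PAGE_SAMPLE = (
    '1543519369.674 205 192.168.0.50 TCP_MISS/200 5258 GET http://www.blue.com/ '
    '"cisco" DIRECT/www.blue.com text/html '
    'DEFAULT_CASE_12-DefaultGroup-ISE_Auth-NONE-NONE-NONE-DefaultGroup-NONE '
    '<IW_pers,-3.0,1,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,IW_pers,-,'
    '"Unknown","Personal Sites","-","Unknown","Unknown","-","-",205.19,0,-,'
    '"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-> - '
    '"chclasen.lab/Builtin/Users,chclasen.lab/Users/Domain Users" SSO_ISE 4'
)
# Constructed entry (not from the guide): a client with no ISE identity.
# The "NONE" mechanism and "-" placeholders are assumed values.
CONSTRUCTED_UNIDENTIFIED = (
    '1543519401.120 88 192.168.0.77 TCP_MISS/200 1204 GET http://www.blue.com/ '
    '- DIRECT/www.blue.com text/html DEFAULT_CASE_12-DefaultGroup-DefaultGroup-'
    'NONE-NONE-NONE-DefaultGroup-NONE <IW_pers,-3.0,1,"-",-> - "-" NONE -'
)


@dataclass
class AccessLogEntry:
    timestamp: float
    client_ip: str
    user: Optional[str]
    acl_tag: str
    groups: List[str]
    mechanism: str
    sgt: Optional[int]


def _unquote(value: str) -> Optional[str]:
    """Strip surrounding quotes; treat "" and "-" as 'no value'."""
    value = value.strip('"')
    return None if value in ("", "-") else value


def parse_line(line: str) -> Optional[AccessLogEntry]:
    """Parse one entry; return None if the line lacks the expected shape."""
    line = line.rstrip("\n")
    head = HEAD_RE.match(line)
    tail = TAIL_RE.search(line)
    if head is None or tail is None or tail.start() < head.end():
        return None
    acl = ACL_RE.search(line, head.end() - 1, tail.start() + 1)
    # Group names may contain spaces ("Domain Users"), so split the quoted
    # %g value on commas only, never on whitespace.
    raw_groups = _unquote(tail["groups"])
    groups = [g.strip() for g in raw_groups.split(",")] if raw_groups else []
    return AccessLogEntry(
        timestamp=float(head["ts"]),
        client_ip=head["client"],
        user=_unquote(head["user"]),
        acl_tag=acl["acl"] if acl else "",
        groups=groups,
        mechanism=tail["mech"],
        sgt=int(tail["sgt"]) if tail["sgt"].isdigit() else None,
    )


def parse_log(lines: Iterable[str]) -> List[AccessLogEntry]:
    """Parse many lines, skipping any that do not match."""
    return [e for e in map(parse_line, lines) if e is not None]


def not_ise_identified(entries: Iterable[AccessLogEntry]) -> List[AccessLogEntry]:
    """Entries that were not identified through ISE or carry no SGT."""
    return [e for e in entries if e.mechanism != "SSO_ISE" or e.sgt is None]


if __name__ == "__main__":
    for e in not_ise_identified(parse_log([PAGE_SAMPLE, CONSTRUCTED_UNIDENTIFIED])):
        print(f"{e.client_ip}: mechanism={e.mechanism} sgt={e.sgt} acl={e.acl_tag}")
```

Clients listed by not_ise_identified are the ones to look up with the isedata cache subcommand when a policy based on an SGT or ISE group does not match as expected.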
Information about the ISE engine in the WSA is found in the ise_service_log. When troubleshooting, it can be useful to change the logging level for this log to debug.
The isedata CLI command provides various subcommands for verifying the status of the ISE connection as well as the state of the authentication cache. Below are examples of the output of these commands:
>isedata
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> statistics
PxGrid Connection Status: CONNECTED
PxGrid Hostname: ise.chclasen.lab
PxGrid Time of Connection: 2018-11-30T13:42:27.377060
ERS Connection Status: CONNECTED
ERS Hostname: ise.chclasen.lab:9060
ERS Time of Connection: 2018-11-29T16:23:50.302516
Session Bulk Download: 1
Group Bulk Download: 1
SGT Bulk Download: 18
Session Update: 0
Group Update: 0
Memory Allocation: 105
Memory Deallocation: 34
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> cache
Choose the operation you want to perform:
- SHOW - Show the ISE ID cache.
- CHECKIP - Query the local ISE cache for an IP address
[]> show
IP Name SGT#
192.168.10.50 cisco 4
Choose the operation you want to perform:
- SHOW - Show the ISE ID cache.
- CHECKIP - Query the local ISE cache for an IP address
[]>
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> sgts
SGT# SGT Name SGT Description
65535 ANY Any Security Group
13 Test_Servers Test Servers Security Group
3 Network_Services Network Services Security Group
7 Production_Users Production User Security Group
10 Point_of_Sale_Systems Point of Sale Security Group
11 Production_Servers Production Servers Security Group
8 Developers Developer Security Group
12 Development_Servers Development Servers Security Group
4 Employees Employee Security Group
15 BYOD BYOD Security Group
5 Contractors Contractor Security Group
255 Quarantined_Systems Quarantine Security Group
9 Auditors Auditor Security Group
2 TrustSec_Devices TrustSec Devices Security Group
0 Unknown Unknown Security Group
14 PCI_Servers PCI Servers Security Group
6 Guests Guest Security Group
16 Windows10
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]>groups
GROUPS#
chclasen.lab/Users/Domain Users
chclasen.lab/Users/Contractors
GuestType_Weekly (default)
OWN_ACCOUNTS (default)
GROUP_ACCOUNTS (default)
GuestType_SocialLogin (default)
Employee
GuestType_Daily (default)
GuestType_Contractor (default)
ALL_ACCOUNTS (default)
The Cisco Identity Services Engine serves as a valuable tool for user authentication, authorization, and accounting. Integrating ISE with the Cisco Web Security Appliance enables an administrator to leverage the wealth of user identity information available over pxGrid and the ERS API to enrich their policy enforcement and reporting. This guide has covered the basic configuration of both ISE and the WSA to allow for this exchange of information using both CA-signed and self-signed certificates. It has also explained the basic WSA policy configuration and verification steps required to leverage the integrated solution. The administrator should have all of the tools required to confidently deploy the solution and configure the required policy elements to meet their needs.