Ordering Guide
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Contents
Introduction
Getting Started
Verify Connection to a Tower
Create Authentication License Key
Download WSAv
Install the WSAv Image
Run the Service
Log On
If DHCP Is Disabled, Set Up the Appliance on the Network
Import the License
Download the WSAv CWS Connector License
Load the License
Log On to the Admin Interface
Check Feature Keys
Run the Setup Wizard
Complete the Wizard
Reconnect to the UI
Review Settings
Verify the Cloud Routing Policy
Browser Redirection
Verify Web Redirection to the Cloud
Helpful Links
Cisco Cloud Web Security: WSAv Deployment Guide
Introduction
The Cisco® Web Security Virtual Appliance (WSAv) is a software version of the Cisco Web Security Appliance
(WSA) that is available at no charge with the purchase of Cisco Cloud Web Security (CWS) software bundles and
individual licenses.
This document provides directions to redirect network traffic to CWS through the Cisco WSAv Connector.
Getting Started
You can request one virtual and one physical license per year (without hardware). After you receive the email
message with the license, you will have approximately 1 month to apply those licenses.
Note: The following instructions focus primarily on the installation of the virtual WSA on a VMware Fusion
platform and connectivity testing after you have configured the Cisco CWS connector module. The connector
configuration itself is covered only briefly; however, a video, Steps to Deploy WSA as a Connector, is available on
our website.
You may also refer to Chapter 4 in the Cisco AsyncOS for Web User Guide.
Note: We refer to our cloud proxies as “towers”. You will see the terms “proxy” and “tower” used interchangeably
throughout the document.
Verify Connection to a Tower
Site-to-tower communication uses TCP port 8080; with this method, HTTP and HTTPS requests are sent to a
cloud-scanning tower. Outbound TCP port 8080 must therefore be open for all users within the
organization. For security reasons, Cisco recommends that port 8080 outbound destinations be limited to the
scanning towers provisioned for the customer’s account.
Reference video: Verify connection to a tower
Step 1. Log on to a client computer inside your network.
Step 2. If using Windows, click Control Panel and go to Programs and Features.
Step 3. Click Turn Windows features on or off. Scroll down the list of available features until you find the Telnet
Client. Check the box and click OK. Now that the Telnet Client is installed, you can resume the test.
Step 4. Open the command-line window and type the command telnet [tower IP address] 8080. A
successful connection is noted by a blank screen and blinking cursor.
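
The telnet test above, combined with the recommendation to limit outbound port 8080 to your provisioned towers, as a scripted check (an added example, not part of the Cisco guide). The addresses are placeholders from documentation ranges, and each `controls` entry is assumed to be a host you operate that listens on port 8080 but is not a tower.

```python
import socket

TOWER_PORT = 8080  # site-to-tower port stated in the guide


def can_connect(host, port=TOWER_PORT, timeout=3.0):
    """Return True if a TCP handshake to host:port completes (the telnet test)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_egress(towers, controls, port=TOWER_PORT, probe=can_connect):
    """Check the recommended policy: towers reachable, other destinations blocked.

    towers   -- IPs of the scanning towers provisioned for the account
    controls -- hosts you operate that listen on the port but are NOT towers
    Returns a list of (host, role, reachable, ok) tuples.
    """
    results = []
    for host in towers:
        reachable = probe(host, port)
        results.append((host, "tower", reachable, reachable))
    for host in controls:
        reachable = probe(host, port)
        # A reachable control host means port 8080 egress is not restricted.
        results.append((host, "control", reachable, not reachable))
    return results


if __name__ == "__main__":
    # Placeholder addresses (documentation ranges); substitute your own.
    towers = ["192.0.2.10", "192.0.2.11"]
    controls = ["198.51.100.20"]
    for host, role, reachable, ok in audit_egress(towers, controls):
        state = "reachable" if reachable else "blocked"
        print(f"{'OK  ' if ok else 'FAIL'} {role:7} {host}:{TOWER_PORT} {state}")
```

Run it from a client computer inside your network, as in Step 1; a FAIL on a control host means the firewall allows port 8080 to destinations other than the towers.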
Create Authentication License Key
Reference video: Authentication license key creation and management
Step 1. Log on to the Cisco Cloud Web Security portal at https://scancenter.scansafe.com/.
Step 2. From the Admin tab, hover over Authentication and select the key that you want to generate.
The options are Company Key and Group Key. To have a single key for all users in the company (it can
be used in various Connectors, the AnyConnect® Secure Mobility Client, or a mixture of all), select Company
Key.
Step 3. Note that no Company Key currently exists in this account. Click Create Key to create the Company Key.
If one already exists and you don’t know the entire string (only the last four characters will be seen), then
you need to revoke it before you can create a new one. Also, if the existing Company Key is in use
anywhere (Connectors or the AnyConnect client), you must replace it with the new one.
Step 4. The key is active immediately. The email option that follows is only for the admin to have a backup of the
key. Note: After you navigate away from the page, you’ll no longer see the complete string of the key.
(Going forward, only the last 4 characters will be displayed.)
Step 5. Copy the entire alphanumeric string in the Authentication Key field and record it in a document that will
be backed up.
* Note: The second option is to create a group key by selecting Group Key under Authentication. To create a
group key, you may use an existing directory group, or you may create a custom group under Admin >
Management > Groups.
Step 6. Click Create Key, which corresponds to the group for which you are creating a key.
Download WSAv
Step 1. Download WSAv here.
Step 2. Unzip the image you downloaded.
Please refer to the Cisco Content Security Virtual Appliance Installation Guide for system requirements.
Install the WSAv Image
Step 1. Run VMware Fusion.
Step 2. Navigate to File > Import > Choose File.
Step 3. Select the .ovf file.
Step 4. Click Open > Continue.
Step 5. Save as suggested (for example, coeus-8-0-5-075-S100V).
Step 6. Wait while the importing completes, then click Finish.
Run the Service
VMware may ask you if you want to upgrade to the latest version. Click Don’t Upgrade.
Note: At this point, you may experience a significant slowdown on your machine for 10-30 minutes, as the
AsyncOS starts the service for the first time.
Log On
When you see the following screen, the WSA is ready for use.
Log on with admin/ironport.
When the virtual appliance is first powered on, the Management port gets an IP address from your DHCP host. If
the virtual appliance is unable to obtain an IP address from a DHCP server, it will use 192.168.42.42 by default.
If DHCP Is Disabled, Set Up the Appliance on the Network
Note: If you cloned the virtual security appliance image, perform the following steps for each image.
Step 1. From the vSphere client console, run interfaceconfig.
Step 2. Write down the IP address of the virtual appliance’s Management port.
Note: The Management port obtains its IP address from your DHCP server. If the appliance cannot reach a
DHCP server, it will use 192.168.42.42 by default.
Step 3. Configure the default gateway using the setgateway command.
Step 4. Commit the changes.
Note: The hostname does not update until after you have completed the setup wizard.
Import the License
From the console, note the IP address of the appliance (144.254.40.79 in this example), or use
interfaceconfig to find it.
Download the WSAv CWS Connector License
Step 1. Download the WSAv CWS Connector License. Contact your Cisco Account Team if you do not already
have a license.
Step 2. Unzip the file and open the .xml file in an editor.
Load the License
Step 1. From SSH or telnet, log on to the virtual appliance with admin/ironport. On a Mac, open the Terminal
(use PuTTY on Windows) and type ssh -l admin 144.254.40.79.
Step 2. Type Yes to continue connecting, and use ironport for the password.
Step 3. Type loadlicense and choose 1 to paste the license information via the CLI.
Step 4. Copy the entire text from the editor (IPORTBNDLFEAT201402181100180730.xml), paste it into the
CLI, and press CTRL-D when done.
Step 5. Press any key until you are at the end of the license agreement.
Step 6. Type Yes to accept the license agreement.
Log On to the Admin Interface
Log on to the web UI (http://144.254.40.79:8080) as admin/ironport.
Check Feature Keys
Step 1. Navigate to System Administration > Feature Keys.
Step 2. Ensure that the license you just imported was applied.
Following is a comparison between the virtual license and the full license, which you can request individually.
Run the Setup Wizard
Step 1. Navigate to System Administration > System Setup Wizard.
Step 2. Change the hostname (e.g., ironport.lab.com).
Step 3. Set the Time Zone.
Step 4. Continue with the Cloud Web Security Connector mode.
Complete the Wizard
Step 1. Continue through the Wizard. (Provide CWS primary and secondary proxies and the license key.)
Step 2. Click Next to continue until you reach Administrative Settings.
Step 3. Change the password.
Step 4. Provide your email address for system alerts.
Step 5. Review your configuration.
Step 6. Click Install This Configuration.
Reconnect to the UI
The system will attempt to reconnect via the host name and most likely will fail.
Provide the URL http://144.254.40.79:8080 or https://144.254.40.79:8443 to connect back to the UI.
Review Settings
You can review the Connector settings under Network > Cloud Connector.
Verify the Cloud Routing Policy
Verify the Cloud Routing Policy (under Web Security Manager) to ensure that the Cloud Web Security Proxy is
set as the Routing Destination. You should verify it automatically. If you change it to Direct Connection, you will
bypass the CWS service.
Browser Redirection
Point your browser to the WSA on port 3128.
Verify Web Redirection to the Cloud
Verify that you are browsing via the WSAv Connector to CWS by browsing to http://whoami.scansafe.net.
You should see something like this:
authUserName: 144.254.40.81
authenticated: true
companyName: Internal_DE_SDM_John Doe
connectorVersion: coeus-8-0-5-075
countryCode: GB
externalIp: 144.254.40.79
groupNames:
- WSA Connector 8.0.5 S100V
internalIp: 144.254.40.81
logicalTowerNumber: 101
staticGroupNames:
- WSA Connector 8.0.5 S100V
userName: 144.254.40.81
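
A scripted version of this verification, parsing the whoami output shown above and flagging fields that suggest traffic is not going through the connector (an added example, not part of the Cisco guide). Which fields to check, and the `expected_company` parameter, are assumptions made for illustration; the guide only says the output should look like the sample.

```python
# Output shown in the guide, embedded as sample input.
SAMPLE = """\
authUserName: 144.254.40.81
authenticated: true
companyName: Internal_DE_SDM_John Doe
connectorVersion: coeus-8-0-5-075
countryCode: GB
externalIp: 144.254.40.79
groupNames:
- WSA Connector 8.0.5 S100V
internalIp: 144.254.40.81
logicalTowerNumber: 101
staticGroupNames:
- WSA Connector 8.0.5 S100V
userName: 144.254.40.81
"""


def parse_whoami(text):
    """Parse 'key: value' lines; '- item' lines form a list under the key above."""
    fields, last_key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("- ") and last_key is not None:
            if not isinstance(fields[last_key], list):
                fields[last_key] = []
            fields[last_key].append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if sep:  # skip blank lines and anything that is not a field
            last_key = key.strip()
            fields[last_key] = value.strip()
    return fields


def check_redirection(fields, expected_company=None):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if fields.get("authenticated") != "true":
        problems.append("CWS did not authenticate the request")
    if not fields.get("connectorVersion"):
        problems.append("connectorVersion missing: no connector identified")
    if not fields.get("logicalTowerNumber"):
        problems.append("logicalTowerNumber missing: no tower identified")
    if expected_company and fields.get("companyName") != expected_company:
        problems.append("companyName mismatch: check the license key in use")
    return problems


if __name__ == "__main__":
    print(check_redirection(parse_whoami(SAMPLE)) or "redirection verified")
```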
Helpful Links
For additional information and support, log on to the WSAv landing page.
For warranty information, log on to our Product Warranties page.
Printed in USA
C07-733963-00
03/15