Cisco Web Security (CWS)

Cisco Web Security (formerly ScanSafe) is a cloud-based web filtering solution. It works pretty well and integrates with AnyConnect, so travelling users will also get the policy. Here’s a basic config (on ASA).

One of the things we have to do is configure an ACL on our ASA to permit Cisco’s servers access to our Active Directory. The servers perform an LDAP lookup for the username and group membership. You can get the list of servers from your ScanSafe portal.

Best practice dictates that you create a source whitelist (i.e. your internal hosts) and a destination whitelist (i.e. public hosts).

We specifically whitelist internal sites so they will never be blocked.

Finally, we create the access list. Note that we only specify TCP 80 and TCP 443, since those are the only protocols currently supported.

Next we start the CWS configuration. The server and port that you need to enter should be provided to you by Cisco via email when you sign up for the service. The license key will also be included in that email, and it is also available in the portal. You will need to configure DNS (internal) on the ASA as well.

Our next step is to configure AAA on the ASA and have it point to our Active Directory. This example covers connecting to one server. For redundancy, configure a minimum of two.

Next we create an LDAP map. This allows us to map different AD groups to different policies. For example, if you’re a member of the ‘Users – Web Security’ group, you will be mapped to the RegularUsers policy.

Our next step is to configure the firewall for Identity. We use CDA for this. We configure the ‘user-group’ to permit/deny users to specific sites. For example, anyone that is a member of “CWS – Facebook” can access Facebook. If a user is not a member of the group, they will continue down the list and then down the CWS policy to determine an action.

Alright, we’re almost there. We need to create a class map that contains the ACLs we built earlier.

Now we configure the policy maps so we can apply them to the service policy next.

And the policy map. We can fail-open (permit all web traffic) or fail-close (deny all web traffic).

The last step is to apply the service policy to the inside interface.

We can test everything is working properly by opening a web browser and entering the URL of You should receive a page that lists your username, what groups you belong to, etc.

authUserName: CISCO\user
authenticated: true
companyName: Cisco
connectorGuid: ABC012345AB
connectorVersion: AP_ASA-x.x(x)
countryCode: US
groupNames: []
logicalTowerNumber: 1782
– CISCO\Group
userName: CISCO\user
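
An added example, not part of the original post: a small Python check that reviews a saved ASA configuration for the points made above (only TCP 80/443 in the CWS ACLs, the fail-open/fail-close choice, at least two LDAP servers, a service policy on the inside interface). The embedded configuration is constructed, and its object names and addresses are placeholders.

```python
import re

# Constructed ASA running-config excerpt (not from the original post).
# All object names (AD-LDAP, CWS-HTTP, INSIDE-POLICY, ...) are placeholders.
SAMPLE = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
access-list CWS-HTTP extended deny tcp any object-group INTERNAL-SITES eq www
access-list CWS-HTTP extended permit tcp any any eq www
access-list CWS-HTTPS extended permit tcp any any eq https
access-list CWS-HTTPS extended permit tcp any any eq 8443
class-map CWS-HTTP-CLASS
 match access-list CWS-HTTP
class-map CWS-HTTPS-CLASS
 match access-list CWS-HTTPS
policy-map INSIDE-POLICY
 class CWS-HTTP-CLASS
  inspect scansafe CWS-HTTP-MAP fail-open
 class CWS-HTTPS-CLASS
  inspect scansafe CWS-HTTPS-MAP fail-close
service-policy INSIDE-POLICY interface inside
"""

WEB_PORTS = {"80", "443", "www", "https"}  # ASA prints 80/443 as www/https

def audit(config):
    """Return review findings for the CWS settings described in the post."""
    findings = []
    # Redundancy: count hosts in server groups that use the LDAP protocol.
    ldap = set(re.findall(r"^aaa-server (\S+) protocol ldap$", config, re.M))
    hosts = re.findall(r"^aaa-server (\S+) \(\S+\) host \S+", config, re.M)
    if sum(g in ldap for g in hosts) < 2:
        findings.append("aaa: fewer than two LDAP servers configured")
    acl_of = dict(re.findall(r"^class-map (\S+)\n match access-list (\S+)", config, re.M))
    classes = re.findall(r"^ class (\S+)\n  inspect scansafe \S+ (fail-\w+)", config, re.M)
    for cls, mode in classes:
        if mode == "fail-open":
            findings.append(f"{cls}: fail-open permits all web traffic if CWS is unreachable")
        acl = acl_of.get(cls)
        if acl is None:
            findings.append(f"{cls}: no access-list match found")
            continue
        permit = rf"^access-list {re.escape(acl)} extended permit tcp .* eq (\S+)$"
        for port in re.findall(permit, config, re.M):
            if port not in WEB_PORTS:
                findings.append(f"{acl}: permits port {port}, CWS handles only TCP 80/443")
    if not re.search(r"^service-policy \S+ interface inside$", config, re.M):
        findings.append("service-policy: nothing applied to the inside interface")
    return findings
```

Run `audit()` on the text of a saved configuration; an empty list means none of the four checks fired.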