Introduction
This document is for CWS customers intending to migrate to or use Umbrella services. Certain Umbrella services use HTTP/HTTPS connections, for example the Block Page, Block Page Bypass, and the Intelligent Proxy. All of these use HTTP/HTTPS requests and cannot be proxied.
Background
CWS customers may use one of the following connectors to forward requests to the CWS tower:
1. WSA Connector
2. ISR platforms
3. ASA platforms
4. CWS Native Connector
5. AnyConnect
Solution:
CWS customers need to bypass the list of IPs below at the connector level.
1. WSA Connector:
- WSA deployed in Transparent mode with WCCP redirection, or deployed in Explicit mode with a PAC file.
Configuration examples:
- WSA deployed in Transparent mode: exempt the list of Umbrella IPs in the WCCP redirect ACL.
Configuration sample: modify the WCCP redirect ACL so that the following Umbrella IP ranges are bypassed:
67.215.64.0/19
204.194.232.0/21
208.67.216.0/21
208.69.32.0/21
185.60.84.0/22
146.112.0.0/16
155.190.0.0/16
151.186.0.0/16
Access-list example on IOS (IOS named ACLs take wildcard masks, so 67.215.64.0/19 is written with 0.0.31.255, not 255.255.224.0; a "deny" in the redirect list means "do not redirect to the WSA"):
ip access-list extended wccp-traffic
 remark Do not redirect traffic destined for Umbrella; it must reach Umbrella directly
 deny ip any 67.215.64.0 0.0.31.255
 deny ip any 204.194.232.0 0.0.7.255
 deny ip any 208.67.216.0 0.0.7.255
 deny ip any 208.69.32.0 0.0.7.255
 deny ip any 185.60.84.0 0.0.3.255
 deny ip any 146.112.0.0 0.0.255.255
 deny ip any 155.190.0.0 0.0.255.255
 permit tcp any any eq www
 permit tcp any any eq 443
- WSA deployed in Explicit Proxy mode (applies to clients that have proxy auto-configuration set at the browser level):
- In Explicit Forward mode the proxy makes DNS queries on behalf of the client and rewrites the source IP, so the Umbrella resolver cannot identify the actual client IP. Therefore the client must be forced to make the DNS query itself.
- HTTP connections destined for Umbrella IP addresses must not go to the proxy, but directly to Umbrella.
- PAC file configuration example:
function FindProxyForURL(url, host) {
    // Generate the DNS request on the client so Umbrella sees the client IP
    var hostIP = dnsResolve(host);
    // If the requested IP address belongs to OpenDNS/Umbrella, return DIRECT
    if (isInNet(hostIP, "67.215.64.0", "255.255.224.0") ||
        isInNet(hostIP, "204.194.232.0", "255.255.248.0") ||
        isInNet(hostIP, "208.67.216.0", "255.255.248.0") ||
        isInNet(hostIP, "208.69.32.0", "255.255.248.0") ||
        isInNet(hostIP, "185.60.84.0", "255.255.252.0") ||
        isInNet(hostIP, "146.112.0.0", "255.255.0.0") ||
        isInNet(hostIP, "155.190.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    // DEFAULT RULE: all other traffic uses these proxies, in order
    return "PROXY <Primary_Proxy_IP>:8080; PROXY <Backup_Proxy_IP>:8080";
}
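The PAC logic above and the transparent-mode redirect ACL earlier in this section make the same decision: traffic to an Umbrella range bypasses the proxy or WCCP redirect, everything else is proxied. The Python script below is an added example, not part of this Cisco article, that mirrors that decision from the page's CIDR list, emits the entries in ASA subnet-mask form and IOS wildcard-mask form (the conversion most often done wrong by hand), and checks a (network, mask) list copied from a device ACL for prefixes it does not cover. The proxy placeholders and the 93.184.216.34 test address are constructed; PAGE_ACL_ENTRIES is the page's own seven transparent-mode entries, so the coverage check reports the one prefix from the CIDR list that those entries omit.

```python
import ipaddress

# Umbrella/OpenDNS bypass ranges, copied from the CIDR list on this page.
UMBRELLA_PREFIXES = [
    "67.215.64.0/19",
    "204.194.232.0/21",
    "208.67.216.0/21",
    "208.69.32.0/21",
    "185.60.84.0/22",
    "146.112.0.0/16",
    "155.190.0.0/16",
    "151.186.0.0/16",
]
UMBRELLA_NETWORKS = [ipaddress.ip_network(p) for p in UMBRELLA_PREFIXES]

# Placeholder proxy addresses, as in the page's PAC file (not real hosts).
DEFAULT_PROXIES = ("<Primary_Proxy_IP>:8080", "<Backup_Proxy_IP>:8080")

# Constructed sample: the seven (network, subnet mask) entries of the page's
# transparent-mode ACL, as an operator would copy them from a device.
PAGE_ACL_ENTRIES = [
    ("67.215.64.0", "255.255.224.0"),
    ("204.194.232.0", "255.255.248.0"),
    ("208.67.216.0", "255.255.248.0"),
    ("208.69.32.0", "255.255.248.0"),
    ("185.60.84.0", "255.255.252.0"),
    ("146.112.0.0", "255.255.0.0"),
    ("155.190.0.0", "255.255.0.0"),
]


def choose_route(host_ip, proxies=DEFAULT_PROXIES):
    """Mirror the PAC decision for an already-resolved host IP:
    DIRECT when the address is inside an Umbrella range, else the proxy list."""
    addr = ipaddress.ip_address(host_ip)
    if any(addr in net for net in UMBRELLA_NETWORKS):
        return "DIRECT"
    return "; ".join("PROXY " + p for p in proxies)


def asa_object_group_lines():
    """ASA object-group entries: network address followed by the subnet mask."""
    return ["network-object {} {}".format(n.network_address, n.netmask)
            for n in UMBRELLA_NETWORKS]


def ios_acl_lines():
    """IOS named-ACL deny entries: network address followed by the wildcard
    (inverse) mask, e.g. 0.0.31.255 for a /19."""
    return ["deny ip any {} {}".format(n.network_address, n.hostmask)
            for n in UMBRELLA_NETWORKS]


def uncovered_prefixes(acl_entries):
    """Return the Umbrella prefixes that no (network, mask) entry covers.
    The mask may be a subnet mask (ASA style) or a wildcard mask (IOS style);
    ipaddress accepts either form after the slash."""
    covered = [ipaddress.ip_network("{}/{}".format(net, mask))
               for net, mask in acl_entries]
    return [str(n) for n in UMBRELLA_NETWORKS
            if not any(n.subnet_of(c) for c in covered)]


if __name__ == "__main__":
    print(choose_route("208.67.222.222"))   # inside 208.67.216.0/21 -> DIRECT
    print(choose_route("93.184.216.34"))    # constructed non-Umbrella address -> proxies
    print("\n".join(ios_acl_lines()))
    print("Not covered by the page's ACL:", uncovered_prefixes(PAGE_ACL_ENTRIES))
```

Run the coverage check against the ACL actually present on the device rather than the one in a ticket: the deny entries in a WCCP redirect list and the permit entries in a CWS whitelist must both cover every prefix, or block pages for hosts in the missing range will be sent to the proxy and fail.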
2. ISR4k and ISRG2 Connector, Cloud Whitelist or Local Whitelist:
- Local Whitelist: configure an ACL and associate it under the "parameter-map type cws-tunnel global" sub-command.
- Cloud Whitelist: available if "Whitelist Download from Tower for CWS" is enabled.
Here is a configuration example:
Local Whitelisting: the following commands bypass the list of Umbrella IPs from CWS.
ISR4K configuration example (IOS named ACLs take wildcard masks):
ISR4k> enable
ISR4k# configure terminal
ISR4k(config)# parameter-map type cws-tunnel global
ISR4k(config-profile)# whitelist
ISR4k(config-cws-tun-wl)# acl name cws_whitelist
ISR4k(config-ext-nacl)# permit ip any 67.215.64.0 0.0.31.255
ISR4k(config-ext-nacl)# permit ip any 204.194.232.0 0.0.7.255
ISR4k(config-ext-nacl)# permit ip any 208.67.216.0 0.0.7.255
ISR4k(config-ext-nacl)# permit ip any 208.69.32.0 0.0.7.255
ISR4k(config-ext-nacl)# permit ip any 185.60.84.0 0.0.3.255
ISR4k(config-ext-nacl)# permit ip any 146.112.0.0 0.0.255.255
ISR4k(config-ext-nacl)# permit ip any 155.190.0.0 0.0.255.255
ISR4k(config-ext-nacl)# end
Ref: Cisco 4000 Series ISR Cloud Web Security Connector
ISRG2 configuration example (the ACL is created in configuration mode, then referenced from the content-scan whitelist):
ISRG2> enable
ISRG2# configure terminal
ISRG2(config)# ip access-list extended Whitelist
ISRG2(config-ext-nacl)# permit ip any 67.215.64.0 0.0.31.255
ISRG2(config-ext-nacl)# permit ip any 204.194.232.0 0.0.7.255
ISRG2(config-ext-nacl)# permit ip any 208.67.216.0 0.0.7.255
ISRG2(config-ext-nacl)# permit ip any 208.69.32.0 0.0.7.255
ISRG2(config-ext-nacl)# permit ip any 185.60.84.0 0.0.3.255
ISRG2(config-ext-nacl)# permit ip any 146.112.0.0 0.0.255.255
ISRG2(config-ext-nacl)# permit ip any 155.190.0.0 0.0.255.255
ISRG2(config-ext-nacl)# exit
ISRG2(config)# content-scan whitelist
ISRG2(config-cont-scan-wl)# whitelist acl name Whitelist
ISRG2(config-cont-scan-wl)# end
Ref: Cisco Integrated Services Routers Generation 2 with Cisco Cloud Web Security Solution
Cloud Whitelist: the following commands enable CWS ScanCenter to push the whitelist to the ISR4k/ISRG2.
ISRG2> enable
ISRG2# configure terminal
ISRG2(config)# parameter-map type cws global
ISRG2(config-profile)# whitelist download enable interval 20
ISRG2(config-profile)# end
Ref: Whitelist Download from Tower for Proxy Cloud Web Security
ISR4k> enable
ISR4k# configure terminal
ISR4k(config)# parameter-map type cws-tunnel global
ISR4k(config-profile)# whitelist
ISR4k(config-cws-tun-wl)# download interval 5
ISR4k(config-cws-tun-wl)# end
Ref: Cisco 4000 Series ISR Cloud Web Security Connector
In the ScanCenter portal, add the Umbrella IP ranges under Web Filtering > Management > Cloud Bypass > Add Entries to Bypass List.
3. For the ASA Connector, modify the ACL to whitelist the specific hosts or networks that should be allowed to bypass CWS.
ASA connector configuration sample (an object-group uses "network-object" entries with subnet masks, and the ACL references it with the "object-group" keyword; the "line 1" deny entries are placed ahead of the catch-all permit):
ASA# configure terminal
ASA(config)# object-group network ODNS-WHITELIST
ASA(config-network-object-group)# network-object 67.215.64.0 255.255.224.0
ASA(config-network-object-group)# network-object 204.194.232.0 255.255.248.0
ASA(config-network-object-group)# network-object 208.67.216.0 255.255.248.0
ASA(config-network-object-group)# network-object 208.69.32.0 255.255.248.0
ASA(config-network-object-group)# network-object 185.60.84.0 255.255.252.0
ASA(config-network-object-group)# network-object 146.112.0.0 255.255.0.0
ASA(config-network-object-group)# network-object 155.190.0.0 255.255.0.0
ASA(config-network-object-group)# exit
ASA(config)# access-list SCANSAFE_HTTP line 1 extended deny tcp any object-group ODNS-WHITELIST eq 80
ASA(config)# access-list SCANSAFE_HTTP extended permit tcp any any eq 80
ASA(config)# access-list SCANSAFE_HTTPS line 1 extended deny tcp any object-group ODNS-WHITELIST eq 443
ASA(config)# access-list SCANSAFE_HTTPS extended permit tcp any any eq 443
NOTE: If your firewall blocks outbound HTTP/S requests from sources other than your proxy, you must allow such requests to the IP ranges above so that your machines can reach the Umbrella block pages.
Ref:
Configuration Cisco Cloud Web Security
Video: How to configure ACL White Listing on ASA Connector
4. Native Connector: add the Umbrella exceptions to agent.properties.
Modify the exception list within the agent.properties file, located at:
Windows: %programfiles%\Connector\agent.properties
Mac: /opt/connector/agent.properties
* Also add 155.190.0.0/16 at the end of the groupofIPs-exception_pattern list.
Once you add an exception in the agent.properties file, ensure that the changes to the file are saved before restarting the Connector service.
5. AnyConnect connector for CWS:
- From ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile, and click Add to create a client profile.
- In Standalone mode on Windows, select Start > Program Files (x86) > Cisco > Cisco AnyConnect Profile Editor > Web Security Profile Editor.
- Hosted configuration XML on the ScanCenter portal.
Complete configuration guide: CWS AnyConnect Web Security Deployment Guide
Here is a configuration sample for modifying the AnyConnect Web Security profile with the Profile Editor (applicable to Windows only):
Host Exceptions:
*.opendns.com
Static Exceptions:
67.215.64.0/19
204.194.232.0/21
208.67.216.0/21
208.69.32.0/21
185.60.84.0/22
146.112.0.0/16
155.190.0.0/16
Last but not least, review this article: Using Umbrella with an HTTP proxy