Overview
The Umbrella SIG supports proxy chaining and can handle all HTTP and HTTPS requests from a downstream proxy server. This guide describes how to implement a proxy chain between Cisco Secure Web Appliance (formerly Cisco WSA) and the Umbrella Secure Web Gateway (SWG), including the configuration on both the Secure Web Appliance and the SWG.
Secure Web Appliance Policy Configuration
1. Configure the SWG HTTP and HTTPS proxy addresses as the Upstream Proxy via Network>Upstream Proxy.
2. Create a bypass policy via Web Security Manager>Routing Policy that routes the URLs Umbrella recommends bypassing directly to the internet. The full list of bypassed URLs is in our documentation: Cisco Umbrella SIG User Guide: Manage Proxy Chaining
- Start by creating a new "Custom Category" via Web Security Manager>Custom and External URL Categories. The bypass policy is based on this "Custom Category."
- Next, create a new bypass routing policy by navigating to Web Security Manager>Routing Policy. Please make sure this policy is the first one as Secure Web Appliance matches the policy based on the policy order.
3. Create a new routing policy for all HTTP requests.
- In the Secure Web Appliance routing policy member definition, the protocol options are HTTP, FTP over HTTP, Native FTP, and "All others" while "All Identification Profiles" is selected. Since there is no option for HTTPS, create the routing policy for HTTPS requests separately after implementing this routing policy for all HTTP requests.
4. Create the routing policy for HTTPS requests based on the "Identification Profile." Pay attention to the order of the defined Identification Profiles, since the Secure Web Appliance uses the first Identification Profile that matches. In this example, the Identification Profile "win2k8" is an internal IP based identity.
5. Final configurations for the Secure Web Appliance Routing Policies.
- Please keep in mind that Secure Web Appliance evaluates the identities and access policies using a "top down" rule processing approach. This means that the first match made at any point in the processing results in the action taken by Secure Web Appliance.
- Additionally, identities are evaluated first. Once a client's access matches a specific identity, Secure Web Appliance checks all access policies that are configured to use the identity that matches the client's access.
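To make the top-down, first-match behaviour concrete, here is a small model of the routing-policy evaluation described in steps 2 to 5. It is an added example, not Cisco code or the appliance's actual implementation; the upstream address, the "win2k8" subnet and the bypass host suffix are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Placeholder for the SWG address configured under Network > Upstream Proxy.
UPSTREAM = "swg.upstream.invalid:80"

# Identification Profiles, evaluated top-down; "win2k8" is the internal-IP
# identity from the guide (its subnet is constructed for this example).
IDENTITIES = [("win2k8", ip_network("10.1.1.0/24"))]

@dataclass
class RoutingPolicy:
    name: str
    route: str                           # "direct" or "upstream"
    protocols: Tuple[str, ...] = ()      # e.g. ("http",); () = all protocols
    identity: Optional[str] = None       # required Identification Profile; None = all
    category: Tuple[str, ...] = ()       # Custom Category host suffixes; () = any URL

def identify(client_ip: str) -> Optional[str]:
    """First Identification Profile whose subnet contains the client, else None."""
    ip = ip_address(client_ip)
    return next((name for name, net in IDENTITIES if ip in net), None)

def in_category(host: str, suffixes: Tuple[str, ...]) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)

def route(policies, client_ip: str, url: str):
    """Top-down, first-match evaluation: returns (policy, next_hop, extra_headers)."""
    parts = urlsplit(url)
    identity = identify(client_ip)
    for p in policies:
        if p.protocols and parts.scheme not in p.protocols:
            continue
        if p.identity is not None and p.identity != identity:
            continue
        if p.category and not in_category(parts.hostname, p.category):
            continue
        if p.route == "direct":
            return p.name, parts.hostname, {}
        # SWG identifies the internal client from X-Forwarded-For, so the
        # appliance must add it when forwarding upstream.
        return p.name, UPSTREAM, {"X-Forwarded-For": client_ip}
    return "default", parts.hostname, {}  # no policy matched: direct in this model

POLICIES = [  # the order the guide prescribes: bypass first, then HTTP, then HTTPS
    RoutingPolicy("bypass", "direct", category=("bypass.example.invalid",)),
    RoutingPolicy("all_http", "upstream", protocols=("http",)),
    RoutingPolicy("https_win2k8", "upstream", protocols=("https",), identity="win2k8"),
]
```

Swapping the bypass policy below the HTTP policy makes bypass hosts go to the SWG over HTTP, which is why the guide requires the bypass policy to be first.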
Secure Web Appliance Configurations
1. X-Forwarded-For Header
- The "X-Forwarded-For" header needs to be enabled in Secure Web Appliance via Security Services > Proxy Settings in order to implement the internal IP based Web Policy in SWG.
2. Trusted Root Certificate for HTTPS decryption.
- The "Cisco Root Certificate," downloaded from the Umbrella dashboard> Deployments> Configuration, needs to be imported into the Secure Web Appliance trusted root certificates if HTTPS decryption is enabled in the Web Policy in the Umbrella dashboard.
- If the "Cisco Root Certificate" has not been imported into the Secure Web Appliance while HTTPS decryption is enabled in the SWG Web Policy, the end-user receives an error similar to the following:
- "Oops. (browser) can't load this page for some reason. (site) has a security policy called HTTP Strict Transport Security (HSTS), which means that (browser) can only connect to it securely. You can't add an exception to visit this site."
- "You are not securely connected to this site."
- In an HTTPS session decrypted by Umbrella SWG, the certificate presented to the browser is verified by the "Cisco Root Certificate," whose issuer name is "Cisco."
SWG Web Policy Configuration in Umbrella dashboard
SWG Web Policy based on internal IP
- Make sure the "X-Forwarded-For" header is enabled in the Secure Web Appliance, since SWG relies on it to identify the internal IP.
1. Register the egress IP of the Secure Web Appliance in Deployment>Networks.
2. Create an internal IP for the client machine in Deployment>Configuration>Internal Networks. Select the Secure Web Appliance egress IP registered in Step 1 after ticking "Show Networks."
3. Create a new Web Policy based on the internal IP created in Step 2.
4. Make sure the "Enable SAML" option is disabled in this Web Policy.
SWG Web Policy based on AD user/group
1. Make sure all AD users and groups are provisioned to the Umbrella dashboard.
2. Create a new Web Policy based on the registered egress IP of the Secure Web Appliance with the "Enable SAML" option enabled.
3. Create another new Web Policy based on the AD user/group with the "Enable SAML" option disabled. Place this Web Policy ahead of the Web Policy created in Step 2.