WEBVTT

0:00:02.520000 --> 0:00:07.640000
Welcome to this video on Cisco CWS connectors.

0:00:07.640000 --> 0:00:12.460000
This is going to be a real high-level introduction to connectors, so we're

0:00:12.460000 --> 0:00:15.300000
going to talk about what are connectors, so you're familiar with that

0:00:15.300000 --> 0:00:19.600000
term. And I'm going to give you just a brief overview of the four different

0:00:19.600000 --> 0:00:24.360000
types of ways you can connect to Cisco's cloud web service using connectors.

0:00:24.360000 --> 0:00:29.100000
You can have the ASA connector, a connector on a router, specifically

0:00:29.100000 --> 0:00:31.980000
an ISR G2 router.

0:00:31.980000 --> 0:00:36.340000
You can actually have the WSA itself redirect traffic to the cloud web

0:00:36.340000 --> 0:00:38.900000
security service.

0:00:38.900000 --> 0:00:42.780000
And also Cisco's AnyConnect software, which is downloadable onto actual

0:00:42.780000 --> 0:00:45.800000
end users and clients, can be a connector.

0:00:45.800000 --> 0:00:50.920000
So let's start by talking about what exactly is this thing called a connector.

0:00:50.920000 --> 0:00:55.940000
Well, a connector is just a real fancy term for some software code that

0:00:55.940000 --> 0:01:00.780000
is embedded in various different types of Cisco devices that gives that

0:01:00.780000 --> 0:01:08.360000
device the ability to redirect traffic to Cisco's cloud web security service,

0:01:08.360000 --> 0:01:09.960000
their CWS service.

0:01:09.960000 --> 0:01:15.620000
So this traffic is redirected inside of HTTP headers.

0:01:15.620000 --> 0:01:20.580000
So the idea is that your HTTP or HTTPS traffic that's coming from the

0:01:20.580000 --> 0:01:27.740000
end user, laptop, PC, whatever it is, first hits some Cisco device that

0:01:27.740000 --> 0:01:30.620000
has this connector software embedded within it.

0:01:30.620000 --> 0:01:33.440000
And we'll see a little bit more about what those four devices are.

0:01:33.440000 --> 0:01:39.140000
Once that device gets it, it adds a new HTTP header to the front end,

0:01:39.140000 --> 0:01:43.220000
giving information about, like, who's the user who originally sourced this

0:01:43.220000 --> 0:01:45.460000
device, this traffic?

0:01:45.460000 --> 0:01:48.120000
What device sourced this traffic?

0:01:48.120000 --> 0:01:53.540000
Information that CWS needs to specifically identify this flow of traffic

0:01:53.540000 --> 0:01:58.460000
from this particular user, and then it's redirected to the cloud where

0:01:58.460000 --> 0:02:02.320000
the CWS towers reside.

0:02:02.320000 --> 0:02:06.800000
So in other words, a connector is simply software embedded in a device

0:02:06.800000 --> 0:02:09.160000
that allows this redirection to happen.

0:02:09.160000 --> 0:02:13.900000
So if you buy a device that does not have a connector in it, that just

0:02:13.900000 --> 0:02:18.320000
simply means that you don't have the IOS CLI commands, or you don't have

0:02:18.320000 --> 0:02:23.700000
the GUI available to connect to the CWS service.

0:02:23.700000 --> 0:02:28.560000
So as I mentioned in the topic outline, there are four different types

0:02:28.560000 --> 0:02:30.720000
of connectors available to you.

0:02:30.720000 --> 0:02:34.980000
So if you have an ASA in your network, an Adaptive Security Appliance,

0:02:34.980000 --> 0:02:35.980000
you have a connector.

0:02:35.980000 --> 0:02:39.160000
The ASA comes with the connector built into the software.

0:02:39.160000 --> 0:02:43.860000
If you have Cisco ISR G2 routers, and we'll talk about what specific models

0:02:43.860000 --> 0:02:48.060000
of routers those are, then you have within your software the ability to

0:02:48.060000 --> 0:02:51.460000
connect to the CWS service.

0:02:51.460000 --> 0:02:53.980000
You can even have a web security appliance.

0:02:53.980000 --> 0:02:57.620000
Now, off the top of my head, I'm not sure what the benefits are for this,

0:02:57.620000 --> 0:03:03.300000
because the WSA itself provides virtually all the exact same capabilities

0:03:03.300000 --> 0:03:09.540000
and functionality as the CWS service does, but you could have the WSA

0:03:09.540000 --> 0:03:14.040000
offload its information and redirect it to CWS.

0:03:14.040000 --> 0:03:17.100000
So the WSA has a connector built into it.

0:03:17.100000 --> 0:03:21.460000
Or you could do it right on the actual end user's laptop or PC itself

0:03:21.460000 --> 0:03:25.340000
using the Cisco AnyConnect Secure Mobility client.

0:03:25.340000 --> 0:03:28.460000
That has a web security module built into it also.

0:03:28.460000 --> 0:03:32.760000
So let's just see here at a high level what these look like.

0:03:32.760000 --> 0:03:37.920000
So if you're using a Cisco ASA firewall, well, that has a connector built

0:03:37.920000 --> 0:03:42.140000
into it, so you can see here, as a user browses to a website, that browsing

0:03:42.140000 --> 0:03:44.900000
session would be sent to the firewall.

0:03:44.900000 --> 0:03:49.760000
Normally, the firewall would just send it out to the destination website,

0:03:49.760000 --> 0:03:53.380000
but in this case the firewall with the connector will add those special

0:03:53.380000 --> 0:03:59.360000
extra HTTP and HTTPS headers to it and redirect that to the cloud web

0:03:59.360000 --> 0:04:03.140000
security service.

0:04:03.140000 --> 0:04:09.640000
So within the ASA, to access that, you would start by going to the configuration

0:04:09.640000 --> 0:04:11.900000
section and going under device management.

0:04:11.900000 --> 0:04:16.640000
You can see right here there's a cloud web security section right there

0:04:16.640000 --> 0:04:18.880000
under device management.

0:04:18.880000 --> 0:04:23.200000
From there you would put in the fully qualified domain names of the various

0:04:23.200000 --> 0:04:27.660000
CWS tower locations that you want to point to, as well as your license

0:04:27.660000 --> 0:04:31.160000
keys. That information would be in there as well.

0:04:31.160000 --> 0:04:38.180000
Now the next step of this is that you would have to tell your ASA what

0:04:38.180000 --> 0:04:43.240000
traffic will be redirected to the cloud web security service.

0:04:43.240000 --> 0:04:45.600000
So that's done right here.

0:04:45.600000 --> 0:04:49.100000
You can see under configuration and firewall.

0:04:49.100000 --> 0:04:51.920000
So under configuration, firewall, you're going to add a new service policy

0:04:51.920000 --> 0:04:56.820000
rule, and you're going to tie this in with something called an inspect

0:04:56.820000 --> 0:05:01.040000
map. Not going to get into the details of that, but the inspect map will

0:05:01.040000 --> 0:05:08.140000
tie into this, and this tells what types of data should be redirected to

0:05:08.140000 --> 0:05:15.700000
CWS. Now you can also use a router instead, an ISR G2 router, and you can

0:05:15.700000 --> 0:05:20.240000
see here under supported models you've got the 800 series, 1900, 2900

0:05:20.240000 --> 0:05:22.240000
and 3900 series.

0:05:22.240000 --> 0:05:26.860000
So when you have those you have the ability also to redirect the same

0:05:26.860000 --> 0:05:30.600000
thing. So this is the connector software built into the ISR G2.

0:05:30.600000 --> 0:05:33.260000
This gets fairly complicated in this particular case.

0:05:33.260000 --> 0:05:36.740000
I'm not going to go into all the details of these commands here, but I

0:05:36.740000 --> 0:05:40.300000
just want you to sort of walk away with the impression of how much work

0:05:40.300000 --> 0:05:42.860000
is involved to get this to happen.

0:05:42.860000 --> 0:05:46.200000
So first of all you have to configure something called a parameter map,

0:05:46.200000 --> 0:05:49.200000
which is where you point it to the various towers that you're interested

0:05:49.200000 --> 0:05:53.620000
in. Specify your license, your timeout, so on and so forth, and then what

0:05:53.620000 --> 0:05:58.120000
interface will be used to redirect the traffic outbound.

0:05:58.120000 --> 0:06:00.760000
You could also configure a whitelist.

0:06:00.760000 --> 0:06:01.820000
What is a whitelist?

0:06:01.820000 --> 0:06:05.600000
A whitelist basically says, okay, if traffic matches this, like in this particular

0:06:05.600000 --> 0:06:09.020000
case you might not understand everything in this whitelist, but you can

0:06:09.020000 --> 0:06:11.560000
see *.cisco.com.

0:06:11.560000 --> 0:06:15.520000
So in this example we're saying, okay, any traffic that comes in that's

0:06:15.520000 --> 0:06:20.740000
going into anything that ends with cisco.com, let's whitelist that.

0:06:20.740000 --> 0:06:21.580000
What does that mean?

0:06:21.580000 --> 0:06:25.840000
That means don't send it to CWS, just send it directly to the destination

0:06:25.840000 --> 0:06:30.840000
website. That website is okay, it's safe, we don't need to inspect it,

0:06:30.840000 --> 0:06:32.160000
just send it on.

0:06:32.160000 --> 0:06:36.100000
So that's what a whitelist is, it's saying, hey, let's bypass Cisco CWS

0:06:36.100000 --> 0:06:39.540000
and just send it directly to the destination itself.

0:06:39.540000 --> 0:06:43.240000
So you could do that optionally if you wanted to.

0:06:43.240000 --> 0:06:50.800000
Or if you want to get really complex, you can actually go all the way

0:06:50.800000 --> 0:06:54.000000
down to the individual user authentication.

0:06:54.000000 --> 0:06:57.300000
Now this is clearly an optional step, but it allows you to actually enforce

0:06:57.300000 --> 0:07:02.920000
unique per-user policies, and it gives you granular records about what

0:07:02.920000 --> 0:07:05.760000
users are using what particular web traffic.

0:07:05.760000 --> 0:07:09.180000
So like in this particular case, if you implement this, when the user opens

0:07:09.180000 --> 0:07:13.240000
their browser and their traffic is redirected to this ISR router, what

0:07:13.240000 --> 0:07:17.000000
they'll actually see is a dialog box asking for a specific username and

0:07:17.000000 --> 0:07:20.260000
password that you've already given them in an email or something.

0:07:20.260000 --> 0:07:23.440000
Once they supply the correct credentials, they'll be authenticated by

0:07:23.440000 --> 0:07:27.860000
an LDAP server, and then they'll be allowed to submit their web requests.

0:07:27.860000 --> 0:07:34.180000
And in this way, when you go onto the Cisco, the cloud web security site,

0:07:34.180000 --> 0:07:38.660000
you can actually see detailed granular information about your individual

0:07:38.660000 --> 0:07:43.860000
users and your company, what websites they attempted to go to, what websites

0:07:43.860000 --> 0:07:48.080000
were blocked either because it broke the acceptable use policy, or maybe

0:07:48.080000 --> 0:07:50.000000
the website was trying to download malware.

0:07:50.000000 --> 0:07:54.480000
So you can see here, this gives you a clue that it's very complicated to configure

0:07:54.480000 --> 0:07:59.120000
this, but from a network administration perspective, having that granular

0:07:59.120000 --> 0:08:02.720000
level of information could be really useful.

0:08:02.720000 --> 0:08:09.840000
Of course, the WSA itself, the web security appliance, could be configured

0:08:09.840000 --> 0:08:15.320000
to use its connector software to redirect everything to the cloud web

0:08:15.320000 --> 0:08:21.140000
service. So you can see if you want to do that, here's an example within

0:08:21.140000 --> 0:08:25.980000
the initial setup of the WSA under appliance mode of operation.

0:08:25.980000 --> 0:08:31.300000
Instead of doing standard, you would select cloud web security connector.

0:08:31.300000 --> 0:08:36.060000
So you're basically here bypassing all the features that the WSA could

0:08:36.060000 --> 0:08:40.180000
provide to you locally and telling the WSA, hey, you're just basically

0:08:40.180000 --> 0:08:44.520000
going to be a box that's redirecting the traffic to a tower located in

0:08:44.520000 --> 0:08:48.840000
some data center across the cloud web.

0:08:48.840000 --> 0:08:52.600000
And here's another screenshot of where you're actually specifying what

0:08:52.600000 --> 0:08:56.400000
towers you want to use as your primary and your backup, and what do you

0:08:56.400000 --> 0:08:59.340000
want to have happen if failure happens, and you have two choices here.

0:08:59.340000 --> 0:09:04.580000
When a failure happens, failure being that, hey, the tower was inaccessible.

0:09:04.580000 --> 0:09:09.560000
Now this should rarely happen, but it is possible that when you're redirecting

0:09:09.560000 --> 0:09:13.360000
your traffic to the CWS service, that service is inaccessible.

0:09:13.360000 --> 0:09:16.460000
Maybe a route to it and the internet has been lost.

0:09:16.460000 --> 0:09:20.460000
Maybe the actual tower itself is down for maintenance or something. Should

0:09:20.460000 --> 0:09:24.240000
not happen, but in the event that you're trying to redirect something,

0:09:24.240000 --> 0:09:29.260000
whether using an ISR or using an ASA, or in this case, using the WSA as

0:09:29.260000 --> 0:09:34.420000
your connector, what happens to your traffic if it can't be redirected?

0:09:34.420000 --> 0:09:35.760000
You have two choices here.

0:09:35.760000 --> 0:09:39.400000
You can see you can either connect directly, which means just forward

0:09:39.400000 --> 0:09:43.000000
the traffic on. Let the traffic go on and we'll just forget about security

0:09:43.000000 --> 0:09:49.400000
for now, or you could say drop requests, which means until the CWS service

0:09:49.400000 --> 0:09:53.600000
is available, we're not going to let it through.

0:09:53.600000 --> 0:09:58.960000
And then lastly, you could actually implement this on the end users themselves

0:09:58.960000 --> 0:10:03.780000
if they download and use the Cisco AnyConnect client.

0:10:03.780000 --> 0:10:08.660000
So this has a built-in cloud connector and allows for split tunneling.

0:10:08.660000 --> 0:10:09.560000
What is split tunneling?

0:10:09.560000 --> 0:10:13.520000
Well, that means that you can configure this such that when the end user,

0:10:13.520000 --> 0:10:17.840000
regardless of where they are, whether it be in a coffee shop or at the

0:10:17.840000 --> 0:10:22.180000
HQ or working from home, when they're trying to get to intranet traffic,

0:10:22.180000 --> 0:10:26.880000
like their own company's websites, that traffic will go across a regular

0:10:26.880000 --> 0:10:30.260000
encrypted SSL tunnel back to corporate HQ.

0:10:30.260000 --> 0:10:37.460000
But if they're trying to get to anything else, like CNN.com, FoxNews.com,

0:10:37.460000 --> 0:10:43.540000
Google, any internet traffic, that traffic will be redirected to the CWS

0:10:43.540000 --> 0:10:46.980000
service. That's what we mean by split tunneling.

0:10:46.980000 --> 0:10:50.980000
Now, the main takeaway from here is that this connector for AnyConnect

0:10:50.980000 --> 0:10:57.500000
is only applicable for Windows and Mac OS X.

0:10:57.500000 --> 0:11:02.180000
So for example, if your user has a tablet and maybe they've installed

0:11:02.180000 --> 0:11:07.120000
AnyConnect on their iPad or their Kindle Fire tablet or something like

0:11:07.120000 --> 0:11:11.200000
that, or on their smartphone, this connector is not available in that

0:11:11.200000 --> 0:11:12.420000
particular case.

0:11:12.420000 --> 0:11:14.080000
So that's the situation.

0:11:14.080000 --> 0:11:16.780000
What you're going to need to do is configure the tablet or the smartphone

0:11:16.780000 --> 0:11:22.220000
to create a VPN tunnel back to the remote office VPN server.

0:11:22.220000 --> 0:11:26.420000
So they're going to have an SSL or IPsec tunnel going directly to the

0:11:26.420000 --> 0:11:33.320000
corporate HQ ASA, or whatever their closest remote access VPN endpoint

0:11:33.320000 --> 0:11:37.960000
is. Then once their traffic is dumped off there at the corporate headquarters

0:11:37.960000 --> 0:11:42.240000
or the remote office headquarters, then it can be redirected to a local

0:11:42.240000 --> 0:11:47.520000
WSA or redirected to an ISR G2, where it then can be sent to the cloud web

0:11:47.520000 --> 0:11:49.060000
security service.

0:11:49.060000 --> 0:11:57.060000
So that concludes this introduction to Cisco CWS connectors.

0:11:57.060000 --> 0:11:57.740000
Thank you for watching.