[c-nsp] Cisco ScanSafe, aka Cisco Cloud Web Security

Scott Voll svoll.voip at gmail.com
Fri Dec 6 12:54:42 EST 2013


You have a couple options.

Option one, you can use the browser proxy via GPO or whatever, but this
limits you to a single Tower (it's still a cluster setup, but if that DC
goes down, you're still up a creek).

Option two is that you install the Cisco Anyconnect Client (Web security
part, there is the VPN part, and some posturing parts too, but you just
need the base and the web security).  This allows the client to check in
with all of the towers and pick the fastest response.  And there are towers
in a lot of different countries so if your users travel, it will pick the
closest, typically.  Though we did have an issue where we picked a Canada
West coast rather than a US west coast.

YMMV

Scott


On Fri, Dec 6, 2013 at 7:39 AM, Eugeniu Patrascu <eugen at imacandi.net> wrote:

> Aha, so the client determines that "hey, you need to authenticate to this
> portal first" and then is business as usual. This makes complete sense.
>
> From the discussion I was under the impression that there is no client
> installed on the machine and you push browser proxy settings through GPO
> and that's it, hence my dilemma.
>
> Regards,
> Eugeniu
>
>
> On Fri, Dec 6, 2013 at 4:51 PM, Scott Voll <svoll.voip at gmail.com> wrote:
>
>> Accept the terms of the captive portal, then all your connections go to
>> CCWS after that.  The anyconnect client is smart enough to not push the
>> traffic until it has an internet connection.  I guess unless you put it into
>> a closed state.  We have it open so that when they are out of the office
>> they can go through the portal, then be proxied.
>>
>> Hope I understood that correctly.
>>
>> Scott
>>
>>
>>
>> On Thu, Dec 5, 2013 at 11:14 PM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
>>
>>> Hi,
>>>
>>> How do you handle captive portals in hotels and other venues where you
>>> first have to log in to the portal and then have Internet access?
>>>
>>> This is my biggest woe right now in this regard with any kind of proxy
>>> settings I can push to users.
>>>
>>> Thanks,
>>> Eugeniu
>>>
>>>
>>> On Thu, Dec 5, 2013 at 10:05 PM, Scott Voll <svoll.voip at gmail.com> wrote:
>>>
>>>> We currently use CCWS (previously ScanSafe) with the Anyconnect client.
>>>> Nice solution.  Whether you're in the office or remoting from a Starbucks,
>>>> the traffic is always proxied.  We went with the solution because of a
>>>> couple reasons:
>>>>
>>>> 1. With multiple egress points on the corporate network, we didn't want to
>>>> be down if we lost a proxy server.
>>>>
>>>> 2. Corporate laptops whether in the office or at Starbucks would still be
>>>> proxied.  This helps limit our virus and malware infections, and provides
>>>> HR reports.
>>>>
>>>> 3. Split tunneling would be an option because the traffic doesn't have to
>>>> come back to your internal proxy.
>>>>
>>>> 4. Our remote home office bandwidth is very limited, so using the cloud it
>>>> provided for better use of that bandwidth.
>>>>
>>>> All in all it's a good solution.  I'm not going to tell you that we have
>>>> not had any issues, but with any new solution, there will be a couple
>>>> bruises along the way.
>>>>
>>>> YMMV
>>>>
>>>> Scott
>>>>
>>>>
>>>>
>>>> On Wed, Dec 4, 2013 at 7:53 AM, Herro91 <herro91 at gmail.com> wrote:
>>>>
>>>> > Hi,
>>>> >
>>>> > I'm doing some research on the Cisco Cloud Web Security offering, also
>>>> > known as ScanSafe.
>>>> >
>>>> > Has anyone on the lists explored Cisco's ScanSafe SaaS offering, now called
>>>> > Cisco Cloud Web Security - as a means of providing protection in the cloud
>>>> > that would potentially negate the requirement to have a full tunnel (i.e.
>>>> > allow split tunneling) for teleworkers?
>>>> >
>>>> >
>>>> > Thanks!
>>>> >
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>
>>>
>>
>

