Web Security Appliance and Identity Services Engine Integration Guide

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.



Contents

About this document (page 3)
Prerequisites (page 4)
Enable pxGrid on ISE (page 4)
Enabling ERS (ISE) (page 6)
Joining the domain (ISE) (page 7)
CA-signed certificates (page 9)
Creating the pxGrid certificate template (AD) (page 9)
Import trusted root certificate (ISE) (page 13)
Import trusted root certificate (WSA) (page 14)
pxGrid certificate creation (ISE) (page 14)
ERS certificate creation (ISE) (page 17)
pxGrid certificate creation (WSA) (page 17)
Configure ERS on WSA and test connectivity (page 20)
Self-signed certificates (page 22)
pxGrid certificate creation (WSA) (page 22)
Testing connectivity to pxGrid and ERS (page 23)
WSA policy configuration (page 24)
Identification profile (page 25)
Decryption policy (page 25)
Access policy (page 27)
Verification (page 30)
Conclusion (page 33)


About this document

This document is for Cisco engineers and customers who will deploy the Cisco® Identity Services Engine (ISE) and Cisco Web Security Appliance (WSA) in their environments and wish to integrate the two solutions. ISE provides authentication, authorization, and accounting services for domain, local, and guest users and serves as an important source of information regarding the active users and devices in an environment. Enhancements to the WSA allow administrators to further leverage this information to enrich their policy configuration and enforcement.

This document covers:

● ISE domain configuration

● Deployment using certificates signed by a certificate authority

● Deployment using self-signed certificates

● WSA policy configuration using security group tags and ISE group information


Prerequisites

Before beginning with this guide, a few basic configuration steps must be completed on the WSA as well as on the ISE. Basic network settings must be in place on both appliances (IP address, gateway, Domain Name System [DNS] and Network Time Protocol [NTP] servers), as well as any required licenses installed. The System Setup Wizard should be completed on the WSA, and all available patches should be installed on ISE. The HTTPS proxy should also be enabled and configured on the WSA in order to complete the steps that involve decryption policies.

The versions used in this guide are as follows:

WSA: 11.7.0

ISE: 2.4.0.357 Patch 4

Windows Server: 2016 Standard

Enable pxGrid on ISE

The ISE Platform Exchange Grid (pxGrid) service is disabled by default. To enable this service, navigate to Administration > Deployment. Select the desired ISE node and click Edit. Check the box next to pxGrid and click Save.


The status of the pxGrid service can be checked using the show app status ise Command-Line Interface (CLI) command:

ise/admin# show app status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          14838
Database Server                        running          67 PROCESSES
Application Server                     running          20663
Profiler Database                      running          16320
ISE Indexing Engine                    running          23291
AD Connector                           running          24386
M&T Session Database                   running          16130
M&T Log Collector                      running          20943
M&T Log Processor                      running          20840
Certificate Authority Service          running          24136
EST Service                            running          4772
SXP Engine Service                     disabled
Docker Daemon                          running          17044
TC-NAC Service                         disabled
Wifi Setup Helper Container            disabled
pxGrid Infrastructure Service          running          6297
pxGrid Publisher Subscriber Service    running          6496
pxGrid Connection Manager              running          6453
pxGrid Controller                      running          6532
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE RabbitMQ Container                 running          17497


Enabling ERS (ISE)

The External RESTful API Service (ERS) is an API that can be queried by the WSA for group information. The ERS service is disabled by default on ISE. Once it is enabled, clients may query the API if they authenticate as members of the ERS Admin group on the ISE node. To enable the service on ISE and add an account to the correct group, follow these steps:

1. Navigate to Administration > System > Settings.

2. On the left pane, click ERS Settings.

3. Select the option Enable ERS for Read/Write.

4. Click Save and confirm with OK.

5. Navigate to Administration > System > Admin Access.

6. In the left pane, expand Administrators and click Admin Users.

7. Click Add and select Admin User from the drop-down.


8. Enter a username and password in the appropriate fields.

9. In the Admin Groups field, use the drop-down to select ERS Admin.

10. Click Submit.

Joining the domain (ISE)

ISE will need to be domain joined in order to authenticate users and provide group information to the WSA. Follow these steps to join the domain and add groups:

1. Navigate to Administration > Identity Management > External Identity Groups.


2. In the left pane, click on Active Directory, and in the center pane, click Add.

3. Provide a name for the join point and the domain to be joined.

4. Confirm and provide credentials with permission to join the domain.

5. Verify that the domain is shown as Operational.

6. Navigate to the Groups tab and click Add > Select Groups From Directory.

7. Provide a filter for the desired group and click Retrieve Groups.

8. Check the box next to the desired group and click OK.

9. Click Save.


CA-signed certificates

Certificates are central to all communication between the WSA and ISE. The pxGrid service is mutually authenticated using both a client and a server certificate, and the ERS service is authenticated using a server certificate. In most cases, an administrator will have a certificate authority in their local domain that is integrated with Active Directory (AD). This section provides steps for configuring the required certificate template for pxGrid in Windows Server 2016, as well as generating and signing the certificate signing requests.

Note: If the intention is to use the built-in certificate authority provided by the ISE node, the administrator should proceed to the next section.

Creating the pxGrid certificate template (AD)

A template must be specified when issuing a certificate from a certificate authority. The template to be used in signing the pxGrid certificates must include both Client Authentication and Server Authentication key usage parameters. The simplest way to create a template with the required parameters is to copy the built-in User template and alter the properties to fit the requirements of pxGrid. To do this using Active Directory certificate authority, follow these steps:

1. Using the Certificate Authority snap-in, click on Certificate Templates.

2. In the center pane, right-click and select Manage.


3. In the center pane, right-click on the User template and click Duplicate Template.

4. In the General tab, change the name to pxGrid or any other unique name.


5. On the Request Handling tab, uncheck Allow public key to be exported.

6. On the Extensions tab, click on Application Policies and click on Edit.

7. Click Add and add Server Authentication to the list of policies.

8. Remove any other application policies except for Server Authentication and Client Authentication.


9. On the Subject Name tab, select Supply in the request.

10. Save and close the template.

11. In the Certificate Templates snap-in, right-click and select New > Certificate Template to Issue.


12. Click the new pxGrid template and click OK.

To sign the Certificate Signing Request (CSR) with the new template, save the CSR in a directory that is accessible by the signing server and use the certreq.exe utility to sign it and save the resulting certificate. In the following example, the CSR is located at Z:\Certs\isepxGrid.csr:

certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\isepxGrid.csr

Import trusted root certificate (ISE)

The root certificate and any intermediate certificates must also be trusted by ISE in order to complete the trust chain. Follow these steps to install the root Certificate Authority (CA) certificate in the ISE Trusted Root Authorities Store:

1. Navigate to Administration > System > Certificates.

2. In the left pane, click Trusted Certificates.

3. In the center pane, click Import.

4. Click Browse to locate the CA certificate file in PEM format.

5. Optionally enter a Friendly Name to identify the certificate.

6. Ensure that both Trust for authentication with ISE and Trust for client authentication and Syslog are checked.

7. Click Submit.


Import trusted root certificate (WSA)

If the integration design uses an internal certificate authority as the root of trust for the connection between the WSA and ISE, then this root certificate must be installed on both appliances. Follow these steps to install the root CA certificate in the WSA Trusted Root Authorities Store:

1. Navigate to Network > Certificate Management > Manage Trusted Root Certificates.

2. Click on Import.

3. Use Browse to locate the certificate (in PEM format) and click Submit.

Note: If any intermediate certificates are present between the root CA and the certificates issued to clients, they must also be uploaded here.

4. Submit and Commit changes.

pxGrid certificate creation (ISE)

The pxGrid service utilizes client-side certificates for mutual authentication. Next, the client-side certificates will need to be generated and signed by the root CA. To generate the key pair and certificate signing request on ISE, follow these steps:

1. Navigate to Administration > System > Certificates.

2. In the left pane, click on Certificate Signing Requests.

3. In the center pane, click on Generate Certificate Signing Requests (CSR).

4. In the Usage section, use the drop-down menu to select pxGrid.


5. In the Node(s) section, select the desired ISE node for pxGrid services.

6. Complete the certificate fields as required and select the desired key length.

7. Click Generate and Export.

To sign the CSR with the pxGrid template, save the CSR in a directory that is accessible by the signing server and use the certreq.exe utility to sign it and save the resulting certificate. In the following example, the CSR is located at Z:\Certs\isepxGrid.csr:

certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\isepxGrid.csr

Follow the resulting prompts to save the certificate. To bind the certificate to the CSR in ISE, follow these steps:

1. Navigate to Administration > System > Certificates.

2. In the left pane, click on Certificate Signing Requests.

3. Select the CSR that was generated previously and click Bind Certificate.

4. Use Choose Certificate to locate the certificate file.

5. Optionally provide a Friendly Name.


6. Ensure that the Usage section specifies pxGrid.

7. Click Submit.

At this point, ISE should be using the CA-signed certificate for pxGrid communication. This can be confirmed by navigating to Administration > System > Certificates and clicking on System Certificates in the left pane.


ERS certificate creation (ISE)

The ERS service is accessed over a Transport Layer Security (TLS) tunnel and is authenticated with a server-side certificate. The ISE node will use the same Admin certificate that is used for its web management interface for ERS. This certificate must also be trusted by the WSA. The process for generating this certificate is the same as that documented in the previous section, with two important differences. The first difference is that Admin should be selected in the Usage section.

The second difference is that the CSR should be signed using the built-in WebServer certificate template in Windows Server:

certreq.exe -submit -attrib certificatetemplate:webserver Z:\Certs\iseAdmin.csr

pxGrid certificate creation (WSA)

In the WSA, the creation of the key pair and certificate for use by pxGrid is completed as part of the ISE services configuration. To complete the configuration, follow these steps:

1. Navigate to Network > Identity Services Engine.

2. Click Enable and Edit Settings.

3. Enter the ISE server name in the Primary ISE pxGrid Node field.

4. Click Choose File in the ISE pxGrid Node Certificate section.


5. Locate the root CA certificate in PEM format and click Upload.

Note: A common misconfiguration is to upload the ISE pxGrid certificate in this section. The root CA certificate must be uploaded to the ISE pxGrid Node Certificate field.

Note: In WSA 11.7, all references to the monitoring node have been removed from the ISE settings page. Any previous references have also been removed from the CLI.

6. You may optionally configure a secondary pxGrid node on this page.

7. In the WSA Client Certificate section, select Use Generated Certificate and Key.

8. Click Generate New Certificate and Key and complete the required certificate fields.


9. Click Download Certificate Signing Request.

Note: At this point, it is a good idea to use the Submit button to save the changes to the ISE settings. If the session is left to time out before the changes are submitted, the keys and certificate that were generated will be lost, even if the CSR was downloaded. A Commit is not required at this stage, only a Submit.

To sign the CSR with the new template, save the CSR in a directory that is accessible by the signing server and use the certreq.exe utility to sign it and save the resulting certificate. In the following example, the CSR is located at Z:\Certs\wsapxGrid.csr:

certreq.exe -submit -attrib certificatetemplate:pxgrid Z:\Certs\wsapxGrid.csr

Follow the resulting prompts to save the certificate. To bind the certificate to the CSR in the WSA, follow these steps:

1. Navigate to Network > Identity Services Engine.

2. Click Edit Settings.

3. In the WSA Client Certificate section, use the Choose File option to locate the file in PEM format.

4. Click Upload File.

5. Submit and Commit.


At this point, the WSA should be attempting to communicate with ISE over pxGrid. With default settings, pxGrid clients must be manually approved. To manually approve the WSA as a pxGrid client, follow these steps:

1. Navigate to Administration > pxGrid Services.

2. Check the box next to the WSA and click Approve.

3. Confirm by clicking OK.

Additionally, it is possible to allow all certificate-authenticated clients to be auto-approved by following these steps:

1. Navigate to Administration > pxGrid Services > Settings.

2. Check the box for Automatically approve new certificate-based accounts.

3. Click Save.

4. Confirm by clicking Yes.

Note: The auto-approve setting cannot be set if there are pending clients. Approve any pending requests before changing the setting.

Note: In WSA 11.7, there is no communication to the ISE management node. All communication occurs over pxGrid and ERS.

Configure ERS on WSA and test connectivity

1. Navigate to Network > Identity Services Engine.

2. Click Edit Settings.

3. Check the box next to Enable External Restful Service (ERS).

4. In the ERS Administrator Credentials field, enter the user information that was configured on ISE.

5. If the node is the same as the pxGrid node, check the box for Server name same as ISE pxGrid Node. Otherwise, enter the required information there.


6. Submit and Commit.

The administrator can now test the connection from the WSA to ISE over both pxGrid and ERS. This test can be run by navigating to Network > Identity Services Engine > Edit Settings and clicking on Start Test at the bottom of the page. Successful output will resemble the following:

Checking DNS resolution of ISE pxGrid Node hostname(s)...
Success: Resolved 'ise.chclasen.lab' address: 192.168.0.200
Validating WSA client certificate...
Success: Certificate validation successful
Validating ISE pxGrid Node certificate(s)...
Success: Certificate validation successful
Checking connection to ISE pxGrid Node(s)...
Trying primary PxGrid server...
Preparing TLS connection...
Completed TLS handshake with PxGrid successfully.
Trying download user-sessions...
Failure: Failed to download user-sessions.
Trying download SGT...
Able to Download 17 SGTs.
Trying connecting to primary ERS service...
Trying download user-groups...
Able to Download 9 user-groups.
Success: Connection to ISE pxGrid Node was successful
Test completed successfully.

The status of the pxGrid and ERS connection, as well as a list of the Security Group Tags (SGTs) and groups that have been pulled from ISE, can be checked using the isedata CLI subcommands:

● STATISTICS - Show the ISE server status and ISE statistics.

● CACHE - Show the ISE cache or check an IP address.

● SGTS - Show the ISE Secure Group Tag (SGT) table.

● GROUPS - Show the ISE Groups table.


Self-signed certificates

If the administrator does not wish to use an in-house certificate authority, it is possible to complete the configuration using the built-in self-signed certificate provided by ISE. This is done by leveraging the built-in certificate authority on the ISE node. This section is not necessary if the previous section was used to install CA-signed certificates.

pxGrid certificate creation (WSA)

The pxGrid service utilizes client-side certificates for mutual authentication. ISE provides a means to generate a PKCS12 file that contains the ISE certificate chain, as well as the key pair and certificate to be used by the WSA pxGrid client. To generate this file and extract the key and certificates, follow these steps:

1. On ISE, navigate to Administration > pxGrid > Certificates.

2. In the I want to field, use the drop-down to choose Generate a single certificate (without a certificate signing request).

3. Complete the certificate fields as required.

4. In the Certificate Download Format section, use the drop-down to choose PKCS12 Format.

5. Enter a password.

6. Unzip the archive file that is downloaded.

7. Use OpenSSL to extract the certificates and private key from the PKCS12 file (in the example, the file is wsa2.p12).

Extract the ISE CA certificate chain:

openssl pkcs12 -in wsa2.p12 -cacerts -nokeys -out ise-ca.cer

Extract the WSA pxGrid certificate:

openssl pkcs12 -in wsa2.p12 -clcerts -nokeys -out wsa2.cer

Extract the WSA pxGrid private key:

openssl pkcs12 -in wsa2.p12 -nocerts -nodes -out wsa2.key


8. On the WSA, navigate to Network > Certificate Management > Manage Trusted Root Certificates.

9. Click on Import.

10. Use Browse to locate the ISE CA certificate chain and click Submit.

11. Navigate to Network > Identity Services Engine.

12. Click Edit Settings.

13. In the WSA Client Certificate section, use the Choose File options to locate the exported key and certificate.

14. Click Upload Files.

15. Submit and Commit.

Note: In WSA 11.7, all references to the monitoring node have been removed from the ISE settings page. Any previous references have also been removed from the CLI.

Testing connectivity to pxGrid and ERS

At this point, the WSA should be attempting to communicate with ISE over pxGrid. With default settings, pxGrid clients must be manually approved. To manually approve the WSA as a pxGrid client, follow these steps:

1. Navigate to Administration > pxGrid Services.

2. Check the box next to the WSA and click Approve.


3. Confirm by clicking OK.

Additionally, it is possible to allow all certificate-authenticated clients to be auto-approved by following these steps:

1. Navigate to Administration > pxGrid Services > Settings.

2. Check the box for Automatically approve new certificate-based accounts.

3. Click Save.

4. Confirm by clicking Yes.

Note: The auto-approve setting cannot be set if there are pending clients. Approve any pending requests before changing the setting.

Note: In WSA 11.7, there is no communication to the ISE management node. All communication occurs over pxGrid and ERS.

WSA policy configuration

The WSA can use SGT information learned via the pxGrid connection to ISE, as well as group information learned through the ERS service, in both decryption policies and access policies. Both criteria can be configured in a single policy, but it is important to note that the version of the WSA that was used in the creation of this guide (11.7.0) will match on either SGT OR AD group. This is an important distinction because it represents a slight deviation in policy matching as compared with previous versions. This is only applicable if both an SGT and an AD group are configured in a policy.

The policy matching behavior is explained below, depending on which elements are configured (AD group, user, or SGT):

AD groups and users: No change to previous behavior; the policy will be matched if the user is a member of the group, OR the user is specified in the policy.

SGT and AD groups and users: The policy will be matched if the user is associated with the SGT AND is a member of the AD group, OR the user is specified in the policy.

SGT and users: The policy will be matched if the user is associated with the SGT OR the user is specified in the policy.
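The three itemized rules above, encoded as a shell function as an added example (not part of the Cisco guide) so that the 11.7.0 behaviour can be checked against concrete cases before a policy is relied on. It also covers a policy that lists an SGT and an AD group but no users, which the guide does not itemize, by applying the same AND to that case; the argument names and the sample cases are constructed.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): the WSA 11.7.0 policy-matching rules
# as a function, so the AND-versus-OR behaviour can be checked case by case.
#
# policy_matches SGT_CFG GRP_CFG USR_CFG HAS_SGT IN_GRP NAMED   (each 1 or 0)
#   SGT_CFG  the policy lists an SGT        HAS_SGT  ISE maps the user to that SGT
#   GRP_CFG  the policy lists an AD group   IN_GRP   the user is a member of that group
#   USR_CFG  the policy names users         NAMED    this user is one of those named
# Returns 0 when the policy matches the user, 1 when it does not.
policy_matches() {
  sgt_cfg=$1; grp_cfg=$2; usr_cfg=$3
  has_sgt=$4; in_grp=$5;  named=$6

  # A user named in the policy matches in every combination (the OR branch of each rule)
  if [ "$usr_cfg" = 1 ] && [ "$named" = 1 ]; then
    return 0
  fi
  # 11.7.0 deviation: with both an SGT and an AD group configured, both must hold
  if [ "$sgt_cfg" = 1 ] && [ "$grp_cfg" = 1 ]; then
    if [ "$has_sgt" = 1 ] && [ "$in_grp" = 1 ]; then return 0; fi
    return 1
  fi
  # Only one of SGT or AD group configured: that element alone decides
  if [ "$sgt_cfg" = 1 ]; then
    if [ "$has_sgt" = 1 ]; then return 0; fi
    return 1
  fi
  if [ "$grp_cfg" = 1 ]; then
    if [ "$in_grp" = 1 ]; then return 0; fi
    return 1
  fi
  return 1   # only named users are configured and this user is not one of them
}

# Print the verdict for one labelled case
show_case() {
  label=$1; shift
  if policy_matches "$@"; then verdict=MATCH; else verdict="no match"; fi
  printf '%-48s -> %s\n' "$label" "$verdict"
}

# Constructed cases; the first one is where the 11.7.0 change bites
show_case "SGT+group+users: user has the SGT but not the group" 1 1 1 1 0 0
show_case "SGT+group+users: user has the SGT and the group"     1 1 1 1 1 0
show_case "SGT+group+users: user is named, no SGT, no group"    1 1 1 0 0 1
show_case "group+users: user is in the group"                   0 1 1 0 1 0
show_case "SGT+users: user has the SGT"                         1 0 1 1 0 0
show_case "SGT+users: neither"                                  1 0 1 0 0 0
```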


Identification profile

In order to use security group tags or ISE group information in the WSA policies, an identification profile must first be created that utilizes ISE as a means to transparently identify users. To create such a profile, follow the steps below:

1. Navigate to Web Security Manager > Identification Profiles.

2. Click Add Identification Profile.

3. Name the profile appropriately.

4. In the Identification and Authentication section, use the drop-down to choose Transparently identify users with ISE.

5. Submit and Commit.

Decryption policy

Once the identification profile has been created, the decryption policies can be configured to use this profile and to use SGT or group information. To configure a decryption policy to use those attributes, follow the steps below:

1. Navigate to Web Security Manager > Decryption Policies.

2. Click Add Policy.

3. Name the policy appropriately.

4. In the Identification Profiles and Users section, use the drop-down to choose Select One or More Identification Profiles.

5. In the Identification Profiles section, use the drop-down to choose the name of the ISE identification profile.


6. In the Authorized Users and Groups section, select the radio button next to Selected Groups and Users.

7. Click the hyperlink next to ISE Secure Group Tags.

Note: In instances where AD authentication is used in addition to transparent ISE authentication, there will be two distinct types of groups that may be configured in a policy element. One will be named "Groups" and represents AD groups that are obtained through the authentication realms configured on the WSA. The other will be named "ISE Groups" and represents groups obtained from ISE.

8. In the Secure Group Tag Search section, check the box to the right of the desired SGT and click Add.


9. Click Done to return.

10. Click the hyperlink next to ISE Groups.

11. Highlight the desired group in the search pane and click Add.

12. Click Done to return.

13. Both the selected SGT and group will now be present in the policy.

14. Submit and Commit.

Access policy

SGT and group information can also be employed in access policies. To configure an access policy to use those attributes, follow the steps below:

1. Navigate to Web Security Manager > Access Policies.

2. Click Add Policy.

3. Name the policy appropriately.

4. In the Identification Profiles and Users section, use the drop-down to choose Select One or More Identification Profiles.


5. Click the hyperlink next to ISE Secure Group Tags.

Note: In instances where AD authentication is used in addition to transparent ISE authentication, there will be two distinct types of groups that may be configured in a policy element. One will be named "Groups" and represents AD groups that are obtained through the authentication realms configured on the WSA. The other will be named "ISE Groups" and represents groups obtained from ISE.

6. In the Secure Group Tag Search section, check the box to the right of the desired SGT and click Add.


7. Click Done to return.

8. Click the hyperlink next to ISE Groups.

9. Highlight the desired group in the search pane and click Add.


10. Click Done to return.

11. Both the selected SGT and group will now be present in the policy.

12. Submit and Commit.

Verification

In order to confirm that the configured policies have taken effect, the administrator may examine the access logs to ensure that traffic is being matched accordingly. Additional custom fields can be added to this log to indicate group membership and authentication method. In WSA 11.7, there is a new custom field (%X#11#) that denotes the SGT associated with the user. The following table describes the three custom fields that are most relevant to ISE authentication:

Format specifier in access logs   Description
%g                                The groups associated with a transaction.
                                  Example: "domain.lan/Domain Users"
%m                                The authentication mechanism used on the transaction.
                                  Example: SSO_TUI
%X#11#                            The number representing the Security Group Tag associated with an authenticated user.
                                  Example: 4

The full list of available custom fields is available in the WSA GUI at System Administration > Log Subscriptions > accesslogs > Custom Fields Reference.

Example access log entry with the %g, %m, and %X#11# custom fields (they are the last three items in the entry):

1543519369.674 205 192.168.0.50 TCP_MISS/200 5258 GET http://www.blue.com/ "cisco" DIRECT/www.blue.com text/html DEFAULT_CASE_12-DefaultGroup-ISE_Auth-NONE-NONE-NONE-DefaultGroup-NONE <IW_pers,-3.0,1,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,IW_pers,-,"Unknown","Personal Sites","-","Unknown","Unknown","-","-",205.19,0,-,"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-> - "chclasen.lab/Builtin/Users,chclasen.lab/Users/Domain Users" SSO_ISE 4

Information about the ISE engine in the WSA is found in the ise_service_log. When troubleshooting, it can be useful to change the logging level for this log to debug.


The isedata CLI command provides various subcommands for verifying the status of the ISE connection as well as the state of the authentication cache. Below are examples of the output of these commands:

>isedata
Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> statistics
PxGrid Connection Status: CONNECTED
PxGrid Hostname: ise.chclasen.lab
PxGrid Time of Connection: 2018-11-30T13:42:27.377060
ERS Connection Status: CONNECTED
ERS Hostname: ise.chclasen.lab:9060
ERS Time of Connection: 2018-11-29T16:23:50.302516
Session Bulk Download: 1
Group Bulk Download: 1
SGT Bulk Download: 18
Session Update: 0
Group Update: 0
Memory Allocation: 105
Memory Deallocation: 34

Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> cache
Choose the operation you want to perform:
- SHOW - Show the ISE ID cache.
- CHECKIP - Query the local ISE cache for an IP address
[]> show
IP              Name    SGT#
192.168.10.50   cisco   4

Choose the operation you want to perform:
- SHOW - Show the ISE ID cache.
- CHECKIP - Query the local ISE cache for an IP address
[]>


Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> sgts
SGT#    SGT Name                SGT Description
65535   ANY                     Any Security Group
13      Test_Servers            Test Servers Security Group
3       Network_Services        Network Services Security Group
7       Production_Users        Production User Security Group
10      Point_of_Sale_Systems   Point of Sale Security Group
11      Production_Servers      Production Servers Security Group
8       Developers              Developer Security Group
12      Development_Servers     Development Servers Security Group
4       Employees               Employee Security Group
15      BYOD                    BYOD Security Group
5       Contractors             Contractor Security Group
255     Quarantined_Systems     Quarantine Security Group
9       Auditors                Auditor Security Group
2       TrustSec_Devices        TrustSec Devices Security Group
0       Unknown                 Unknown Security Group
14      PCI_Servers             PCI Servers Security Group
6       Guests                  Guest Security Group
16      Windows10

Choose the operation you want to perform:
- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
- GROUPS - Show the ISE Groups table.
[]> groups
GROUPS#
chclasen.lab/Users/Domain Users
chclasen.lab/Users/Contractors
GuestType_Weekly (default)
OWN_ACCOUNTS (default)
GROUP_ACCOUNTS (default)
GuestType_SocialLogin (default)
Employee
GuestType_Daily (default)
GuestType_Contractor (default)
ALL_ACCOUNTS (default)
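As an added example (not part of Cisco's guide), the following Python script ties the verification steps above together: it parses the SGT table printed by isedata sgts and the access log entry shown earlier, and resolves the %g, %m and %X#11# custom fields to the group list, the authentication mechanism and the SGT name so that a log review can confirm ISE identification was applied. Both sample inputs are constructed copies of output on this page, and the script assumes the three custom fields are appended in the order %g, %m, %X#11# as the last items of each entry.

```python
import re

# Constructed input: a subset of the rows printed by `isedata` > `sgts` in this guide.
SGTS_OUTPUT = """SGT# SGT Name SGT Description
65535 ANY Any Security Group
4 Employees Employee Security Group
5 Contractors Contractor Security Group
255 Quarantined_Systems Quarantine Security Group
0 Unknown Unknown Security Group
16 Windows10"""

# Constructed input: the access log entry from this guide, joined onto one line.
ACCESS_LOG_LINE = (
    '1543519369.674 205 192.168.0.50 TCP_MISS/200 5258 GET http://www.blue.com/ "cisco" '
    'DIRECT/www.blue.com text/html DEFAULT_CASE_12-DefaultGroup-ISE_Auth-NONE-NONE-NONE-'
    'DefaultGroup-NONE <IW_pers,-3.0,1,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,IW_pers,-,'
    '"Unknown","Personal Sites","-","Unknown","Unknown","-","-",205.19,0,-,"Unknown","-",-,'
    '"-",-,-,"-","-",-,-,"-",-> - '
    '"chclasen.lab/Builtin/Users,chclasen.lab/Users/Domain Users" SSO_ISE 4')

# Assumed field order at the end of each entry: %g (quoted, comma-separated groups),
# %m (authentication mechanism) and %X#11# (SGT number, or "-" when no SGT is known).
TAIL_RE = re.compile(r'"(?P<groups>[^"]*)"\s+(?P<mech>\S+)\s+(?P<sgt>\S+)\s*$')


def parse_sgt_table(text):
    """Map SGT number -> SGT name from the `isedata sgts` output (header row skipped)."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)          # number, name, optional description
        if len(parts) >= 2 and parts[0].isdigit():
            table[int(parts[0])] = parts[1]
    return table


def parse_custom_fields(line, sgt_table):
    """Extract %g, %m and %X#11# from one access log line and resolve the SGT name."""
    m = TAIL_RE.search(line)
    if m is None:
        return None                          # custom fields not present in this subscription
    sgt = int(m['sgt']) if m['sgt'].isdigit() else None
    return {
        'groups': [g for g in m['groups'].split(',') if g],
        'mechanism': m['mech'],
        'ise_identified': m['mech'].startswith('SSO_'),
        'sgt': sgt,
        'sgt_name': sgt_table.get(sgt) if sgt is not None else None,
    }
```

Running parse_custom_fields(ACCESS_LOG_LINE, parse_sgt_table(SGTS_OUTPUT)) on the sample entry reports SSO_ISE as the mechanism and SGT 4, which the table resolves to Employees.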

Conclusion

The Cisco Identity Service Engine serves as a valuable tool for user authentication, authorization, and accounting. Integrating ISE with the Cisco Web Security Appliance enables an administrator to leverage the wealth of user identity information available over pxGrid and the ERS API to enrich their policy enforcement and reporting. This guide has covered the basic configuration of both ISE and the WSA to allow for this exchange of information using both CA-signed and self-signed certificates. It has also explained the basic WSA policy configuration and verification steps required to leverage the integrated solution. The administrator should have all of the tools required to confidently deploy the solution and configure the required policy elements to meet their needs.

Printed in USA C07-741637-00 01/19