Cisco Web Security Appliance (WSA) Async OS 14.1 introduces Cisco Umbrella Seamless Identity sharing. This can be used to authenticate end-users with the on-premise active directory, and forward the traffic and user identity to Cisco Umbrella when used in proxy chain mode. For more information see https://www.cisco.com/c/dam/en/us/products/se/2021/6/Collateral/swa-async-os.pdf.
You may employ proxy-chaining in your environment for easier migration or proxy transparency. To use proxy-chaining in conjunction with Umbrella SIG, first determine which anycast method is appropriate for your environment.
Note: Proxy chain traffic is only supported for Network deployments, and should not be sent through tunnels as features such as XFF are not supported.
Umbrella's secure web gateway (SWG) leverages anycast routing to ensure a connection to the best possible datacenter. Umbrella achieves this through one of the following methods:
- FQDN anycast (recommended)
- TCP anycast.
The difference between these methods is in how the anycast routing is performed.
FQDN anycast uses Umbrella DNS to discover the best datacenter to forward web traffic to and is the primary anycast method used across Umbrella. If Umbrella DNS can be used, and the on-premises proxy can use an FQDN-based URL to define the upstream proxy, then FQDN anycast should be used.
TCP anycast does not use Umbrella DNS, and therefore can be employed by on-premises proxies that require the upstream proxy to be defined as an IP address. TCP anycast is also appropriate for environments in which the on-premises proxy does not have DNS configured and all traffic forwarding decisions are made by IP address, offloading DNS lookups to the upstream proxy.
To configure your on-premises upstream proxy settings for FQDN anycast, use the following:
- HTTP upstream proxy = proxy.sig.umbrella.com:80
- HTTPS upstream proxy = proxy.sig.umbrella.com:443
To configure your on-premises upstream proxy setting for TCP anycast, use these settings:
- HTTP upstream proxy = 18.104.22.168:80
- HTTPS upstream proxy = 22.214.171.124:443
The following URLs must be routed directly to the internet and not forwarded to Umbrella:
ocsp.int-x3.letsencrypt.org isrg.trustid.ocsp.identrust.com *.cisco.com *.opendns.com *.umbrella.com (see following note) *.okta.com *.oktacdn.com *.pingidentity.com secure.aadcdn.microsoftonline-p.com
Note: In the case of
*.umbrella.com, however, there may be an exception. If you are using SAML,
gateway.id.swg.umbrella.com must be sent through the Umbrella proxy.
Make sure that you have configured a Network identity that matches the public IP of your on-premise proxy (NAT) IP address.
Updated about a month ago