Third party content filtering software integration with Cisco ASA

I have several locations with Cisco ASA 5540's.  I want to install a 3rd party content filtering software, (or if there is a cloud-based solution I am fine with that also), to provide web content filtering and management.  (Something like Websense-Triton, but not quite as expensive, and something I can deploy in a centralized location).

I want to be able to have the SAME kind of functionality for my Cisco ASA's as Sonicwall does for their NSA line of products.  (I know that Sonicwall's have internal content filtering).

Can someone provide me a list of options for this?

Thank you,
Jeff
jgrammer42Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NinjaStyle82Systems AdministratorCommented:
there are many ways to implement a content filtering solution. usually online is always an option and is independent of the ASA. there is usually also the option of WCCP redirection from the ASA to the filter. I have used ASA with websense, smoothwall, ironport, and used WCCP.
NinjaStyle82Systems AdministratorCommented:
*inline not online. on my phone. :)
jgrammer42Author Commented:
NinjaStyle82

I very much like the idea of a cloud-based web content filter.  That way I can have centralized management for the various branch locations.

 Can you provide me with a few possible solutions that would work for ASA's that have various IOS versions from 8.2 and up?

Thank you,
Jeff
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

NinjaStyle82Systems AdministratorCommented:
if you want to go entirely cloud based you will likely need to do a client side proxy/pac configuration. it should work independently of the ASA. I would talk with a vendor to get options. Websense offers cloud only and hybrid solutions, as does smoothwall and many others. they should give you a good idea of how the implementation will work, most likely the ASA will not be an obstacle.
NinjaStyle82Systems AdministratorCommented:
i should be more clear. proxy/pac on the client as opposed to if it was an on premises solution, you could transparently proxy clients.
jgrammer42Author Commented:
NinjaStyle82,

Please forgive me for being dense.  I am having a hard time visualizing what you are referring to.  Are you saying that I should look at a solution where there is a client software installed on the PC and that then talks to a cloud based content filtering service?  (Essentially then the ASA is not doing anything than acting as a router for HTTP:80 traffic.

Thank you,
Jeff
NinjaStyle82Systems AdministratorCommented:
Usually an on premises content filter like websense has an appliance (usually a Linux based server) that you proxy traffic through. There are a few ways to send the traffic to the appliance. One is using explicit proxy where you set client proxy settings or automatic configuration settings to tell it that it needs to connect through your filter.

The other way is a transparent proxy which can be set up a few ways like inline or WCCP. When it is inline the appliance is directly connected to your internal network on one interface, and your ASA on another interface. Since all traffic is forced through the appliance, it can do filtering without explicit client settings.

Another common method is WCCP which you would set up on your ASA. Basically it will have a rule saying 80 and 443 traffic will be redirected to the appliance, and only data to the appliance can pass.

Usually if you are using a cloud filter you need some form of explicit proxy for it to work. Sometimes there may also be an agent on the client that is doing the proxying.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jgrammer42Author Commented:
Excellent help and information.  thank you very much!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.