Rick Goodman asked:
Can I point traffic from a single subnet to Cisco Hosted Web Security on my Cisco ASA 5512X?

I'm having issues with streaming media abuse on company iPhones while on our corporate LAN and need to find a solution to block them from that. However, they all use O365 on their iPhones so I can't just block them from Internet access completely.

My thought is to create a separate SSID on our Cisco WLC for their iPhones and configure our Cisco ASA 5512X to point only that particular subnet to our hosted Cisco Web Security service and let them get our General Users Block policy, which blocks streaming media.

Does anyone know if this is possible and, if so, how to set this up on the ASA?

Or any other ideas?
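The subnet-based redirect described in the question is what the ASA's Cloud Web Security (ScanSafe) connector does: a class-map matching only the iPhone SSID's subnet is sent to the tower, everything else is left alone. The configuration below is an added example written for this thread, not the asker's config or Cisco's documentation verbatim. It assumes ASA 9.x with the CWS connector feature, a constructed iPhone subnet of 10.20.30.0/24, placeholder tower FQDN and license key, and a CWS portal group named General-Users that carries the block policy; all of those names and values are assumptions.

```cisco
! Added example (not from the thread): ASA 9.x Cloud Web Security (ScanSafe) connector
! redirecting only the iPhone subnet. All addresses, names and the key are placeholders.
!
! 1. Tower and license: replace with the values shown in your CWS portal.
scansafe general-options
 server primary fqdn proxy-tower.example.invalid port 8080
 retry-count 5
 license 00000000000000000000000000000000
!
! 2. Match web traffic sourced only from the iPhone SSID's subnet (constructed: 10.20.30.0/24).
!    HTTP and HTTPS need separate classes because each scansafe inspect policy-map
!    handles one of the two.
access-list CWS_IPHONE_HTTP extended permit tcp 10.20.30.0 255.255.255.0 any eq www
access-list CWS_IPHONE_HTTPS extended permit tcp 10.20.30.0 255.255.255.0 any eq https
!
class-map CWS_IPHONE_HTTP_CLASS
 match access-list CWS_IPHONE_HTTP
class-map CWS_IPHONE_HTTPS_CLASS
 match access-list CWS_IPHONE_HTTPS
!
! 3. The default user/group is what the tower sees for unauthenticated clients; point the
!    group at the portal group that carries the "General Users Block" policy (assumed name).
policy-map type inspect scansafe CWS_IPHONE_HTTP_PMAP
 parameters
  default user iphone-user group General-Users
  http
policy-map type inspect scansafe CWS_IPHONE_HTTPS_PMAP
 parameters
  default user iphone-user group General-Users
  https
!
! 4. Attach to the existing global service policy. fail-close keeps the block policy
!    effective when the tower is unreachable; fail-open would let the phones out unfiltered.
policy-map global_policy
 class CWS_IPHONE_HTTP_CLASS
  inspect scansafe CWS_IPHONE_HTTP_PMAP fail-close
 class CWS_IPHONE_HTTPS_CLASS
  inspect scansafe CWS_IPHONE_HTTPS_PMAP fail-close
```

This relies on `global_policy` already being applied with `service-policy global_policy global`, as it is on a default ASA. After applying it, `show scansafe server` confirms the tower is reachable and `show scansafe statistics` shows redirected connection counts per class, which is the quickest way to check that traffic from the iPhone subnet is actually leaving via the tower. One caveat for the goal in the question: the connector only redirects TCP/80 and TCP/443, so a streaming app that uses other ports walks straight past it; pairing the redirect with an outbound ACL on the iPhone VLAN that permits only DNS, 80 and 443 closes that gap.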
ASKER CERTIFIED SOLUTION
William Miller
This solution is only available to members of Experts Exchange.
Rick Goodman (Asker):
I wouldn't say purchasing an appliance is completely out of the question, but we're trying first to figure out a way to do it with what we already have. We looked at various appliances many years back but needed something that would provide web filtering for remote clients as well as clients in the office. So we went with a hosted solution; first it was Websense, and then we eventually moved to ScanSafe, now Cisco's Hosted Web Security using the Cisco Mobile Security Client. It also filters by site, category, etc. But I'm just not sure if that kind of setup is supported and, if it is, how to set it up. My hunch is we'll still need an appliance or at least a server to do the filtering. But thanks for the reply.
arnold:
I do not understand why not restrict the allowed traffic from the phone VLAN to only access the O365 Lync service IPs.
Look at the SIP hostname to which the phone needs access, removing everything else. If the systems piggyback, make sure you have a voice VLAN and a data VLAN on which the PCs are, and set up the voice VLAN to allow access to the cloud PSTN provider and the Lync O365...
That should resolve your issue.
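The allow-list approach arnold describes, as an added example for this thread rather than anything posted in it: an inbound ACL on the ASA interface facing the phone VLAN that permits only DNS and the Lync/O365 endpoints and logs everything else. The interface name iphone_wifi, the subnet 10.20.30.0/24, the DNS server 10.0.0.53 and the endpoint address ranges are all constructed placeholders; the real O365 ranges come from Microsoft's published endpoint list and change over time, so the object-group is what you maintain.

```cisco
! Added example (not from the thread): restrict the iPhone VLAN to Lync/O365 endpoints only.
! Addresses below are documentation-range placeholders, not real Microsoft ranges.
object-group network O365_LYNC_ENDPOINTS
 network-object 203.0.113.0 255.255.255.0
 network-object 198.51.100.0 255.255.254.0
!
! Lync signalling and web services: HTTPS and SIP/TLS.
object-group service O365_LYNC_TCP tcp
 port-object eq https
 port-object eq 5061
!
! Lync STUN and media: UDP 3478 plus a high range; adjust to the documented range.
object-group service O365_LYNC_UDP udp
 port-object eq 3478
 port-object range 50000 59999
!
! Constructed iPhone subnet 10.20.30.0/24 and internal DNS resolver 10.0.0.53.
access-list IPHONE_WIFI_IN extended permit udp 10.20.30.0 255.255.255.0 host 10.0.0.53 eq domain
access-list IPHONE_WIFI_IN extended permit tcp 10.20.30.0 255.255.255.0 object-group O365_LYNC_ENDPOINTS object-group O365_LYNC_TCP
access-list IPHONE_WIFI_IN extended permit udp 10.20.30.0 255.255.255.0 object-group O365_LYNC_ENDPOINTS object-group O365_LYNC_UDP
! Explicit deny with logging so blocked streaming attempts show up in syslog and hit counters.
access-list IPHONE_WIFI_IN extended deny ip any any log
!
access-group IPHONE_WIFI_IN in interface iphone_wifi
```

`show access-list IPHONE_WIFI_IN` shows per-ACE hit counts, so the deny line's counter tells you how much non-O365 traffic the phones are generating, and the logged denies identify which apps are being blocked. The trade-off against the hosted web security option is that this gives no category filtering at all: anything not in the object-groups is dropped, including mail or web resources the phones may legitimately need, so the allow-list has to cover every O365 service the iPhones use, not just Lync.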
SOLUTION
This solution is only available to members of Experts Exchange.
Sorry, but the scope has shifted a bit today. Our IT Director wants a NAC-type solution, possibly one that has web filtering capabilities. He wants to make sure we don't allow any non-company-issued smartphones on the network, as well as prevent company-issued iPhones from streaming media while using our corporate network. I know I can set the NAC part up with MAC address filtering, but that seems like a lot to manage, as well as leaving holes if someone were to spoof a MAC address (albeit an unlikely situation). Anyone know of a decent solution for this? Obviously, this will likely involve an appliance of some sort.
802.1X is a way to restrict access to authorized systems only.

You have to have the entire scope defined and then work your way through. As for restricting streaming over Wi-Fi: do you manage your company iPhones using the Apple-provided enterprise management tools?
We're now heading down the path of either Cisco ISE or MAC Address Filtering. But thanks for the input everyone.