Configuring Symantec WSS

To enable Aruba SD-Branch integration with WSS, the following steps are required:

Configuring Web Security Service for SD-Branch Integration

The Web Security Service is managed and configured through the UI or APIs. The configuration steps described in this section follow the UI-based workflows.

Before you begin, ensure that you are a registered user of the Web Security Service portal with administrative privileges.

The Web Security Service configuration includes the following steps:

Creating IPSec and IKE Crypto Profiles

Symantec Web Security Service supports the crypto profile that Aruba uses by default. For more information, see https://portal.threatpulse.com/docs/am/reference/ref-ike-proposals.htm.

Adding Branch Sites to WSS Datacenters

To allow Aruba branches to connect to WSS, you must add branch locations in WSS.

To add a branch site to WSS:

  1. Log in to the WSS portal.
  2. Go to Service > Network > Locations. The Locations page opens and displays a list of sites that are already configured and the VPN connection status indicators for these sites.
  3. To add a branch location, click + Add Location.
  4. In the FQDN IKEv2 Firewall section, enter the FQDN of the branch location and the pre-shared key.
  5. Click Save.

The following figure illustrates how to add a branch to WSS Datacenter.

Figure 1   Adding a Branch location to a WSS Datacenter


Configuring an Authentication Policy (Optional)

When traffic from the branch is sent to WSS, it can be inspected transparently, or SAML authentication can be used to leverage DLP and CASB services. If an authentication policy is configured, WSS identifies the user and device. Administrators can also use a software client on the device to authenticate a user.

If users have installed the Symantec root CA certificate and Branch Gateways forward HTTP and HTTPS traffic, SSL interception is effective as soon as a branch location is added in WSS. However, you can configure a custom authentication profile to enable role-based policies in WSS. For example, administrators can perform web isolation for all HR management and Finance employees and only perform web category filtering for IoT devices. Authentication can be performed by a software client, the Symantec Endpoint Client, with or without SAML authentication.

For SAML authentication, traffic on TCP port 8443 must also be routed through WSS, in addition to TCP ports 80 and 443.

To configure an authentication policy:

  1. In the WSS portal, go to Service > Authentication > Authentication Policy > Location Policy > Firewall/VPN Authentication.
  2. Configure an authentication profile.

The following figure shows an example for the authentication method configuration.

Figure 2  Authentication Policy

  3. Click Save Rule.

Configuring Aruba Gateways for Integration with WSS

To enable Aruba Gateways to connect to WSS, the following configuration is required:

Configuring IPsec Tunnels to WSS

To configure an IPsec tunnel to WSS:

Prerequisites

To define a probe responder that measures the quality of the different tunnels going to the third-party service, you must create an IP-SLA profile and associate it with a next-hop list. For more information, see Configuring IP-SLA Profiles.

  1. To select a Branch Gateway group or an individual Branch Gateway, complete one of the following procedures:
    • To select a gateway group:
      1. In the Aruba Central app, set the filter to a group that contains at least one Branch Gateway.

        The dashboard context for a group is displayed.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click Config.

        The configuration page is displayed for the selected group.

    • To select a gateway:
      1. In the Aruba Central app, set the filter to Global or a group that contains at least one Branch Gateway.
      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click a gateway under Device Name.

        The dashboard context for the gateway is displayed.

      4. Under Manage, click Device.

        The gateway device configuration page is displayed.

  2. Click VPN > Cloud Security.
  3. In the IPSec Maps section, click + to open the New IPSec map section.
  4. Select Symantec WSS as the cloud security provider from the drop-down list.
  5. Enter a name for the IPsec map. The allowed character limit is 128.
  6. Enter a priority number for the IPsec map within a range of 1 to 10,000. A priority value of 1 indicates the highest priority.
  7. Configure a transform set. Transform sets allow you to define a combination of security protocols and algorithms that you can apply to the IPsec traffic flow.

    To add a transform set:

    1. Click + under Transforms.
    2. From the available transform sets, select default-aes. The default-aes transform uses AES-256 encryption with a SHA1 hash.
    3. Click Save Settings.
  8. Select one of the following options in Tunnel source, based on your requirement: the uplink VLAN to use for bringing up tunnels to WSS (in the case of a Branch Gateway), or the source VLAN (in the case of VPNCs).
    • VLAN—Select a VLAN from the VLAN drop-down list.
    • Uplink VLAN—Select an uplink VLAN from the Uplink VLAN drop-down list.

      Ensure that you assign different priorities for different uplinks in the next-hop list configuration.

  9. Select one of the following tunnel monitor probes:
  10. Enter one of the following Destination Types:

    • IP Address—If you selected this option, then specify an IP address.
    • FQDN—If you selected this option, then specify an FQDN value.

  11. In Probe destination, enter the probe destination.
    • If you selected IP address in Destination type, then specify an IP address.
    • If you selected FQDN in Destination type, then specify an FQDN value.

  12. Enter the FQDN of the tunnel source in the Source FQDN field. The source FQDN must match the FQDN configured on the WSS portal.

    The source FQDN is unique for each branch location.

  13. In the Tunnel destination IP field, specify the IP address of the branch location configured in WSS to which the tunnel will be established.
  14. Select one of the following options in the Representation type drop-down list:
    • Text-Based
    • Hex-Based
  15. In the IKE shared secret field, enter the IKE pre-shared secret key that you configured on the WSS portal, and retype the secret key to confirm.

    The following figure shows the sample configuration values:

    Figure 3  Symantec WSS Configuration

  16. Click Save Settings.

Configuring a Next-hop List

After configuring the tunnels, you can create a next-hop list to group the tunnels inside routing policies. For more information, see Configuring Policies for PBR.

When creating a next-hop list:

    • Ensure that different priorities are assigned for the tunnels.
    • Ensure that Preemptive failover is enabled.

    Figure 4  Creating a Next-hop list for Symantec WSS

Adding the Nexthop List to PBR Policy

After creating the next-hop list, you must add the next-hop list to a routing policy. For more information on adding a next-hop list to a global routing policy, see Configuring Policies for PBR.

In the example shown in the following figures, the routing policy sends all traffic to private subnets (an alias representing 10.0.0.0/8 and 172.16.0.0/12) through the regular path, all web traffic to the WSS nodes, and the remaining traffic through the regular ISP lines.

Figure 5  Creating a Symantec WSS Alias for Web Ports

Figure 6  Routing Policies
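The following Python model shows the behaviour of the routing policy above together with the next-hop list rules from the previous section (distinct priorities, preemptive failover, TCP 8443 added for SAML). It is an added example, not Aruba or Symantec code; the alias contents come from the text, while the tunnel names and sample flows are constructed.

```python
"""PBR policy and next-hop list behaviour described in this section, modelled
in Python. Added example, not Aruba or Symantec code; tunnel names and sample
flows are constructed."""
import ipaddress

# The "private subnets" alias from the routing-policy example.
PRIVATE_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("172.16.0.0/12")]
# Web ports steered to WSS; TCP 8443 is only required when SAML authentication is used.
WEB_PORTS = {80, 443}
WEB_PORTS_SAML = WEB_PORTS | {8443}


def classify(dst_ip, dst_port, proto="tcp", saml=False):
    """Return the policy action for a flow: 'regular', 'wss' or 'isp'.
    Rules are evaluated in the order the text gives them."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in PRIVATE_SUBNETS):
        return "regular"                      # private traffic: regular path
    ports = WEB_PORTS_SAML if saml else WEB_PORTS
    if proto == "tcp" and dst_port in ports:
        return "wss"                          # web traffic: WSS next-hop list
    return "isp"                              # everything else: ISP uplink


def select_tunnel(nexthops, up):
    """Choose the active tunnel from a next-hop list.

    nexthops maps tunnel name -> priority (1 is highest); up is the set of
    tunnels whose IP-SLA probe currently succeeds. The section requires
    distinct priorities, so duplicates are rejected. With preemptive failover
    the best reachable tunnel always wins, so traffic returns to the primary
    as soon as its probe recovers."""
    if len(set(nexthops.values())) != len(nexthops):
        raise ValueError("tunnels in a next-hop list need distinct priorities")
    live = [(prio, name) for name, prio in nexthops.items() if name in up]
    return min(live)[1] if live else None     # None: no WSS tunnel available


if __name__ == "__main__":
    tunnels = {"wss-dc1": 1, "wss-dc2": 2}    # constructed tunnel names
    for ip, port in [("10.4.1.9", 443), ("203.0.113.7", 443), ("203.0.113.7", 25)]:
        print(ip, port, "->", classify(ip, port))
    print("primary down ->", select_tunnel(tunnels, {"wss-dc2"}))
    print("primary back ->", select_tunnel(tunnels, {"wss-dc1", "wss-dc2"}))
```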

Applying Policies to a Role or VLAN

After you configure a routing policy, apply it to a role or VLAN. For more information, see Applying Policies to Gateway Interfaces.

Verifying Tunnel Status

  1. To view the tunnel status on a gateway:
    • In the Aruba Central app, use the filter to select the gateway.
    • Under Manage, click Overview.
  2. Click Tunnels.

For more information, see Gateway > WAN > Tunnels.