User Guide

Cisco AnyConnect Secure Mobility Solution Guide
Supported Architectures
Architecture Scenario 3, Explicit Forward Proxy
Figure 3 illustrates the architecture described in this section.
Figure 3 Explicit Mode Policy Enforcement
In the deployment scenario depicted in Figure 3, clients are configured to send
web traffic explicitly to the WSA instead of having it transparently redirected
to the WSA. Client applications, such as web browsers, are configured to
explicitly use the WSA as a proxy server (address: 192.168.1.2, port: 80/443).
This is different from the deployments described in Figure 1 and Figure 2, where
a WCCP router transparently redirects web traffic to the WSA, and the clients
are unaware their web traffic is going through a proxy server.
Note: Browser proxy settings can either be defined manually by the end user or
dynamically by the ASA during VPN establishment. You can use the Adaptive
Security Device Manager (ASDM) to configure dynamic proxy configuration
settings under Configuration > Remote Access VPN > Network (Client) Access >
Group Policies > Group Name > Edit > Advanced > Browser Proxy in the
predefined internal Group Policy on the ASA.
Both web and non-web traffic are forwarded to the ASA over the VPN session.
However, web traffic is explicitly sent to the WSA as defined in the browser proxy
settings, and non-web traffic is routed based on the routing table of the ASA.
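
A check for the traffic split described above, as an added example that is not part of the Cisco guide: it sorts flow records from VPN clients into proxied, non-web, and web-port connections that were not addressed to the WSA and were therefore routed by the ASA routing table. The VPN address pool (10.10.10.0/24), the CSV flow format, the sample records and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

WSA_PROXY = ipaddress.ip_address("192.168.1.2")   # proxy address from the guide
WEB_PORTS = {80, 443}                              # proxy ports from the guide
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")   # assumption: AnyConnect pool

# Constructed flow records (not real ASA output): src,dst,dport
SAMPLE_FLOWS = """\
src,dst,dport
10.10.10.21,192.168.1.2,80
10.10.10.21,203.0.113.50,443
10.10.10.22,192.168.1.2,443
10.10.10.22,198.51.100.7,22
10.10.10.23,203.0.113.80,80
192.168.1.2,203.0.113.50,443
not-an-ip,203.0.113.50,443
"""

def classify(src, dst, dport):
    """Return 'proxied', 'bypass', 'non-web' or 'ignored' for one flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in VPN_POOL:
        return "ignored"        # e.g. the WSA's own upstream fetches
    if dst == WSA_PROXY and dport in WEB_PORTS:
        return "proxied"        # explicit proxy connection to the WSA
    if dport in WEB_PORTS:
        return "bypass"         # web port reached without going to the WSA
    return "non-web"            # routed by the ASA routing table

def audit(flow_csv):
    """Group flows by class; unparsable rows are collected under 'malformed'."""
    result = {k: [] for k in
              ("proxied", "bypass", "non-web", "ignored", "malformed")}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            flow = (row["src"], row["dst"], int(row["dport"]))
            result[classify(*flow)].append(flow)
        except (ValueError, TypeError, KeyError):
            result["malformed"].append(tuple(row.values()))
    return result

if __name__ == "__main__":
    for kind, flows in audit(SAMPLE_FLOWS).items():
        print(f"{kind:9} {flows}")
```

Entries under `bypass` point to clients or applications that are not honoring the browser proxy settings pushed by the group policy.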