Cisco 11000 Series Secure Content Accelerator Configuration Guide April 2003 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: 78-13124-06...
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: •...
Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.;...
Contents (fragment)

Chapter 1: Overview
  Product Overview
  Secure Content Accelerator Versions
Chapter 2: Installing the Hardware and Software
  Site Requirements
  Required Tools and Equipment
  Shipment Contents
Chapter 4: Using the Configuration Manager
  Overview
  Configuration Security
    Passwords
    Access Lists
    Factory Default Reset Password
  Before You Begin
  Initiating a Management Session
    Serial Management and IP Address Assignment
  Example: Generating a Certificate 4-24
  Supporting SNMP 4-25
    Example: Configuring SNMP 4-25
  Supporting RIP 4-26
    Example: Configuring RIP 4-26
  Supporting Other Secure Protocols 4-27
    Example: Configuring a Secure Mail Server 4-27
  Example: Working with Syslogs 5-13
  Example: Restricting Access using an Access List 5-14
  Example: Reloading (Rebooting) the Appliance 5-17
  Example: Setting an Enable Password 5-18
  Example: Configuring SNMP 5-19
  SSL Configuration Examples 5-22
  More Information 6-10
Appendix: Specifications
  Electrical Specifications
  Environmental Specifications
  Physical Specifications
Appendix: Deployment Examples
  Single Device
  Load Balancing
  Methods to Manage the Device
  Initiating a Management Session
    Serial Management and IP Address Assignment
    Telnet C-10
  Command Listing C-10
  Top Level Command Set C-31
  Non-Privileged Command Set C-31
    clear screen C-31
    C-31
    enable C-31
    C-40
    show ip name-server C-40
    show ip routes C-41
    show ip statistics C-41
    show keepalive-monitor C-41
    show log C-42
    show memory C-42
    show messages C-42
    show netstat C-43
    C-55
    show ssl session-stats C-56
    show ssl statistics C-58
    show ssl tcp-tuning C-60
    show syslog C-61
    show system-resources C-61
    show telnet C-62
    show terminal C-62
    show timezone C-62
    show version C-63
    C-71
    copy running-configuration startup-configuration C-72
    copy startup-configuration C-72
    copy startup-configuration running-configuration C-73
    copy to flash C-73
    copy to running-configuration C-74
    copy to startup-configuration C-74
    disable C-75
    erase running-configuration C-75
    C-83
  Configuration Command Set C-84
    access-list C-84
    clock C-85
    C-86
    exit C-86
    finished C-86
    help C-87
    hostname C-87
    interface C-88
    ip address C-88
    ip domain-name C-89
    ip name-server C-89
  Installing a Firmware Image (Xmodem)
  Extracting a Device Configuration
  Resetting the Environment to Factory Defaults
  Command Set D-11
    ? (question mark) D-11
    baud D-11
    boot D-11
    D-11
    D-12
    eaddr D-12
  Troubleshooting the Hardware
Appendix: SSL Introduction
  Introduction to SSL
  Port Blocking Mechanism
  Before You Begin
  Using Existing Keys and Certificates
    Apache mod_SSL
    ApacheSSL
  Cisco Secure Content Accelerator Management
Appendix: Regulatory Information
  Regulatory Standards Compliance
  Canadian Radio Frequency Emissions Statement
  FCC Class A
  CISPR 22 (EN 55022) Class A
  VCCI
  Figure 5-14 Save Changes Button 5-17
  Figure 5-15 Change Password Example 5-18
  Figure 5-16 SNMP Configuration Example 5-19
  Figure 5-17 SNMP Trap Example 5-20
  Figure 5-18 Add SNMP Trap Host Example 5-21
About This Guide This guide can help you successfully install and configure the Cisco 11000 Series Secure Content Accelerators (SCA and SCA2). It also provides helpful troubleshooting suggestions for potential hardware and software problems. How to Use This Guide This section describes the contents of this guide.
This appendix presents a short introduction to SSL and a description of how the components are used in configuration. Instructions for generating keys and certificates with OpenSSL are also included in this appendix.
Courier text indicates text that appears on the screen (such as the command line interface) or is returned by the computer. Courier bold text indicates commands and text you enter in a command line.
• A bulleted list indicates that the order of the list topics is unimportant.
– An indented dashed list indicates that the order of the list topics is unimportant.
These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com...
About This Guide Obtaining Documentation You can order Cisco documentation in these ways: • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/en/US/partner/ordering/index.shtml • Registered Cisco.com users can order the Documentation CD-ROM...
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com provides a broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity...
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL: http://www.cisco.com/en/US/support/index.html If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case. To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml...
Obtaining Additional Publications and Information
• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL: http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html...
Chapter 1: Overview
This chapter describes the features and functions of the Secure Content Accelerator. This chapter contains the following sections:
• Product Overview
• Secure Content Accelerator Versions
Simply load your own certificate and key when they are available. The Cisco 11000 Series Secure Content Accelerator is compatible with all Cisco content switches—the Cisco LocalDirector, the Catalyst Content Switching Module, and the Cisco CSS 11000 Series Content Services Switches.
This chapter contains the following sections:
• Site Requirements
• Shipment Contents
• Unpacking the Secure Content Accelerator
• Installing the Hardware
• Panel Descriptions
• Connecting to Power
• Connecting to Ethernet
The Secure Content Accelerator can be placed on a flat surface as a free-standing unit or rack-mounted in an equipment cabinet. The following sections describe the steps to install the Secure Content Accelerator as a:
• Free-standing unit
• Rack-mounted unit
Position the Secure Content Accelerator on a level surface in an area with access to your network cabling. When installing the Secure Content Accelerator, note that Ethernet and serial cables attach to the front of the chassis and power cables attach to the back.
The front panel of the Secure Content Accelerator, shown in Figure 2-1, contains the following connectors, switches, and LEDs:
• Two DB9 serial ports, marked “AUX” and “CONSOLE”
• Two RJ-45 10/100 Ethernet interface ports, marked “SERVER” and “NETWORK”
• Two power switches

Figure 2-2 Secure Content Accelerator Rear Panel

Figure 2-3 shows the LED layout of the SCA Ethernet ports. Table 2-1 describes the function of each LED on the SCA.
Figure 2-4 shows the LED layout of the SCA2 Ethernet ports. Table 2-2 describes the function of each LED on the device.

Figure 2-4 SCA2 Ethernet Port Detail (figure labels: Reset Switch, Test LED, and the 100, ACT and LNK LEDs of the Server and Network ports)
Plug the power cords into dedicated three-wire grounding receptacles. Switch the power switches to the 1 (on) position.

Note: Connect the power supplies to different circuits to further ensure appliance availability.
Connect the “Server” port to the servers (or to the “Network” port if using one-port mode). Check the LK LEDs for connection viability. If one or both LK LEDs are not lit, see Appendix E, Troubleshooting, for suggestions.
This chapter contains the following sections:
• Before You Begin
• Initiating a Management Session
• Starting the QuickStart Wizard
• Using the QuickStart Wizard
• Using the QuickStart Wizard with a Configured Appliance
Follow these steps to initiate a management session via a serial connection and set an IP address for the device.

Note: When configuring an SCA2 via a serial connection, the displayed prompt is “SCA2” unless a hostname has been defined for the device.
Telnet After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial console CLI, you can connect to the appliance via telnet. Initiate a telnet session with the IP address previously assigned to the appliance.
Is the above information correct? (y/n):

Enter y if the listing is correct. Go to “Using the QuickStart Wizard” below. Enter n if the information is incorrect. You are prompted for the configuration information again.
(See Appendix F for a discussion of port blocking.) You can abort the current clear text port designation and enter a different TCP service port, or approve using TCP service port 80 for clear text.
(_), hyphen (-), and period (.) characters. Key names must begin with an alphabetic character and have a limit of 15 characters.

Enter the URL for a PEM encoded key file:
find or load the file, you receive an error message and are allowed to restart certificate assignment. After the certificate is properly loaded, configure a security policy as described below.
  RSA key size of 1024, exp ARC2_MD5, DES_SHA1, ARC4_SHA1, MD5, and SHA1
  default: RSA key size of 1024, ARC4_MD5, ARC4_SHA1 and exp ARC4_MD5, ARC4_SHA1, ARC2_MD5
  RSA key size of 512, exp ARC4_MD5, MD5, and SHA1

The export (“exp”) suites, RC2, RC4, single DES, MD5 and 512-bit RSA keys in these pre-loaded policies are all considered broken today. Choose or create a policy that contains none of them and assign a key of at least 2048 bits.
If the information is correct, type y. The logical secure server you have configured is created. If you type n, the server configuration process restarts using the current secure server.

Would you like to use the QuickStart wizard to create another ssl-server? (y/n):
A summary screen shows information about the device, keys, certificates, security policies, and the logical secure servers configured on it.

  SCA myDevice
  Keys  capacity 255, defined 3
  -----------------------------------
  Name
  -----------------------------------
  default
  default-512
  default-1024
  10.1.2.3:80  myCert  *not set*
  Default Gateway: 10.1.14.1

The list of keys includes all those loaded into the device. The columns and their descriptions are shown in the table below.
The first column gives the number of the security policy as loaded into the device.
  RC (Reference Count): The number of SSL servers using the security policy
  PolicyList: The names of the individual cryptographic schemes associated with each security policy
QuickStart wizard finishes. If you type n, the QuickStart wizard finishes.

Caution: If the configuration is not saved to flash memory, the configuration is lost during a power cycle or when the reload command is used.
Using the QuickStart Wizard with a Configured Appliance
If you wish to run the QuickStart wizard for a previously configured Cisco Secure Content Accelerator, follow these steps: Initiate a management session and start the configuration manager as described previously.
Configuration mode, simply enter end or exit or press CTRL+D. The finished command returns to the Top Level from any mode. Appendix C lists all commands for SSL devices.

Note: Refer to Chapter 6 for FIPS Mode instructions.
Passwords Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
The nature of the changes depends upon whether you are securing a previously unsecured site, or adding the SSL appliance to an already secure server installation. These changes are described in section “Web Site Changes” in Appendix B.
Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one.

  SCA> enable
  SCA# configure
  (config[SCA])# ip address 10.1.2.5 netmask 255.255.255.0
  (config[SCA])#
Telnet
After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial console CLI, you can connect to the appliance via telnet. Initiate a telnet session with the IP address previously assigned to the appliance. Telnet carries the whole session, including the access and enable passwords, in clear text; restrict the telnet subsystem with an access list (see “Restricting Access using an Access List” in this chapter) or manage the device over the serial console where the management network is not trusted.
Set an enable password to protect the appliance configuration. The password is requested whenever the enable command is given.

Note: Passwords are not echoed to the screen.

  (config[myDevice])# password enable
  Enter new password:
  Confirm password:
  (config[myDevice])# end
  SCA#
Enter Certificate Configuration mode and create a certificate named myCert. Then load the PEM-encoded certificate file. Return to SSL Configuration Mode.

  (config-ssl[myDevice])# cert myCert create
  (config-ssl-cert[myCert])# pem certFile
  (config-ssl-cert[myCert])# end
  (config-ssl[myDevice])#
Then exit to Top Level mode.

  (config-ssl[myDevice])# server myServer create
  (config-ssl-server[myServer])# ip address 10.1.2.4
  (config-ssl-server[myServer])# sslport 443
  (config-ssl-server[myServer])# remoteport 81
  (config-ssl-server[myServer])# key myKey
  (config-ssl-server[myServer])# cert myCert
  (config-ssl-server[myServer])# secpolicy myPol
  (config-ssl-server[myServer])# finished
  SCA#
  (config-ssl-backend[myBackServ])# ip address

Assign port 443 for SSL traffic and port 80 for clear text traffic.

  (config-ssl-backend[myBackServ])# localport 80
  (config-ssl-backend[myBackServ])# remoteport 443

Specify a security policy for the server.

  (config-ssl-backend[myBackServ])# secpolicy strong
Assign port 8080 for clear text traffic.

  (config-ssl-rproxy[myRevServ])# localport 8080

Specify a security policy for the server.

  (config-ssl-rproxy[myRevServ])# secpolicy strong

Note: When using FIPS Mode, only security policies configured for FIPS 140-2-compliant operation are available.
Enter Server Configuration mode for the server for which you wish to configure URL rewrites.

  (config-ssl[SCA])# server myServer
  (config-ssl-server[myServer])#

The urlrewrite command uses the following syntax:

  urlrewrite <domainName> [sslport <portid>] [clearport <portid>] <redirectonly>
A wildcard can be used to specify multiple SSL hosts in the same domain.

  (config-ssl-server[myServer])# urlrewrite *.mybusiness3.com sslport 443 clearport 81

Note: Do not use *.com as a filter. The definition is too broad.
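The rewrite that a urlrewrite rule performs can be modelled offline. The following Python is an added example written for this edit, not code from the guide or the SCA firmware. It assumes the behaviour described above: a backend server that only sees clear text sends redirects to http://host:clearport/..., and the appliance rewrites those Location values to https://host:sslport/... when the host matches the rule, with a leading “*.” wildcard covering hosts in a domain. It also rejects the over-broad *.com pattern the note warns about. The rule values and URLs used are constructed for illustration.

```python
"""Model of the SCA urlrewrite rule as the guide describes it.

Added example for this edit, not code from the guide or the SCA firmware.
A backend that only sees clear text tends to redirect to http://host:clearport/...;
the offloader rewrites such Location values to https://host:sslport/... when
the host matches a configured rule.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class UrlRewriteRule:
    domain: str            # "www.mybusiness.com" or "*.mybusiness3.com"
    sslport: int = 443     # port clients use to reach the logical secure server
    clearport: int = 80    # port the backend server listens on for clear text

    def __post_init__(self) -> None:
        labels = self.domain.lower().split(".")
        if labels[0] == "*":
            # The guide warns that "*.com" is too broad: require at least one
            # label between the wildcard and the top-level domain.
            if len(labels) < 3:
                raise ValueError(f"wildcard pattern too broad: {self.domain}")
            rest = labels[1:]
        else:
            rest = labels
        if any("*" in label for label in rest) or not all(rest):
            raise ValueError(f"only a leading '*.' wildcard is supported: {self.domain}")

    def matches(self, host: str) -> bool:
        host, pattern = host.lower(), self.domain.lower()
        if pattern.startswith("*."):
            # Hosts *in* the domain match; the bare domain itself does not.
            return host.endswith(pattern[1:]) and host != pattern[2:]
        return host == pattern


def rule_accepted(domain: str) -> bool:
    """True if a domain pattern passes the rule's broadness checks."""
    try:
        UrlRewriteRule(domain)
    except ValueError:
        return False
    return True


def rewrite_location(location: str, rules: list[UrlRewriteRule]) -> str:
    """Return the Location header value the client should receive.

    Only http:// URLs whose host matches a rule *and* whose port is that rule's
    clearport are rewritten; anything else passes through unchanged, so a
    redirect to an unrelated site is never silently turned into an https URL
    that the rewritten host does not serve.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return location
    port = parts.port if parts.port is not None else 80
    for rule in rules:
        if rule.matches(parts.hostname) and port == rule.clearport:
            netloc = parts.hostname if rule.sslport == 443 else f"{parts.hostname}:{rule.sslport}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return location
```

The port check matters: a backend redirect that already carries some other port is not the clear-text listener the rule was written for, and rewriting it would point clients at an https port nobody serves.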
  *.mybusiness3.com

For more information about URL rewriting, contact your Cisco representative for a copy of the white paper SSL Offloaders and Contextual Consistency.

Example: Configuring SNTP Servers
Up to four SNTP servers can be configured on the Secure Content Accelerator.
Web management subsystems. An access list can be used by the SNMP subsystem as well. This example demonstrates how to create two access lists and assign each to a management subsystem. Enter Privileged and Configuration modes.

  SCA> enable
  SCA# configure
  (config[myDevice])#
In the following example, the “Network” interface of myDevice is forced to 100 Mbps, full duplex. Make sure to save this configuration to flash.

  (config[myDevice])# interface network
  (config-if[network])# duplex full
  (config-if[network])# speed 100
  (config-if[network])# finished
  SCA#
Use the same key object names previously used to reference the keys.

Step-Up Certificates and Server-Gated Cryptography
Cisco Secure Content Accelerator devices support both Netscape International Step-Up Certificates and Microsoft Server-Gated Cryptography. Ephemeral RSA must be enabled for the device to function properly with these certificates. Load the certificate normally.
CACertFile. The name of the PEM-encoded certificate generated by the intermediary CA is localCertFile. The name of the certificate group is CACertGroup. Initiate a management session as described previously. Enter Privileged and Configuration modes.

  SCA> enable
  SCA# configure
  (config[myDevice])#
  SCA#

Example: Importing Certificate Groups
PKCS#7 certificate groups can be imported directly into the device. This example demonstrates how to import a PEM-encoded PKCS#7 file into the Cisco Secure Content Accelerator. Initiate a management session as described previously. Enter Privileged and Configuration modes.
Initiate a management session as described previously. Enter Privileged and Configuration modes.

  SCA> enable
  SCA# configure
  (config[myDevice])#

Enter SSL Configuration mode and Backend Server Configuration mode for the server myBackServ.

  (config[myDevice])# ssl
  (config-ssl[myDevice])# backend-server myBackServ
  (config-ssl-backend[myBackServ])#
Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.

  (config-ssl-backend[myBackServ])# finished
  SCA# write flash
  SCA#
Exit to Privileged mode, and save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or when the reload command is used.

  (config-ssl-server[myServ])# finished
  SCA# write flash
  SCA#
Note: Using the HTTPS protocol ensures that your key is transmitted securely.

Example: Generating a Certificate
Enter Privileged, Configuration, and SSL Configuration modes.

  SCA> enable
  SCA# configure
  (config[myDevice])# ssl
  (config-ssl[myDevice])#
Note: Using the HTTPS protocol ensures that your certificate is transmitted securely.

Supporting SNMP
Cisco Secure Content Accelerator devices have basic support for SNMP functions. The device is shipped with SNMP disabled. This example demonstrates how to set basic SNMP data.

Example: Configuring SNMP
Initiate a management session as described previously.
  SCA# write flash
  SCA#

Supporting RIP
Cisco Secure Content Accelerator devices support Routing Information Protocol (RIP) versions 1 and 2. This example demonstrates how to enable RIP version 1 packet usage. RIP version 1 carries no authentication, so any host on the connected network can inject routes; enable it only where that is acceptable.

Example: Configuring RIP
Initiate a management session as described previously.
Supporting Other Secure Protocols
Along with SSL, Cisco Secure Content Accelerator devices can support other secure protocols using TLS v1.0, SSL v2.0, and SSL v3.0. IMAPS, POP3S, NNTPS, and LDAPS are some examples. The steps below show how to configure the SSL appliance for setting up a secure server to process only POP3S (S-POP) mail.
In certain situations, you may want to disable individual SSL versions. The SCA allows you to enable or disable these on a version-by-version basis for individual servers. SSL v2.0 in particular has well-known protocol weaknesses and should be disabled on every server unless a legacy client requires it. Initiate a management session as described previously.
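What a security policy and a version choice mean in practice can be checked offline before the configuration is written to flash. The following Python is an added example written for this edit, not code from the guide or the SCA; it audits a constructed logical secure server against the suite names the guide uses (ARC4_MD5, ARC4_SHA1, DES_SHA1, exp ARC2_MD5 and so on, see the pre-loaded policies in Chapter 3) and the protocol versions listed above, and strips the weak suites out of a policy. The policy contents and the 3DES_SHA1 suite name are assumptions for illustration, not values read from a device. TLS v1.0, the newest version the SCA offers, is itself deprecated today (RFC 8996); the audit therefore flags only SSL v2.0 and SSL v3.0, which should never be left enabled.

```python
"""Offline audit of a logical secure server's security policy and SSL versions.

Added example for this edit, not part of the guide or the SCA firmware.  Suite
names follow the guide's cipher_hash form (ARC4_SHA1, DES_SHA1, "exp ARC2_MD5").
"""
from dataclasses import dataclass, field

# Cipher tokens the SCA uses that no longer provide adequate security, with the reason.
WEAK_CIPHERS = {
    "ARC2": "RC2 (40-bit export cipher)",
    "ARC4": "RC4 (biased keystream, prohibited for TLS by RFC 7465)",
    "DES": "single DES (56-bit key)",
}
WEAK_MACS = {"MD5": "MD5-based MAC"}
OBSOLETE_VERSIONS = ("SSLv2", "SSLv3")   # SSL v2.0 and v3.0, selectable per server on the SCA
MIN_RSA_BITS = 2048                       # the guide's pre-loaded keys are 512 and 1024 bits


@dataclass
class SecurityPolicy:
    name: str
    suites: list[str]            # e.g. ["ARC4_SHA1", "exp ARC2_MD5"]


@dataclass
class SecureServer:
    name: str
    key_bits: int                # size of the RSA key assigned with "key <name>"
    policy: SecurityPolicy       # assigned with "secpolicy <name>"
    versions: set[str] = field(default_factory=lambda: {"SSLv2", "SSLv3", "TLSv1"})


def audit_suite(suite: str) -> list[str]:
    """Findings for one suite name; an empty list means the suite is acceptable."""
    findings = []
    tokens = suite.strip().upper().replace("EXP ", "EXP_").split("_")
    if tokens[0] == "EXP":
        findings.append(f"{suite}: export-grade suite (deliberately shortened key)")
        tokens = tokens[1:]
    cipher, mac = tokens[0], tokens[-1]
    if cipher in WEAK_CIPHERS:
        findings.append(f"{suite}: {WEAK_CIPHERS[cipher]}")
    if mac in WEAK_MACS:
        findings.append(f"{suite}: {WEAK_MACS[mac]}")
    return findings


def audit_server(server: SecureServer) -> list[str]:
    """All findings for a server: key size, every suite in its policy, enabled versions."""
    findings = []
    if server.key_bits < MIN_RSA_BITS:
        findings.append(f"{server.name}: RSA key is {server.key_bits} bits, below {MIN_RSA_BITS}")
    for suite in server.policy.suites:
        findings.extend(f"{server.name}/{server.policy.name}: {f}" for f in audit_suite(suite))
    for version in OBSOLETE_VERSIONS:
        if version in server.versions:
            findings.append(f"{server.name}: {version} enabled; disable it unless a legacy client needs it")
    return findings


def harden(policy: SecurityPolicy) -> SecurityPolicy:
    """Copy of the policy with every flagged suite removed.

    A policy must keep at least one suite, otherwise no client could negotiate
    a session with the server, so an empty result is an error rather than a
    silently unusable policy.
    """
    kept = [s for s in policy.suites if not audit_suite(s)]
    if not kept:
        raise ValueError(f"policy {policy.name}: no acceptable suite remains; choose a different policy")
    return SecurityPolicy(f"{policy.name}-hardened", kept)
```

Run audit_server over every logical secure server, backend server and reverse-proxy server in the configuration; a non-empty result is a reason to pick or create a different secpolicy, generate a longer key, and clear the SSL v2.0 and v3.0 version selections for that server.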
(maxfailure), the virtual server is marked as “suspended”. When the hardware server comes back online, the keepalive messages discover the server and mark it “active” again.
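The suspend and recover behaviour described above can be modelled as a small state machine, which is useful when deciding what maxfailure value to set against the probe interval. The following Python is an added example written for this edit, not SCA firmware; it assumes the rule exactly as stated (maxfailure consecutive probe failures suspend the virtual server, the first successful probe afterwards marks it active again, and a success in between resets the failure count). The probe sequences are constructed.

```python
"""Keepalive monitor for one virtual server, modelling the guide's description.

Added example for this edit, not SCA firmware.  A server is "active" until
maxfailure consecutive keepalive probes fail; it is then "suspended" until the
next probe succeeds.  Any successful probe resets the failure count.
"""
from dataclasses import dataclass, field


@dataclass
class KeepaliveMonitor:
    maxfailure: int                       # consecutive failures before suspension
    status: str = "active"
    consecutive_failures: int = 0
    probes_seen: int = 0
    transitions: list[tuple[int, str]] = field(default_factory=list)  # (probe number, new status)

    def __post_init__(self) -> None:
        if self.maxfailure < 1:
            raise ValueError("maxfailure must be at least 1")

    def record(self, probe_ok: bool) -> str:
        """Feed one probe result and return the resulting status."""
        self.probes_seen += 1
        if probe_ok:
            self.consecutive_failures = 0
            if self.status != "active":
                self._set("active")
        else:
            self.consecutive_failures += 1
            if self.status == "active" and self.consecutive_failures >= self.maxfailure:
                self._set("suspended")
        return self.status

    def _set(self, status: str) -> None:
        self.status = status
        self.transitions.append((self.probes_seen, status))


def replay(maxfailure: int, results: list[bool]) -> list[tuple[int, str]]:
    """Replay a probe sequence and return the status transitions it produced."""
    monitor = KeepaliveMonitor(maxfailure)
    for ok in results:
        monitor.record(ok)
    return monitor.transitions


if __name__ == "__main__":
    # Constructed sequence: two failures, recovery, then three failures, recovery.
    print(replay(3, [True, False, False, True, False, False, False, True]))
```

With maxfailure 3 the sequence above suspends the server at probe 7 and reactivates it at probe 8; a server that flaps just below the threshold is never suspended at all, which is the case to watch when choosing the value.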
  (config-ssl-server[myServer])# finished
  SCA#

Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used.

  SCA# write flash
  SCA#
  (config[myDevice])# end
  SCA#

Save the configuration to flash memory. If not saved, the configuration is lost during a power cycle or when the reload command is used.

  SCA# write flash
  SCA#
Chapter 5: Graphical User Interface Reference
This chapter describes how to use the Graphical User Interface (GUI) to configure the Cisco Secure Content Accelerator. The GUI provides a convenient, Web browser-based method of configuring the Secure Content Accelerator.

Note: The GUI cannot be used to configure the Secure Content Accelerator...
CLI command. Web management status is shown in the returned listing as follows:

  Web Management: disabled

Enter Privileged and Configuration modes and enable Web management using these commands:

  enable
  configure
  web-mgmt enable
Figure 5-1. Use “admin” for the user name. If no enable password has been configured, the GUI starts at the General content area without asking for a password, so set an enable password before enabling Web management; otherwise anyone who can reach the Web management port can reconfigure the device.
The GUI is divided into two main parts: the area panel on the left and content tabs on the right. Figure 5-2 shows an example of this interface. Take a few moments to familiarize yourself with the screen layout.
IP statistics, set DNS information
• Log: Set syslog message hosts and clear and view the device message log
• Tools: Reboot the device, manage running and startup configurations, update firmware, and run diagnostic commands
Follow these steps to change the hostname of the device to myDevice. Click General to activate the General content tabs. Click the Settings tab. The Settings page opens, as shown in Figure 5-3. Type “myDevice” in the Device Name text box.
Type the new IP address information including the appropriate netmask and default router in the Internet Address, Netmask, and Gateway text boxes, respectively, on the Settings tab. The Settings page opens, as shown in Figure 5-4.
Click Network to activate the Network tabs. Use the list box in the Network Interface or Server Interface panel of the Settings tab to change the Ethernet interface settings. The Settings page is shown in Figure 5-5.
Click Update.

Example: Adding a Route to the Routing Table
Click Network to activate the Network tabs. Click the Route tab. The Route page opens, as shown in Figure 5-7.
Scroll to the bottom of the page, if necessary, to see the Add Route button. Click Add Route. The Add Route window opens as shown in Figure 5-8.

Figure 5-8 Adding a Route Example
Enter the appropriate port ID, and select the desired facility from the Facility drop-down list box. Click Update. Use the View Log tab to display the syslog and clear the syslogs.
Click the Access Control Lists tab. The Access Control Lists page opens, as shown in Figure 5-10.

Figure 5-10 Access List Configuration Example

Click Add Access Entry. The Add Access Control List window opens, as shown in Figure 5-11.
Appendix C for more information.) Click OK to create the access list entry and close the window. Click the Subsystem tab. The Subsystem page opens, as shown in Figure 5-12.
Type the number of the access list just created in the Access Control List Id text box of the Web Management panel. (You can also change the TCP port on this tab.) Click Update.
Any changes you have made but have not saved are lost.

Figure 5-14 Save Changes Button

Click Reboot on the Restart page. The appliance reboots using the configuration stored in flash memory.
Click Update to set the password.

Note: To remove an existing Enable password entirely, clear the Enable checkbox and type the existing password in the Old Password text box. Click Update.
Click Update after changing the value in each field and selecting the Enabled check box. Click the Traps tab. The Traps page opens, as shown in Figure 5-17.
Figure 5-17 SNMP Trap Example

Click Add Trap Host to specify a host to which to send trapping messages. The Add Trap Host window opens, as shown in Figure 5-18.
Threshold/Hysteresis Low text box.

Note: Additional information is presented in the online Help for this tab. Click Help in the top right corner of the window.

Click Update to set the configuration.
file, and paste it into the Paste Private Key Here text box on the Paste tab. For an example of key generation, see “Example: Generating an RSA Private Key”.)
Next, load a certificate to assign to the secure server. In this example, a certificate is imported into the GUI. Click the Certificates tab. The Certificates page opens, as shown in Figure 5-22.
Several security policies are pre-loaded into the Secure Content Accelerator. You can use any of these or create your own policy when configuring a server. This example demonstrates how to create a user-defined security policy.
CTRL+clicking the entries in the Security Policy Algorithms list box. Click OK to create the policy. Now, set up the secure server. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-29 78-13124-06...
Click the Secure Servers tab. The Secure Servers page opens, as shown in Figure 5-27. Figure 5-27 Secure Servers Tab Click Add Secure Server. The Add Secure Server window opens, as shown in Figure 5-28. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-30 78-13124-06...
If you wish to use a log server, enter the appropriate information in the Log Server IP text boxes. You can disable any of the SSL/TLS versions by clearing your choice in the SSL Version Support check boxes. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-31 78-13124-06...
(including wildcard, if appropriate) in the URL Clear-Text Port text box. Edit the port definitions, if necessary. Click Add, as shown in Figure 5-31, to define the URL rewrite rule. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-32 78-13124-06...
For more information, see the “Example: Configuring Secure URL Rewrite” section on page 4-12. Select the desired options in the Client Certificate Authentication panel, shown in Figure 5-32. Figure 5-32 Add Secure Server Information Example Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-33 78-13124-06...
Click OK to create the secure server on the Secure Content Accelerator. The same procedures are used to create and edit backend servers and reverse-proxy servers. Options presented in the window change, depending upon the type of server being configured. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-34 78-13124-06...
Certificate Group”, below, for a demonstration. Click SSL to activate the SSL tabs. Click the Certificate Groups tab. The Certificate Groups page is shown in Figure 5-35. Figure 5-35 Certificate Groups Tab Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-35 78-13124-06...
Either click Edit next to an existing secure server, or click Add Secure Server to create a new server. The appropriate secure server window opens. Locate the Server Certificate and Security Policy panel. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-36 78-13124-06...
Select strong from the Security Policy list box. Select default-1024 from the Certificate list box. Select default-1024 from the Private Key list box. These options are shown in Figure 5-38. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-37 78-13124-06...
Example: Generating an RSA Private Key This example demonstrates how to generate an RSA private key named myOwnKey. Click SSL to activate the SSL tabs. Click Add Private Key. The Add Private Key window opens. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-38 78-13124-06...
DES encryption and can be saved to a file. Display key using Des3 Encryption: The private key is displayed using • 3DES encryption and can be saved to a file. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-39 78-13124-06...
Encryption were selected, the key is generated and a window opens, displaying the encrypted key. This is shown in Figure 5-41. Click Download Encrypted Private Key to make a backup copy of the key, if desired. Click Close. Cisco 11000 Series Secure Content Accelerator Configuration Guide 5-40 78-13124-06...
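An added example, not from the guide and not Cisco's code: after downloading the encrypted private key, confirm that the backup really is encrypted, and with which cipher, before archiving it. The check below reads the Proc-Type and DEK-Info headers that a DES- or 3DES-encrypted PEM key carries. It assumes the appliance exports the key in that traditional PEM format; the function names are mine, and the sample PEM blobs are constructed with a placeholder body rather than real key material.

```python
"""Check that an exported private-key backup is encrypted, and with what.
Added example for this guide, not Cisco code. Assumes the download is a
traditional OpenSSL-style PEM file whose encryption is recorded in
Proc-Type / DEK-Info headers (RFC 1421 style)."""
import base64
import binascii
import re
from typing import Dict, List

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

# Cipher names as written in a DEK-Info header. Single DES has a 56-bit key;
# of the two options the appliance offers, only 3DES should be accepted.
WEAK_CIPHERS = {"DES-CBC"}
ACCEPTABLE_CIPHERS = {"DES-EDE3-CBC"}


def inspect_key_backup(pem_text: str) -> Dict[str, object]:
    """Report label, encryption status, cipher and warnings for one PEM block."""
    warnings: List[str] = []
    result: Dict[str, object] = {"label": None, "encrypted": False,
                                 "cipher": None, "warnings": warnings}
    m = PEM_RE.search(pem_text)
    if not m:
        warnings.append("no PEM block found")
        return result
    result["label"] = m.group("label")

    lines = m.group("body").splitlines()
    headers = {}
    # Encapsulated headers come first, terminated by a blank line; a key with
    # no headers starts its base64 body immediately.
    while lines and lines[0].strip() and ":" in lines[0]:
        name, value = lines.pop(0).split(":", 1)
        headers[name.strip()] = value.strip()
    body = "".join(line.strip() for line in lines)
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        warnings.append("body is not valid base64")

    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        cipher = headers["DEK-Info"].split(",")[0].strip()
        result["encrypted"] = True
        result["cipher"] = cipher
        if cipher in WEAK_CIPHERS:
            warnings.append(f"{cipher} is single DES; re-export with 3DES")
        elif cipher not in ACCEPTABLE_CIPHERS:
            warnings.append(f"unrecognised cipher {cipher}")
    else:
        warnings.append("private key is stored in clear text")
    return result


def _constructed_pem(headers: str) -> str:
    """Build a constructed PEM blob with a placeholder body (not key material)."""
    body = base64.b64encode(b"constructed placeholder, not key material" * 2).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + headers + wrapped
            + "\n-----END RSA PRIVATE KEY-----\n")


# Constructed samples: one 3DES-encrypted, one single-DES, one clear text.
SAMPLE_3DES = _constructed_pem(
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
SAMPLE_DES = _constructed_pem(
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-CBC,0123456789ABCDEF\n\n")
SAMPLE_CLEAR = _constructed_pem("")

if __name__ == "__main__":
    for name, blob in (("3DES", SAMPLE_3DES), ("DES", SAMPLE_DES), ("clear", SAMPLE_CLEAR)):
        print(name, inspect_key_backup(blob))
```

Run it against the downloaded file's contents instead of the samples; anything other than an empty warnings list means the backup should not be archived as-is.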
Select the appropriate header from the CSR Header list box. Click OK. The certificate is created and the Generate Certificate Signing Request (CSR) window opens, as shown in Figure 5-43.

Figure 5-43 Generate Self-Signed Certificate

Click Self-sign this CSR to generate a self-signed digital certificate to be used for testing while you wait for the CSR to be signed by your CA. The Generate Self-signed Certificate window opens, as shown in Figure 5-44.

Figure 5-44 Self-Signed Certificate Example

Select the encoding option for the file to import by clicking the appropriate Encoding option button. Either type the name and path of the PKCS#7 file to import, or click Browse and navigate to and select the file. Click OK.

Type the key password in the Password text box. Either type the name and path of the PKCS#12 file to import, or click Browse and navigate to and select the file. Click OK.

Follow the instructions and prompts in the wizard to configure the secure server. When you have completed configuring the server, you can immediately configure another one or exit the Secure Server wizard.

FIPS 140-2-compliant operation. This chapter contains the following sections:
• FIPS Capabilities
• Using FIPS Mode
• Command Changes
• Returning to Normal Operation
• More Information

Note: FIPS operation is only available on the SCA2.

Using FIPS Mode

Note: A tamper-evident sticker is affixed to the Secure Content Accelerator. When using the device for FIPS-compliant operation, this sticker must remain in place and untouched.
You need to provide an access-level password of at least 8 characters.
Enter new password:
Confirm password:
You need to provide an enable-level password of at least 8 characters.
Enter new password:
Confirm new password:

“FailSafe” password as described in the “Factory Default Reset Password” section on page 4-4. All configuration will be lost! Use the enable-level password to enter Privileged Mode.
Enter the enable-level password:

Differing Command Behaviors

Some commands behave differently while the Secure Content Accelerator is in FIPS Mode. These commands and notes about their usage are presented in Table 6-2, below.

FIPS Mode passwords must be at least eight characters in length and are limited to a character set containing the letters of the alphabet, the Arabic numerals, period (.), hyphen (-), underscore (_), and the symbols !@#$%^&*+=[]{};:<>?~ . Any other character, including the space, is rejected.
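As an added example (not Cisco's code), a pre-flight check for the two passwords the FIPS Mode prompt asks for, implementing the length and character-set rule above so a rejected password is caught before it is typed at the prompt. The function names are mine, and reading “the alphabet” as the ASCII letters is an assumption the guide does not spell out.

```python
"""Pre-flight check for the access- and enable-level passwords that FIPS Mode
requires. Added example for this guide, not Cisco code; it checks the length
and character-set rule stated above before you type the password at the
prompt. "The alphabet" is taken to mean ASCII letters (an assumption)."""
import string
from typing import List, Optional

FIPS_MIN_LEN = 8
# Character set from the guide: letters, Arabic numerals, period, hyphen,
# underscore and the listed symbols. Nothing else (no space, no comma).
FIPS_SYMBOLS = set(".-_!@#$%^&*+=[]{};:<>?~")
FIPS_ALLOWED = set(string.ascii_letters) | set(string.digits) | FIPS_SYMBOLS


def fips_password_problems(password: str, confirm: Optional[str] = None) -> List[str]:
    """Return every reason the password would be rejected; empty means OK."""
    problems: List[str] = []
    if len(password) < FIPS_MIN_LEN:
        problems.append(f"shorter than {FIPS_MIN_LEN} characters")
    disallowed = sorted({c for c in password if c not in FIPS_ALLOWED})
    if disallowed:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in disallowed))
    if confirm is not None and confirm != password:
        problems.append("confirmation does not match")
    return problems


def fips_password_ok(password: str, confirm: Optional[str] = None) -> bool:
    """True when the password satisfies the FIPS Mode rule (and matches confirm)."""
    return not fips_password_problems(password, confirm)


def check_fips_password_pair(access: str, enable: str) -> List[str]:
    """Check both passwords the FIPS prompt asks for, tagging each problem."""
    return ([f"access-level password: {p}" for p in fips_password_problems(access)]
            + [f"enable-level password: {p}" for p in fips_password_problems(enable)])


if __name__ == "__main__":
    for candidate in ("Sca2-Fips!", "Sh0rt!", "no spaces here", "a,b;c/d|e"):
        print(repr(candidate), fips_password_problems(candidate) or "OK")
```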
Press y when prompted to reboot the Secure Content Accelerator. After the device reboots, you are prompted for the access-level password. When the password is accepted, the “[FIPS]” portion of the prompt is removed, reflecting normal operation of the Secure Content Accelerator.

More Information

For more information about the NIST Cryptographic Module Validation Program, see http://csrc.nist.gov/cryptval/cmvp.htm.
Appendix: Specifications

This appendix presents the specifications for both Secure Content Accelerator versions. It contains the following sections:
• Electrical Specifications
• Environmental Specifications
• Physical Specifications

This appendix contains the following sections:
• Single Device
• Load Balancing
• Use with the CSS
• Connecting the Device to a Terminal Server
• Web Site Changes
• Transparent Local-Listen

If the load balancer is using URL- or cookie-related load balancing, install the appliance in front of the load balancer. In this configuration, the load balancer receives clear text packets decrypted by the SSL device. Figure B-2 shows a typical installation.

“Server” Ethernet interface to the load balancer. For information about configuring the Secure Content Accelerator in conjunction with the CSS 11000 Series Content Services Switch (hereinafter referred to as the CSS), see “Use with the CSS”.

Secure Content Accelerator or the CSS. However, the deployment provides a low level of scalability, based upon the capacity of the CSS. An example deployment is shown in Figure B-3.

TCP service port to the CSS. All port 80 traffic is bridged transparently to the CSS. Table B-1 shows basic configuration actions for both the CSS and Secure Content Accelerator.
  10.176.11.100
  add service s1
  add service s2
  add service s3
  add service s4
  protocol tcp
  port 81
  url "/secure/*"
  active

15
### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 10.176.10.1 metric 1
### RIP ###
no rip
### DNS ###
no ip name-server
no ip domain-name

“SSL”
  ephrsa
  keepalive frequency 5
The resulting log file can be utilized by all popular log analysis tools. Figure B-4 shows a typical deployment.

443 traffic terminates on Secure Content Accelerator devices, each connected to the CSS via a single port. Table B-2 shows basic configuration actions for both the CSS and Secure Content Accelerator.
Below is a sample configuration for the CSS.

!Generated on 11/18/2000 17:38:37
!Active version: ap0400007s
configure
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
ip route 0.0.0.0 0.0.0.0 10.100.1.1 1

  10.176.10.11
  protocol tcp
  active
service s3
  ip address 10.176.10.12
  protocol tcp
  active
service s4
  ip address 10.176.10.13
  protocol tcp
  active
service ssl1-443
  port 443
  protocol tcp
  ip address 10.176.1.3
  active

  443
  protocol tcp
  ip address 10.176.1.6
  active
service ssl4-444
  port 444
  protocol tcp
  ip address 10.176.1.6
  active
service ssl5-443
  port 443
  protocol tcp
  ip address 10.176.1.7
  active

  81
  url "/*"
  active
content ssl
  vip address 10.176.11.100
  protocol tcp
  port 443
  add service ssl1-443

  10.176.11.101
  port 443
  add service ssl2-444
  add service ssl1-444
  add service ssl3-444
  add service ssl4-444
  add service ssl5-444
  add service ssl6-444
  active

### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 10.176.10.1 metric 1
### RIP ###
no rip
### DNS ###
no ip name-server
no ip domain-name
The one-armed transparent proxy deployment is the most complex to configure, but it provides a high degree of scalability and extended features, including IP address accounting. Figure B-5 shows a typical deployment.

CSS properly.
• Static routes must be added to the CSS so that traffic that should not pass through the Secure Content Accelerator devices is routed properly.

Accelerator devices and management stations requiring ICMP or SNMP to operate will not have access to SSL processing. Table B-3 shows basic configuration actions for both the CSS and Secure Content Accelerator.

• Create Layer 5 rules for secure content
• Create content rules as required for non-secure content
• Define ACLs and upstream router service to ensure proper routing of traffic not terminated on the CSS
  10.176.10.10
  protocol tcp
  active
service s2
  ip address 10.176.10.11
  protocol tcp
  active
service s3
  ip address 10.176.10.12
  protocol tcp
  active
service s4
  ip address 10.176.10.13
  protocol tcp
  active

  10.176.4.3
  active
service ssl5
  port 443
  protocol tcp
  type transparent-cache
  no cache-bypass
  ip address 10.176.5.3
  active
service ssl6
  port 443
  protocol tcp
  type transparent-cache
  no cache-bypass
  ip address 10.176.6.3
  active

  10.176.11.100
  active
!**************************** ACL ****************************
acl 8
  clause 10 permit any any destination any
  apply circuit-(VLAN8)

  50 permit udp any eq 2932 destination any prefer upstream-router
  clause 99 permit any any destination any
  apply circuit-(VLAN6)
  apply circuit-(VLAN5)
  apply circuit-(VLAN4)
  apply circuit-(VLAN3)
  apply circuit-(VLAN2)
  apply circuit-(VLAN1)

### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 10.176.1.1 metric 1
### RIP ###
no rip
### DNS ###
no ip name-server
no ip domain-name

“SSL”
  ephrsa
  keepalive frequency 5
Connecting the Device to a Terminal Server

The Secure Content Accelerator can be connected to a terminal server, such as the Cisco 2511 Access Server. You will need a standard RJ45-DB9F adapter (CAB-9AS-FDTE, part number 74-0495-01). Attach the RJ45-DB9F adapter to the CONSOLE port of the Secure Content Accelerator.

The content and services portion of the CSS configuration is nearly identical to the configuration used in non-transparent proxy mode, while the network portion of the CSS configuration mirrors that used in transparent mode.

ECMP (or some other hashing mechanism) is still necessary for proper routing of traffic within the offloading triangle.

• Editing and Completion Features
• Command Hierarchy
• Configuration Security
• Methods to Manage the Device
• Initiating a Management Session
• Top Level Command Set
• Configuration Command Set

Items within angle brackets (“<>”) are required information. Items within square brackets (“[]”) are optional information. Items separated by a vertical bar (“|”) are alternatives; you can choose any one of them.

Displays the previous command in the command history
CTRL+U  Erases characters from the cursor to the beginning of the line
CTRL+W  Erases the previous word
CTRL+Z  Leaves the current mode and returns to Top Level mode

The TAB key can also be used to finish a command if the command is uniquely identified by the characters typed so far. For example,

SCA> show cop[TAB]

results in

SCA> show copyrights

Secure Content Accelerator device fit into the logical hierarchy shown in Figure C-1.

Figure C-1 Command Hierarchy: Top Level (Non-Privileged commands, Privileged commands, Configuration); under Configuration: Interface, Certificate, Certificate Group, Security Policy, Server, Backend Server, Reverse-Proxy Server; TCP-Tuning under the server modes.

Passwords

Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.

Caution: All configuration is lost when using the factory default reset password.

Methods to Manage the Device

You can configure the Cisco Secure Content Accelerator using one of three methods, two of which use the CLI configuration manager.
• Serial connection, configuration manager

Chapter 3. Brief instructions are also included for initiating a management session using the configuration manager. For instructions on using the telnet and serial console CLI configuration managers, see Chapter 4; for instructions on using the GUI, see Chapter 5.

Enter Privileged and Configuration modes and set the IP address using the following commands. Replace the IP address in the example with the appropriate one.

SCA> enable
SCA# configure
(config[SCA])# ip address 10.1.2.5
(config[SCA])#

URL in the form of HOST/PATH/FILENAME using the http://, https://, ftp://, or tftp:// prefix.

Telnet

After you have assigned an IP address to the Cisco Secure Content Accelerator using the serial connection configuration manager, you can connect to the appliance via telnet. Telnet carries the access- and enable-level passwords across the network in clear text, so restrict telnet sessions to your management stations with an access list (see “Access Lists”) and prefer the serial console where the management network is not trusted; in FIPS Mode the commands are available over serial only.
(page 37): Displays DNS information for the device.
show flows, page 37: Displays IP connection information for the device.
show history, page 37: Displays the last commands executed.

show password, page 44: Displays enable password configuration status.
show password idle-timeout, page 44: Displays the configured password idle-timeout period.
show processes, page 44: Displays information, by thread, about processes running on the device.

(page 61): Displays the list of hosts to which diagnostic messages from the device are sent.
show system-resources, page 61: Displays system memory and CPU usage for the device.

Clears the IP routing table on the device.
clear line, page 69: Closes a specified management session.
clear log, page 69: Clears the diagnostic message buffer.
clear messages, page 70: Empties the diagnostic message buffer on the device.

fips enable, page 76: Starts FIPS-compliant mode for a device in Privileged mode.
quick-start, page 76: Runs the QuickStart wizard for the device.
refresh, page 77: Updates device information in the configuration manager.

Allows the administrator to set the date or time.
end, page 86: Leaves Configuration Mode and returns to Privileged Mode.
exit, page 86: Leaves Configuration Mode and returns to Privileged Mode.

Stores the registration code of the device.
rip, page 94: Enables Routing Information Protocol (RIP) for the current device.
no snmp, page 95: Disables SNMP and clears all SNMP data.

Allows telnet management sessions for the device.
telnet port, page 107: Specifies the TCP service port to use for telnet management sessions.
timezone, page 108: Specifies the time zone of the device’s location.

Top Level mode.
help, page 112: Displays help information for the specified command.
speed, page 112: Forces the speed of the current Ethernet interface to 10 Mbps or 100 Mbps.

Reverse-Proxy Server Configuration mode for that server.
secpolicy, page 121: Creates and/or configures the specified security policy and enters Security Policy Configuration mode for the security policy.

(page 127): Allows keepalive messages to be sent to the hardware server corresponding to the current virtual backend server.
keepalive frequency, page 127: Specifies the interval between keepalive messages.

(page 136): Enables the backend server to function as a transparent proxy (default).
urlrewrite, page 137: Sets or removes a specified URL rewrite rule for the current backend server.

(page 142): Adds the specified, existing certificate object to the current certificate group.
end, page 142: Exits Certificate Group Configuration mode, activates all changes, and returns to SSL Configuration mode.

(page 148): Displays current information about the key being created or edited.
net-iis, page 148: Loads a private key exported from IIS 4 (IIS 4 only) into the key entity.

Creates an association between this server and the specified security policy.
serverauth enable, page 155: Enables server certificate authentication.
serverauth ignore, page 155: Specifies the server authentication errors to ignore.

Leaves Security Policy Configuration Mode and returns to Top Level mode.
help, page 164: Displays help information for the specified command.
info, page 164: Displays current information about the security policy being edited or created.

Leaves Server Configuration Mode and returns to Top Level mode.
help, page 172: Displays help information for the specified command.
httpheader, page 172: Specifies the header information to pass to hardware servers.

Specifies the port on which the logical secure server receives SSL traffic. The SSL traffic is decrypted and sent to the physical server using the TCP service port previously specified with the remoteport command.

(page 193): Specifies the number of times an unacknowledged segment is retransmitted.
maxrt, page 194: Specifies the amount of time a TCP connection will remain open after a peer stops responding.

(page 202)
ts, page 203: Controls use of the TCP timestamp option.
wnd-scale, page 204: Controls use of the TCP window scale option.
Related Commands quit (Non-Privileged Command Set) help Displays help information for the specified command. help [command] Syntax Description command The name of the command. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-32 78-13124-06...
Pauses the configuration manager until a key is pressed. paws Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) ping Sends ICMP packets to the specified IP address. ping <ipaddr|name> Cisco 11000 Series Secure Content Accelerator Configuration Guide C-33 78-13124-06...
When executed from telnet, the telnet connection is closed. Related Commands exit (Non-Privileged Command Set) set monitor-interval Sets the number of seconds between monitor-prefixed command refreshes. set monitor-interval <value> no set monitor-interval Cisco 11000 Series Secure Content Accelerator Configuration Guide C-34 78-13124-06...
Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show version (Non-Privileged Command Set) show cpu Displays CPU utilization information the device. show cpu [continuous] [interval <value>] Cisco 11000 Series Secure Content Accelerator Configuration Guide C-35 78-13124-06...
Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands rdate-server (Configuration Command Set) show device Displays information about the device. show device Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-36 78-13124-06...
Displays the last commands executed. show history Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show terminal (Top Level Command Set) terminal history (Top Level Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-37 78-13124-06...
Displays information for the “Network” interface. server Displays information for the “Server” interface. continuous Displays errors continuously. interval Specifies an interval for display updates. value The interval in seconds. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-38 78-13124-06...
If a single interface is not specified, statistics are displayed for both interfaces. If continuous is specified, statistics are updated every second. Use the interval option to specify an interval for display updates. Press any key to stop displaying statistics. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-39 78-13124-06...
Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands ip domain-name (Configuration Command Set) show dns (Non-Privileged Command Set) show ip domain-name (Non-Privileged Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-40 78-13124-06...
Displays a list of keepalive-monitor IP addresses for one or more devices. show keepalive-monitor Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) SSL errors from IP addresses specified with the keepalive-monitor command are ignored. Related Commands keepalive-monitor (Configuration Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-41 78-13124-06...
The zones flag is used to display information for each memory zone. show messages Displays the diagnostic message buffer for the device. show messages Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-42 78-13124-06...
Availability: Serial, Telnet; FIPS Mode (serial only). Related Commands password (Configuration Set) show processes Displays information, by thread, about processes running on the device. show processes Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-44 78-13124-06...
Displays the routing table stored in the device. show route Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands show ip routes (Top Level Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-45 78-13124-06...
(Configuration Command Set) show sntp-server Displays SNTP-server information for the device. show sntp-server Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) The SNTP server is used for date and time information. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-46 78-13124-06...
Syntax Description certname The name of the certificate. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a certificate name, all certificate entity information is displayed. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-47 78-13124-06...
Error Description SSL Negotiation Errors The number of SSL negotiation failures Total SSL Connections Rejected The number of SSL connections rejected when the pre-defined limit of connections has been exceeded Cisco 11000 Series Secure Content Accelerator Configuration Guide C-49 78-13124-06...
Page 244
Generated when reading from a remote server server Broken Connection Read Errors Generated when reading from a remote from remote server server after the remote server as reset the connection Cisco 11000 Series Secure Content Accelerator Configuration Guide C-50 78-13124-06...
Page 245
"Operation already in progress" "lower error" "I/O error" "Destination host is down" "Unsupported protocol" "Destination network is down" "Destination host unreachable" "Destination network unreachable" "Protocol Family not supported" "Prototype error" Cisco 11000 Series Secure Content Accelerator Configuration Guide C-51 78-13124-06...
Page 246
"Operation already in progress" "lower error" "I/O error" "Destination host is down" "Unsupported protocol" "Destination network is down" "Destination host unreachable" "Destination network unreachable" "Protocol Family not supported" "Prototype error" Cisco 11000 Series Secure Content Accelerator Configuration Guide C-52 78-13124-06...
See the sections “SSL Configuration Command Set” and “Key Configuration Command Set”. show ssl secpolicy Displays summary data for the specified security policy on the device. show ssl secpolicy [polname] Syntax Description polname The name of the security policy. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-54 78-13124-06...
If you do not specify a secure server name, all secure server information is displayed. Related Commands show ssl (Non-Privileged Command Set) show ssl cert (Non-Privileged Command Set) show ssl certgroup (Non-Privileged Command Set) Cisco 11000 Series Secure Content Accelerator Configuration Guide C-55 78-13124-06...
Use the interval keyword to specify an interval for display updates. Press any key to stop displaying information. Table C-18 below presents a description of the items in the output. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-56 78-13124-06...
(All Servers) An SSL session cache miss has occurred. Reuse Attempt on Timed Out Session (All Servers) An SSL session cache (RATS) reuse attempt has occurred for a session id that has timed out. Cisco 11000 Series Secure Content Accelerator Configuration Guide C-57 78-13124-06...
(Configuration Command Set) See the section “SSL Configuration Command Set”. show ssl statistics Displays SSL statistics summed over all secure logical servers on the device. show ssl statistics [continuous] [interval <value>] Cisco 11000 Series Secure Content Accelerator Configuration Guide C-58 78-13124-06...
The number of SSL connections refused Total SSL Connections Rejected The number of SSL connections rejected when the pre-defined limit of connections has been exceeded Total Connections Accepted The number of client connections accepted Cisco 11000 Series Secure Content Accelerator Configuration Guide C-59 78-13124-06...
Keyword indicating all TCP tuning information should be displayed. servername Specifies the server for which TCP tuning parameters should be displayed. defaults Keyword indicating default TCP tuning values should be displayed.
Availability: Serial, Telnet; FIPS Mode (serial only) Use the continuous option to update the information every second. Use the interval option to specify an interval for display updates. Press any key to stop displaying information.
The number of commands to store in the history buffer. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable the history list. The default is 25.
Enables the terminal pager. terminal pager no terminal pager Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Using the no form of the command disables the pager.
Sets the width of the terminal window. terminal width <width> Syntax Description width The desired width of the terminal window. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
The number of hops to trace. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) When issued from a serial or telnet connection, the command returns information based upon the device’s hardware.
Use the show sessions command to display the open management sessions. Related Commands show sessions (Non-Privileged Command Set) clear log Clears the diagnostics message buffer. clear log Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
(Privileged Command Set) copy to running-configuration (Privileged Command Set) copy to startup-configuration (Privileged Command Set) copy to flash Uploads a Cisco Secure Content Accelerator image file to the device flash. copy to flash [url] Syntax Description url The URL of the file.
Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a URL, you are prompted for it.
Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Note When using the quick-start command in FIPS Mode to create a server, only the FIPS and weak security policies are available.
The access list identifier. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify an access list id, information for all access lists is displayed.
Related Commands show device (Non-Privileged Command Set) show memory (Non-Privileged Command Set) show memory zones (Non-Privileged Command Set) show netstat (Non-Privileged Command Set) show processes (Non-Privileged Command Set)
(Privileged Command Set) show startup-configuration (Privileged Command Set) show snmp Displays SNMP configuration information for the device. show snmp Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
Appendix C Command Summary Top Level Command Set write terminal Displays the running-configuration of the device. write terminal Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
A device can have up to 999 configured access lists. Use the no form of the command to delete the entire specified access list.
Use the no form of the command to clear the hostname of the current device. Note The command prompt reflects the new name the next time Configuration mode is entered.
ip address <<ipaddr> [netmask <netmask>]>|<ipaddr/netabbr>> no ip address Syntax Description ipaddr The IP address to assign to the device. netmask <netmask> The netmask for the device. netabbr The netmask abbreviation.
(Configuration Command Set) ip name-server Sets one or more name servers to use with the device. ip name-server <ipaddr> Syntax Description ipaddr The IP address of the Domain Name Server.
Use the no form of the command to delete the specified static route entry from the device’s routing table. Related Commands show ip routes (Non-Privileged Command Set) show route (Non-Privileged Command Set)
The source IP address from which SSL errors are to be ignored. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Up to two IP addresses, set individually, are allowed. Related Commands show keepalive-monitor (Non-Privileged Command Set)
Sets the access- or enable-level password for the current device or sets the idle timeout period. password <access | enable | idle-timeout <minutes>> no password <access | enable> no password idle-timeout
Specifies an RDATE-protocol server to be used for date and time information on the device. rdate-server <ipaddr> no rdate-server Syntax Description ipaddr The IP address of the RDATE server. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
(Configuration Command Set) snmp default community Assigns a default community for the SNMP subsystem to use when sending trap information. snmp default community <comName> no snmp default community
Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable SNMP without clearing SNMP data. Note The device must be rebooted (reloaded) before this command takes effect.
Enables generic SNMP traps. snmp trap-type generic no snmp trap-type generic Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable generic SNMP traps.
Keyword indicating a specific syslog facility should be used. facilityid A numeral (from 0 to 7, inclusive) specifying the syslog facility to be used. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
Availability: Serial, Telnet Use the no form of the command to remove the specified access list. The access list still exists but is no longer used by the telnet subsystem.
The TCP service port to be used to manage the current device via a telnet session. default Keyword indicating that the telnet service port be returned to the default of 23.
GMT offset integer is not. Related Commands show date (Non-Privileged Command Set) web-mgmt access-list Assigns an existing access list to be used with web browser-based management requests. web-mgmt access-list <id> no web-mgmt access-list <id>
Use the no form of the command to disable web browser-based management access. Related Commands show web-management (Non-Privileged Command Set) web-mgmt access-list (Configuration Command Set) web-mgmt port (Configuration Command Set)
The port assignment is used at the next Web management connection attempt. Related Commands access-list (Configuration Command Set) show web-management (Non-Privileged Command Set) web-mgmt access-list (Configuration Command Set) web-mgmt enable (Configuration Command Set)
Sets the current interface to full duplex. half Sets the current interface to half duplex. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Exits Interface Configuration mode and returns to Configuration mode.
Forces the speed of the current Ethernet interface to 10 Mbps or 100 Mbps. speed <10|100> Syntax Description 10 Sets the current interface speed to 10 Mbps. 100 Sets the current interface speed to 100 Mbps. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
15 characters. Related Commands show ssl (Non-Privileged Command Set) show ssl server (Non-Privileged Command Set) See the section “Backend Server Configuration Command Set”.
The following example creates a certificate object named myCert and enters Certificate Configuration mode for the certificate object myCert. cert myCert create Related Commands show ssl cert (Non-Privileged Command Set) See the section “Certificate Configuration Command Set”.
The following example creates a certificate group named myCertGroup and enters Certificate Group Configuration mode for the certificate group myCertGroup. certgroup myCertGroup create Related Commands show ssl certgroup (Top Level Command Set) See the section “Certificate Group Configuration Command Set”.
Related Commands See the section “Key Configuration Command Set”. help Displays help information for the specified command. help [command] Syntax Description command The name of the command.
Imports and processes a PKCS#7 file to create certificate objects and a certificate group. import pkcs7 <name> <der|pem> [prefix <prefixText>] [url] Syntax Description name The user-defined name of the certificate group object. der Indicates the file is DER-encoded. pem Indicates the file is PEM-encoded.
Key names can consist of Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Key names must begin with an alphabetic character or underscore and have a limit of 15 characters.
Arabic numerals and upper- and lowercase alphabetic, underscore (_), hyphen (-), and period (.) characters. Reverse-proxy server names must begin with an alphabetic character or underscore and have a limit of 15 characters.
The following example creates a security policy named mypolicy and enters Security Policy Configuration mode for the security policy mypolicy. secpolicy mypolicy create Related Commands show ssl secpolicy (Non-Privileged Command Set) See the section “Security Policy Configuration Command Set”.
15 characters. Related Commands show ssl server (Non-Privileged Command Set) See the section “Server Configuration Command Set”. tcp-tuning Enters TCP Tuning Configuration mode at the global level. tcp-tuning no tcp-tuning
Availability: Serial, Telnet; FIPS Mode (serial only) The no form of the command is used to return all TCP tuning values to factory default. Related Commands See the section “TCP Tuning Configuration Command Set”.
The no form of the command is used to disable server authentication using the certificate group. When using the no form of the command, you need not specify any certificate group name. Only one certificate group can be used.
Sets the specified IP address for the backend server. ip address <ipaddr> [netmask <mask>] no ip address Syntax Description ipaddr The IP address to assign to the backend server. netmask <mask> The netmask valid for the IP address.
Availability: Serial, Telnet; FIPS Mode (serial only) Caution Traffic sent on this TCP service port is not secured by SSL during transmission to the server. It must be secured by another means.
Specifies the TCP service port through which redirected secure connections are sent. remoteport <port|default> Syntax Description port The TCP service port used to transfer secure traffic. default Sets the port specification to 443.
Availability: Serial, Telnet; FIPS Mode (serial only) Using the no form of the command disables server certificate authentication. Related Commands certgroup serverauth (Backend Server Configuration Command Set) serverauth ignore (Backend Server Configuration Command Set)
(Backend Server Configuration Mode) session-cache timeout Specifies how long an entry remains in the session cache before it times out. session-cache timeout <seconds> Syntax Description seconds Specifies the number of seconds before a cached session times out.
Using the no form of the command disables SSL version 3 protocols. You cannot disable all three of the SSL version 2, SSL version 3, and TLS protocols at once. This command is not available in FIPS mode.
Related Commands activate (Backend Server Configuration Mode) tcp-tuning Enters TCP Tuning Configuration mode for this server. tcp-tuning
When transparent proxy behavior is disabled, the device accepts connections on the IP address of the Secure Content Accelerator rather than on the server address. The no form of the command is used to disable this behavior.
URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set)
[url] Syntax Description url The location of the file. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not enter the URL, you are prompted for it.
Leaves Certificate Configuration Mode and returns to Top Level mode. finished Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) help Displays help information for the specified command. help [command] Syntax Description command The name of the command.
If you do not enter the file name or URL, you are prompted for it. Related Commands pem-paste (Certificate Configuration Command Set) pem-paste Allows a PEM-encoded X.509 certificate to be pasted into the configuration manager. pem-paste
You can use a text editor to copy the certificate from a file. After the certificate is pasted, you must press Enter twice to complete the command. If a password is required, you are prompted for it. Related Commands pem (Certificate Configuration Command Set)
See the section “Certificate Configuration Command Set”. Exits Certificate Group Configuration mode, activates all changes, and returns to SSL Configuration mode. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
The name of the command. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not specify a command, help information is displayed for all Certificate Group Configuration commands.
Appendix C Command Summary Configuration Command Set info Displays current information about the certificate group being created or edited. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) If you do not enter the URL, you are prompted for it. If a password is required, you are prompted for it.
PEM-encoded file named mykey.pem. genrsa bits 1024 encrypt des seed lemon output mykey.pem help Displays help information for the specified command. help [command] Syntax Description command The name of the command.
If you do not enter the URL, you are prompted for it. If a password is required, you are prompted for it. Loads a PEM-encoded X.509 private key into the key entry. pem [url] Syntax Description url The location of the file.
You can use a text editor to copy the key from a file. After the key is pasted, you must press Enter twice to complete the command. If a password is required, you are prompted for it.
(Reverse-Proxy Server Configuration Command Set) certgroup serverauth Assigns a certificate group to be used for server certificate authentication. certgroup serverauth <certgroupname> no certgroup serverauth Syntax Description certgroupname The name of the certificate group.
If you do not specify a command, help information is displayed for all Reverse-Proxy Server Configuration commands. info Displays current information about the reverse-proxy server being edited or created. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to remove the specified log-url server from the list. Only one log-url server can be configured.
Ignore certificate expiration errors. cert-not-yet-valid Ignore errors caused by using the certificate before it is valid. invalid-ca Ignore errors caused by an unrecognized CA. domain-name Ignore errors due to an invalid domain name.
The number of cached sessions. The default is 1024. The acceptable range is 1 to 76,800 (SCA) or 1 to 307,200 (SCA2). Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
SSL version 2 and 3 and TLS protocols. This command is not available in FIPS mode. Related Commands sslv3 enable (Reverse-Proxy Server Configuration Command Set) tlsv1 enable (Reverse-Proxy Server Configuration Command Set)
If you are editing an existing reverse-proxy server and you use the suspend command alone, all open connections on the server are finished, and no new connections are accepted. No connections are accepted until the activate command is used.
SSL version 2 and 3 and TLS protocols. The command no tlsv1 enable is not available in FIPS mode. Related Commands sslv2 enable (Reverse-Proxy Server Configuration Command Set) sslv3 enable (Reverse-Proxy Server Configuration Command Set)
URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set)
Cryptographic Scheme   Encryption    Authentication   Exchange     Assignments
ARC4-MD5               ARC4 (128)    MD5              RSA (1024)   strong, default, all
ARC4-SHA               ARC4 (128)    SHA1             RSA (1024)   strong, default, all
DES-CBC3-MD5           3DES (168)    MD5              RSA (1024)   strong, all
If you enter crypto weak and no crypto NULL-MD5 commands, the NULL-MD5 cryptography scheme is removed from the current security policy.
If you do not specify a command, help information is displayed for all Security Policy Configuration commands. info Displays current information about the security policy being edited or created. info Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
The name of the certificate. default The pre-loaded default certificate. default-1024 The pre-loaded 1024-bit default certificate. default-512 The pre-loaded 512-bit default certificate. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
flag, you need not specify any certificate group name. Only one certificate chain is allowed. Related Commands certgroup (SSL Configuration Command Set) show ssl certgroup (Non-Privileged Command Set) See also “Certificate Group Configuration Command Set”.
Enables client certificate authentication. clientauth enable no clientauth enable Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Use the no form of the command to disable client certificate authentication.
HTML error page listing the reason for the error. Then the SSL session is disconnected. ignore The server silently ignores the authentication error and continues the SSL connection.
HTML page specified by the url argument. The SSL session is disconnected. url The location of the error page for redirection. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) The default behavior is failhtml.
Adds the server certificate to the HTTP stream. pre-filter Pre-filters the client header. prefix Allows a prefix string to be added to the HTTP stream. This text must be entered within quotes.
The following table presents the header fields sent using the httpheader server-cert command.
Table C-22 Headers Inserted with httpheader server-cert Command
Header Field                                     Description
hostname-ServerCert-Certificate-Version          x509 Certificate version
hostname-ServerCert-Data-Signature-Algorithm     x509 Hashing and encryption mechanisms
hostname-ServerCert-Fingerprint                  Hash output
Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) ip address Sets the specified IP address for the logical secure server. ip address <ipaddr> [netmask <mask>] no ip address
Specifies the interval between keepalive messages. keepalive frequency <seconds> Syntax Description seconds The number of seconds between keepalive messages; the range is 1 to 255 seconds (inclusive); the default is 5 seconds.
It must be secured by another means. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only) Related Commands localport (Server Configuration Command Set) sslport (Server Configuration Command Set)
The SSL handshake is continued and the client is redirected to another HTML page specified by the url argument. The SSL session is disconnected. url The location of the error page for redirection.
(Server Configuration Command Set) suspend Suspends the function of the server. suspend [now] Syntax Description now Suspends actions of the server immediately. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
The device listens on the hardware server’s IP address for incoming client connections and uses the client’s IP address for connecting to the hardware server. This is the default behavior.
An * (asterisk) wild card character can be used to specify more than one server in a single domain, e.g., “*.company.com”. Up to 32 URL rewrite rules can be configured. Use the no form of the command to clear the specified rule. If more
URL rewrite information can be displayed by using the command show ssl server. Related Commands show ssl server (Non-Privileged Command Set)
The number of seconds a segment can exist on the network before being discarded; the valid range is from 5 to 300 seconds (inclusive). default The factory default. At the time of publication, the factory default is 5 seconds.
If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122.
The number of seconds to keep a TCP connection open without active traffic; the valid range is from 0 to 65535 seconds (inclusive). default The factory default. At the time of publication, the factory default is 60 seconds.
If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122. Related Commands keepalive (TCP Tuning Configuration Command Set) keepalive-intv (TCP Tuning Configuration Command Set)
The number of keepalives that are sent; the valid range is from 1 to 65535 (inclusive). default The factory default. At the time of publication, the factory default is 12.
Use the no form of the command to return the maxrt to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. maxseg Specifies the maximum TCP segment size. maxseg <bytes|default> no maxseg
If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 894. Note This parameter can only be set at the global level.
See RFC 896. nopush Controls whether data is sent if the segment size (maxseg) is not full. nopush <0|1|on|off|default> no nopush Syntax Description 0 nopush is disabled. 1 nopush is enabled. on nopush is enabled.
30000 to 65535 milliseconds (inclusive). default The factory default. At the time of publication, the factory default is 60000 milliseconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
Use the no form of the command to return the probe-min to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. Related Commands probe-max (TCP Tuning Configuration Command Set)
65535 milliseconds (inclusive). default The factory default. At the time of publication, the factory default is 64000 milliseconds. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1122 and RFC 2988. Related Commands rto-def (TCP Tuning Configuration Command Set) rto-max (TCP Tuning Configuration Command Set)
See RFC 2001 and RFC 2581. stdurg Controls the octet pointed to by the urgent pointer. stdurg <0|1|on|off|default> no stdurg
0 Time stamping is disabled. 1 Time stamping is enabled. on Time stamping is enabled. off Time stamping is disabled. default The factory default, 1 (on); time stamping is enabled. Usage Guidelines Availability: Serial, Telnet; FIPS Mode (serial only)
Use the no form of the command to return the ts to the global value. If no global settings exist for a parameter, the factory default parameter is used instead. See RFC 1323.
) in the console. The >> prompt displayed when the device has failed any self-tests is self-test failure>>.
This appendix contains the following sections:
• Text Conventions
• Getting Help
• Examples
• Command Set
Note Though a command string may be displayed on multiple lines in this guide, it must be entered on a single line with no returns except at the end of the complete command.
Help for individual commands having arguments is available by partially typing the command and pressing Enter. An example is below.
>>ip
ip what?
address -- assign an ip address
route -- assign default route
>>
Check the environment by entering the following command. An example of the associated response is included.
>>env
cbaud=9600
autoboot=N
autorun=N
verbose=false
netaddr=10.1.2.5
netmask=255.255.255.0
gwaddr=10.1.2.254
bootfile=/flash/maxos.bz2
TZ=GMT10DST
TERM=ansi
FIPS_MODE=0
COLUMNS=80
ROWS=25
bootdevice=/flash/maxos.bz2
build=200208160004
version=4.1.0
firmware has been corrupted. This example uses the Netcat application to stream the image to MiniMax. The firmware image can be found on the distribution CD accompanying the device and at the Cisco Web site. Netcat allows for reading and writing data across network sockets. It is freely available for most operating systems here: Unix: ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/netcat...
This example uses the Xmodem to download the image to MiniMax over the console serial line. The firmware image can be found on the distribution CD accompanying the device and at the Cisco Web site. Use the following table to identify the firmware image for use.
Use the terminal emulation application's commands to initiate sending the image file indicated in Table D-2 above via xmodem.
Note The image file transfer can take up to an hour depending on the baud.
Set up the terminal emulation program to capture text. Enter the following command to list the configuration to the window.
>> cat /flash/startup-config
Stop the text capture.
Note Before loading the saved configuration file, you must reload the keys.
Enter resetenv to return the device to factory settings.
Note You are not prompted to continue. The process begins once you have typed the command and pressed Enter.
Check the environment again by entering the following command. An example of the associated response is included.
>>env
cbaud=9600
autoboot=N
autorun=N
verbose=false
netaddr=192.0.2.254
netmask=255.255.255.0
gwaddr=
bootfile=/flash/maxos.bz2
TZ=GMT10DST
TERM=ansi
FIPS_MODE=0
COLUMNS=80
ROWS=25
The new baud for the connection.
boot Boots the device with the current flash image.
boot
cat Lists the specified file to the terminal.
cat <filename>
Syntax Description
filename The path and filename to list.
Option indicating that interface speed will be configured.
Option indicating the specified Ethernet interface(s) should be configured as 10Mbit/sec.
Option indicating the specified Ethernet interface(s) should be configured as 100Mbit/sec.
The example below shows how to set the last three octets of the MAC addresses of both interfaces, beginning with the address specified.
>> eaddr -ib 010000
env Prints the nvram environment to the console.
Keywords identifying the address to change.
ipaddr The new IP address.
maskbits The numeral indicating the appropriate mask to use; this netmask shortcut is used only with the address keyword.
netstat Displays open file descriptors and sockets on the device.
netstat
printenv Prints the nvram environment to the console.
printenv
rdate-server Assigns an RDATE server.
rdate-server <ipaddr>
Syntax Description
ipaddr The IP address of the RDATE server to use.
rm Deletes a file from the flash file directory.
rm <filename>
Syntax Description
filename The name of the file to delete.
Related Commands
sbridge Connects the specified Ethernet port and starts the bridge.
sbridge [network|server]
Specifies file download information is to be displayed.
Specifies ARP information is to be displayed.
route Specifies route information is to be displayed.
Usage Guidelines
If no system is specified, a help message is displayed.
Appendix D MiniMax Command Summary
Command Set
version Displays firmware version information.
version
Processes a downloaded image file, if available, and copies it to the flash.
A P P E N D I X Troubleshooting
This appendix provides general troubleshooting information for the Secure Content Accelerator. This appendix contains the section "Troubleshooting the Hardware"
SSL device and other networking hardware agree. Using the CLI, enter the show interface command to display the settings for the appliance Ethernet interfaces. Make sure you have a valid networking topology.
Use a serial management session to connect to the device. The serial console displays either >> or self-test failure>>.
self-test failure>> A serious error has occurred. Please see Appendix D, "MiniMax Command Summary" for more information.
See "Returning to Normal Operation" in Chapter 6 for more information.
Few security policies are available when configuring servers. The device is operating in FIPS Mode. Only security policies containing FIPS 140-2-compliant algorithms are available in FIPS Mode.
exit the configuration mode.
The device might be operating in FIPS Mode. Only servers configured with FIPS 140-2-compliant algorithms are available to traffic. The assigned security policy must contain at least one FIPS-compliant algorithm.
Troubleshooting flowchart (text rendering of the figure):
Is the serial connection responsive? If not, the unit is faulty: RMA the unit.
Is the 1- or 2-port operation mode set correctly? If not, set the intended operation mode and reload the device.
Are the network settings correct? If not, configure the network settings.
Go to the next flowchart.
Do "show localport" and netstat display the proper listening sockets? If not, set the transparency settings; reload if necessary.
Is the proxy set to transparent operation? Refer to the Deployment section of the Configuration Guide.
Continue with the next flowchart.
Are any firewalls or ACLs in place? If so, eliminate ACLs or filters preventing access.
suite operability, or use a different client.
Does the device operate as expected? If so, continue with configuration and operation as desired.
You can configure the Cisco Secure Content Accelerator using either the GUI or CLI, or through the QuickStart wizard (available through both the CLI and GUI).
TCP service port 80 for both basic HTTP connections and for transfer of decrypted secure data between the devices and the server. Below are some alternatives for this scenario.
When prompted either to name a key or certificate file or check the name of a key or certificate file, please ensure the names follow these conventions.
Click Copy to file. The Certificate Manager Export Wizard opens.
Click Next.
Select the DER-encoded binary X.509 radio button.
Click Next.
Specify a file name and location.
Click Next.
Click Finish.
Right-click the Web site object and click Properties in the shortcut menu.
Click the Directory Security tab.
Click View Certificate in the Secure Communications panel. The Certificate Viewer appears.
Click the Details tab.
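Before importing the exported file into the appliance, it is worth confirming that what the wizard wrote really is a DER-encoded X.509 certificate and comparing its fingerprint with the thumbprint shown on the Details tab of the Certificate Viewer. The following Python is an added example, not code from this guide or from Cisco: it accepts either DER or PEM input, checks the outer DER structure (a SEQUENCE holding tbsCertificate, signatureAlgorithm and signatureValue), rejects truncated or padded files, and returns the DER bytes and a fingerprint. The sample bytes are constructed for the test and are not a real certificate; the function names are the example's own.

```python
"""Sanity-check an exported certificate file before importing it into the
appliance: accept DER or PEM, verify the outer X.509 DER structure and
return the DER bytes plus a fingerprint to compare with the viewer's
thumbprint. Added example, not code from the guide or from Cisco."""

import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (used here only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + value


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos:]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite, oversized or truncated length (not DER)")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80 or (nbytes > 1 and length < 1 << (8 * (nbytes - 1))):
            raise ValueError("non-minimal length encoding (not DER)")
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def load_certificate(data: bytes) -> bytes:
    """Return the DER certificate from DER or PEM input, or raise ValueError."""
    m = PEM_BLOCK.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE; not DER X.509")
    if end != len(der):
        raise ValueError(f"{len(der) - end} trailing byte(s) after the certificate")
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
    #                            signatureAlgorithm SEQUENCE,
    #                            signatureValue BIT STRING }   (RFC 3280 section 4.1)
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    if tags != [0x30, 0x30, 0x03]:
        raise ValueError(f"unexpected certificate layout, tags {tags}")
    return der


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of the DER bytes; the Certificate Viewer's thumbprint is the SHA-1 of these bytes."""
    return hashlib.new(algorithm, der).hexdigest().upper()


# Constructed sample with the shape of a certificate (NOT a real certificate).
SAMPLE_DER = der_tlv(0x30,
    der_tlv(0x30, der_tlv(0x02, b"\x01"))          # stand-in tbsCertificate
    + der_tlv(0x30, der_tlv(0x06, b"\x2a\x03"))    # stand-in signatureAlgorithm
    + der_tlv(0x03, b"\x00" + b"\xab" * 4))        # stand-in signatureValue
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = load_certificate(SAMPLE_PEM)
    print(len(der), "bytes, SHA-1 fingerprint", fingerprint(der))
```

Run it against the exported file with `load_certificate(open(path, "rb").read())`; a file the wizard wrote in Base-64 rather than DER still loads, because the PEM branch decodes it, and the fingerprint of the DER bytes is what to compare with the viewer's thumbprint.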
Passwords Cisco Secure Content Accelerator devices use two levels of password protection: access- and enable-level. Access-level passwords control who can access the device via telnet and serial connections. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
• An associated key specifying the public/private key pair to use
• A single certificate or certificate group to use
• A security policy specifying the cryptographic scheme(s) to use
X.509 files, IIS4 backup format (NET-IIS), PKCS#12 files, and PKCS#7 certificate groups.
Step-Up Certificates and Server-Gated Cryptography
Cisco Secure Content Accelerator devices support both Netscape International Step-Up Certificates and Microsoft Server-Gated Cryptography. No special configuration is needed for the device to function properly with these certificates.
GUI. Security Policies Cisco Secure Content Accelerator can process a wide range of single and composite cryptography schemes. The following table shows a comparison of the individual schemes. If you configure the device to use the weak security policy, all schemes marked as “weak”...
None | None | weak, default, all
NULL-SHA | None | SHA1 | None | weak, default, all
1 ARC4 is compatible with RC4™ RSA Data Security.
2 ARC2 is compatible with RC2™ RSA Data Security.
Appendix F SSL Introduction
Cisco Secure Content Accelerator Management
You can configure the Cisco Secure Content Accelerator using one of three methods, two of which use the CLI configuration manager.
• Serial connection, configuration manager: an IP address need not have been assigned for appliance management.
For instructions on using telnet or serial console CLI configuration managers, see Chapter 4; for instructions on using the GUI, see Chapter 5. To use the Secure Content Accelerator in FIPS-compliant operation mode, see Chapter 6.
Accelerator. This appendix includes the following sections:
• Regulatory Standards Compliance
• Canadian Radio Frequency Emissions Statement
• FCC Class A
• CISPR 22 (EN 55022) Class A
• VCCI
Canadian Radio Frequency Emissions Statement
This Class A digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
To maintain compliance with the limits of a Class A digital device, Cisco requires that you use quality interface cables when connecting to this device. During testing for certification Category 5 cables were used.
Warning This is a class A product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.
VCCI
Flash memory Memory area in which device configuration may be saved; configuration information not stored in the flash memory is lost during a power cycle or when the device is rebooted or reloaded.
Remote Port The user-specified non-secure TCP port used by the Cisco Secure Content Accelerator to send decrypted data to and receive data to be encrypted from the logical secure server.
Simple Network Management Protocol (SNMP) An application-level protocol used to monitor and perform basic configuration of network devices.
Server Port The user-specified secure TCP port monitored by the Cisco Secure Content Accelerator for secure transaction requests.