The second strategy, cloud-based security, is offered in conjunction with ScanSafe, a recent Cisco acquisition. Cisco has incorporated the ScanSafe client tool into the AnyConnect client and the ScanSafe policy management tool into ASDM, making the option of deploying cloud-based malware scanning and Web filtering functionality fairly simple. ScanSafe licensing is completely separate from all other Secure Mobility licensing, and ScanSafe is only supported on Windows platforms.
While the integration makes it easy for an enterprise to select cloud-based scanning, we think that most enterprises will see cloud-based scanning vs. enterprise proxy protections as an "either/or" choice. From a policy point of view, Cisco has put a very light touch on the whole ScanSafe interface.
For example, the AnyConnect client has a trusted network detection feature, and ScanSafe has a similar one. Rather than combine the two, each runs independently, letting ScanSafe work in a non-AnyConnect environment. Similarly, all of the Web-based security policies established on the IronPort S-Series Web proxy are completely independent of the policies set up for ScanSafe; you can't reuse any of the components and you can't easily translate the policy from one to the other.
We chose to focus on the third type of Web security: the Web proxy. Cisco's approach to applying Web-based security to VPN users requires a tight linkage between the ASA VPN concentrator and the S-Series Web proxy, in order to transfer authentication information to the Web proxy. Making that linkage is very simple: you just put a common port number and shared secret into both devices, click the "test" button, and if everything is correct, you're done.
The ASA sends the username, but not any group membership information, over to the IronPort S-Series, so we had to link to our Active Directory (NTLM or LDAP are supported) to get this information. Once that was settled, we were able to apply user- and group-based Web security policies.
One of the most important parts of the integration between the AnyConnect client, the ASA appliance, and the IronPort S-Series is the automatic download of proxy information to AnyConnect clients. We tested this with Windows (Internet Explorer), Mac (Safari, Chrome, and Firefox), and iPhone systems all running the AnyConnect client and had seamless experiences browsing, with traffic going through the VPN tunnel, on to the IronPort S-Series proxy, and off to the Internet.