Cisco Adaptive Security Appliances and Citrix NetScaler Gateway citrix.com



Contents

What You Will Learn
Cisco ASA SSL VPN
NetScaler Gateway
HDX SmartAccess
HDX Insight
Combining Cisco ASA and NetScaler Gateway
Why Combine?
Use Case: Cisco AnyConnect and Cisco ASA with NetScaler Gateway and HDX SmartAccess
Typical Security Policy Example
Cisco ASA Policy Configuration
NetScaler Gateway Configuration
Summary
Use Case: Cisco WebVPN (Clientless) and Cisco ASA with NetScaler Gateway and HDX SmartAccess
Typical Security Policy Example for Clientless Access
Summary
Conclusion

What You Will Learn

Cisco Adaptive Security Appliances (ASA) SSL and IP Security (IPsec) Edition and Citrix NetScaler Gateway are two popular secure remote-access solutions. Cisco ASA provides market-leading IPsec and SSL VPN, site-to-site VPN, and remote-access VPN technologies with Cisco AnyConnect Secure Mobility Client and Cisco WebVPN (clientless), all within a single appliance. NetScaler Gateway is a market-leading, secure application and data-access solution that provides administrators with detailed application- and data-level control while empowering users with remote access from anywhere. NetScaler Gateway provides the best secure application and data access for Citrix XenApp, XenDesktop, and XenMobile.

Together, Cisco and Citrix provide enhanced value for enterprises. This value is achieved by deploying Cisco ASA and NetScaler Gateway so that the strengths of each are paramount:

- Deploy Cisco ASA at the Internet edge to terminate secure remote sessions for both Cisco AnyConnect client and Cisco WebVPN (clientless) users.
- Deploy NetScaler Gateway to provide detailed policy enforcement using HDX SmartAccess and to provide insight into application traffic for XenApp and XenDesktop resources.

Such a combined deployment of the two products could be:

- Parallel to each other, on the Internet edge, with NetScaler Gateway terminating all the Citrix traffic, and Cisco ASA terminating all the non-Citrix traffic
- Inline, with Cisco ASA terminating all traffic, and delegating Citrix traffic to NetScaler Gateway

This document focuses on the inline deployment model, which provides a single point of termination for all traffic. Citrix and Cisco tested the following two joint use cases for such a deployment (Figure 1):

- Cisco AnyConnect and Cisco ASA with NetScaler Gateway
- Cisco WebVPN and Cisco ASA with NetScaler Gateway

[Figure 1. Inline Deployment Model: Cisco AnyConnect and Citrix Receiver clients terminate on the Cisco ASA 5500-X, which passes Citrix traffic to NetScaler Gateway; behind it sit Web Interface and StoreFront, NetScaler ADC, and XenApp and XenDesktop]

By deploying both Cisco ASA and NetScaler Gateway in your network, you provide secure remote access not only to your traditional resources, but also to your XenApp and XenDesktop resources. The use cases presented in this document demonstrate the enhanced value of a joint deployment and the way that Cisco and Citrix working together can enhance your secure remote-access solution.

Virtualization technologies such as market-leading XenApp and XenDesktop have experienced tremendous growth as enterprises look for a solution to address a growing and diverse user community with multiple devices seeking anytime and anywhere access. Many enterprises are now implementing desktop virtualization solutions to reduce the capital expenditures (CapEx) needed to both provide their employees with company-owned devices and implement a bring-your-own-device (BYOD) strategy, at the same time taking advantage of the inherent security controls that virtual desktops and applications offer.

Cisco and Citrix are partners and share a common goal of enabling a secure mobile workforce. As partners, the two companies are working to integrate Cisco ASA, Cisco AnyConnect Secure Mobility Client, and Cisco Identity Services Engine (ISE) with Citrix Worx, Receiver, NetScaler Gateway, and XenMobile. Cisco, with Cisco ASA, and Citrix, with the NetScaler Gateway, offer a combined best solution by complementing each other's strengths to enhance the value offered. This combined solution is primarily designed for enterprises with existing XenApp and XenDesktop deployments and existing Cisco ASA full VPN deployments for remote access to other company resources. The joint solution with NetScaler Gateway demonstrates the use of Citrix's detailed policy access mechanisms and HDX traffic insight in parallel with Cisco ASA. This document also provides an overview of the current respective solutions and demonstrates how they work together today.

This document gives security engineers and administrators an overview of the configuration and best practices for the combined solutions. Basic working knowledge of Cisco ASA, clientless and Cisco AnyConnect SSL VPNs, and familiarity with NetScaler Gateway, XenApp, and XenDesktop are assumed. After reading this document, you should have a good understanding of the components involved in the solution and be well equipped to review other detailed collateral.

Cisco ASA SSL VPN

The Cisco Secure Remote Access solution is a single-appliance VPN solution that extends network access safely and easily to a wide range of users and devices. It offers a comprehensive and versatile secure mobility solution and supports a wide range of connectivity options, endpoints, and platforms to meet your organization's changing and diverse remote-access needs. This solution is built on the Cisco ASA 5500 Series, which delivers site-specific scalability for deployments ranging from the smallest business and small office and home office (SOHO) to the largest enterprise networks.

It offers:

- Deployment flexibility: The solution extends the appropriate remote-access VPN technology, either clientless or full network (SSL and Transport Layer Security [TLS], Datagram TLS [DTLS], or IPsec Internet Key Exchange Versions 1 and 2 [IKEv1 and v2]) access, on a per-session basis, depending on the user group or endpoint accessing the network, the security posture, and administrative policies.
- Comprehensive network access: Broad application and network resource access is provided through Cisco AnyConnect Secure Mobility Client, an automatically downloadable network-tunneling client that enables access to almost any company application or resource.
- Ubiquitous clientless access: The solution delivers secure remote access to authenticated users on both managed and unmanaged endpoints, enabling increased productivity by providing anytime access to the network.
- Detailed control: The solution empowers network and IT managers to provide and monitor controlled access to company resources and applications.
- Transparent connectivity: The Cisco AnyConnect Secure Mobility Client automatically connects or disconnects a user session based on the user's location and network availability, providing a transparent secure connectivity experience to the roaming worker, who gains increased productivity and flexibility.
- Optimized performance: The Cisco AnyConnect Secure Mobility Client provides an optimized VPN connection for latency-sensitive traffic, such as voice over IP (VoIP) traffic and TCP-based application access. The Cisco AnyConnect client can automatically determine and establish connectivity to the optimal network access point.
- Consistent security: The solution enables highly scalable secure mobility protection by extending location-aware security policies to every transaction when the Cisco AnyConnect Secure Mobility Client is used with integrated web security.

The user's location and the nature of the company resources accessed (for instance, an enterprise or in-house application, or a software-as-a-service [SaaS] application) define the level of acceptable-use policies, malware protection, and data security policies. The Cisco AnyConnect client is optimized for use with the Cisco IronPort Web Security appliance and the cloud-based Cisco ScanSafe Web Security service. Both deployment options include Cisco's industry-leading use-policy enforcement and protection for enterprise resources from both known and zero-day malware.

NetScaler Gateway

NetScaler Gateway is a secure application and data access solution that gives administrators detailed application- and data-level control while empowering users with remote access from anywhere. NetScaler Gateway has an extremely powerful and flexible policy engine, which enables administrators to manage access control and limit actions within sessions based on both user identity and the endpoint device, providing better application security, data protection, and compliance management.

NetScaler Gateway provides the best secure application and data access for XenApp, XenDesktop, and XenMobile. It also provides several modes of access to help provide the best security:

- ICA Proxy (secure proxy for Independent Computing Architecture [ICA; HDX] traffic only): This mode is used for transparent and secure access to XenApp and XenDesktop published virtual applications and desktops. In this mode, no NetScaler Gateway client is required, and all resources are accessed through the browser or using Citrix Receiver. NetScaler Gateway also provides HDX SmartAccess capabilities, which provide highly detailed control of application and desktop access on the endpoint.
- CVPN (clientless VPN access over the browser): This mode provides access to internal websites and file shares over a browser, and hence it does not require any client installation. This mode provides increased security as well as transparent access from anywhere.
- SSL VPN (full tunnel access for a devicewide VPN): This mode creates a devicewide VPN and virtually connects the incoming device to the company network. This mode provides complete access to all internal resources.
- Micro VPN (application-specific access through micro-VPN tunnels): This mode is designed for mobile platforms as part of Citrix's mobility solutions (Citrix XenMobile). Instead of providing a device-level VPN (because BYOD devices may or may not be trusted), this mode provides application-level tunnels, so that only specific applications approved by the administrator can tunnel back into the enterprise.

HDX SmartAccess

HDX SmartAccess is a XenApp and XenDesktop technology that works in collaboration with NetScaler Gateway. The concept is simple: use NetScaler Gateway's assessment of end-device posture to guide the application and desktop capabilities for complete end-to-end security and to eliminate data leakage.

This approach permits the use of preauthentication and postauthentication checks as conditions for access to published resources, along with other factors. These additional factors include anything you can control with a XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard access, client audio access, and client printer mapping. Any XenApp or XenDesktop policy can be applied on the basis of whether or not the user passes a NetScaler Gateway check. For example, a valid user on an endpoint that is company issued (as established by a NetScaler Gateway endpoint scan) can be allowed an unlimited ICA session. However, the same user on an untrusted endpoint (one for which the NetScaler Gateway endpoint scan finds no evidence of trust) may be allowed only a circumscribed or highly controlled ICA session, with client drive mapping disabled, clipboard access disabled, and so on.

HDX Insight

Visibility is a critical requirement for all enterprise deployments today, and in virtualization scenarios it is essential for remote-access use cases. HDX Insight is a NetScaler visibility technology that works with the NetScaler AppFlow engine, which can parse ICA (Citrix HDX) traffic and provide visibility metrics to the HDX Insight collector for analytics and reporting. The HDX Insight module includes built-in reports for user-access scenarios, providing visibility across all layers. It also provides insight for troubleshooting use cases in which user access is slow and the reason may be latency on the client side of the network or a problem in a component in the data center. It can break down the latency metrics into multiple parts, showing every individual path of the access network. It can also plot jitter, which can help explain a sudden problem in a user session. HDX Insight provides all this information across every application the user has accessed, enabling you to identify application-level problems. It can also provide cumulative information across applications and users, which makes it even more useful for troubleshooting. HDX SmartAccess and HDX Insight are especially useful for XenApp and XenDesktop administrators and should be deployed in all use cases, along with NetScaler Gateway.

Combining Cisco ASA and NetScaler Gateway

As mentioned earlier, Cisco ASA and NetScaler Gateway have both similarities and independent strengths when deployed for secure remote access. By combining the two products, tremendous value is offered (Table 1).

Table 1. Strengths of Cisco ASA and NetScaler Gateway

Cisco strengths:
- Cisco is a market leader in networking and security, with an extremely large installed base of Cisco ASA, Cisco AnyConnect clients, and Cisco WebVPN deployments.
- The Cisco ASA 5500 Series provides IPsec and SSL remote-access VPN, site-to-site VPN, firewall, web security, and intrusion prevention system (IPS) capabilities in one appliance.
- VPN features are easy to configure with the user-friendly and intuitive Cisco Adaptive Security Device Manager (ASDM), a simple GUI-based configuration tool.
- Appliances support up to 10,000 concurrent SSL VPN or IPsec VPN user sessions per appliance.
- Multiple appliances can be clustered together in either active-active or active-standby configurations to increase capacity. Load balancing is integrated into the appliances as well.
- The Cisco AnyConnect Secure Mobility Client modular approach enables enterprises to add modules that provide IEEE 802.1x, web security, server load balancing, and posture if they want.

Citrix strengths:
- Citrix is a market leader in application and desktop virtualization, with world-class products including XenApp and XenDesktop.
- NetScaler is the industry's most advanced cloud network platform. It enables the data center network to become an end-to-end service delivery fabric to optimize the delivery of all web applications, cloud-based services, virtual desktops, enterprise business applications, and mobile services.
- Cisco now recommends that enterprises purchase NetScaler for application load balancing. In fact, NetScaler is now embedded in Cisco Nexus switches.
- NetScaler Gateway provides the best secure application and data access for XenApp, XenDesktop, and XenMobile.
- NetScaler Gateway's HDX SmartAccess capabilities provide an excellent solution for providing strong data security while empowering users to work from anywhere.
- Citrix's application-level policies allow a level of control that is exceptional in the market, especially for access to XenApp and XenDesktop.
- HDX Insight is a powerful tool for administrators and provides excellent visibility into application behavior as well as insight into the network.

Why Combine?

Enterprises often have multiple needs to address when providing secure remote access:

- VPN access from trusted devices
- HDX access from semitrusted devices
- Highly controlled HDX access from untrusted devices

Cisco ASA is an excellent solution for accessing enterprise resources in the company network, and it provides outstanding security controls to manage this access. Cisco ASA provides both SSL and IPsec VPN offerings on the same appliance and scales well for enterprise needs.

NetScaler Gateway is an excellent solution for accessing HDX resources running in XenApp and XenDesktop farms. NetScaler Gateway provides the best integration with these resources and offers extremely detailed policy controls to fine-tune the kind of session that end users can access based on user identity and endpoint posture. Additionally, NetScaler Gateway can parse ICA traffic, providing insightful information to administrators.

To reach these two distinct back-end resources through these two distinct gateway devices, the following options are available:

- Run both gateways in parallel, with end users accessing each gateway for the resources that it controls. For example, select Cisco ASA for VPN access to file shares, Microsoft Exchange Server, and Microsoft SharePoint. At the same time, select NetScaler Gateway to access HDX resources.
- Create a single gateway for access. NetScaler Gateway provides excellent value for XenApp and XenDesktop access, so you can use it to control access to these farms. Cisco ASA can be used as the single gateway to accept all traffic. Policies can be set up to make sure that all HDX traffic coming to the Cisco ASA device is routed to NetScaler Gateway.

The second option, a single gateway, provides some advantages:

- The use of a single gateway from the end user's perspective simplifies end-user access. Cisco ASA continues to provide transparent access to all company resources.
- NetScaler Gateway helps ensure flawless and secure access to HDX resources.
- As products on the back end evolve, so does NetScaler Gateway. Putting NetScaler Gateway in front of all HDX resources helps ensure that the solution will continue to work as the back end evolves.
- NetScaler Gateway offers HDX SmartAccess, with detailed policy controls to tune HDX sessions based on user identity and endpoint posture.
- NetScaler Gateway offers HDX Insight integration, which provides administrators with the tools to analyze and troubleshoot with insight across multiple layers of the stack.

Use Case: Cisco AnyConnect and Cisco ASA with NetScaler Gateway and HDX SmartAccess

This use case (Figure 2) incorporates both the Cisco ASA SSL VPN Edition and the NetScaler Gateway to provide comprehensive end-to-end secure remote access to company resources with a focus on access to a Citrix back end (XenDesktop and XenApp).

[Figure 2. Web Interface and StoreFront: Cisco ASA 5500-X in front of NetScaler Gateway (one-arm), with Web Interface and StoreFront, XenApp, and XenDesktop behind it]

The role of the Cisco ASA is to provide SSL VPN access to the company network for all devices, including mobile devices, using both the Cisco AnyConnect Secure Mobility Client and Cisco WebVPN (clientless), after first assessing the posture of the connecting device and assigning the user to the appropriate dynamic access policy, through which the final attributes are assigned to the user's session.

The NetScaler Gateway in this use case protects the Citrix back end and is configured to work with StoreFront, which is the successor to Web Interface and provides much more flexibility to end users with a self-service approach that allows users to choose the applications they see on the Receiver screen in subsequent connections. The NetScaler Gateway also assesses the posture of the user's device with Endpoint Analysis.

Typical Security Policy Example

Only remote company-owned and company-controlled assets are granted full network access using the Cisco AnyConnect client. Required checks for identifying company devices are:

- Process check
- File check
- Registry check
- Check for presence of Microsoft firewall
- Check for presence of antivirus software

Noncompany assets such as a user's personally owned device are provisioned through a clientless (Cisco WebVPN) portal or Cisco AnyConnect client with restricted access to NetScaler. Required checks for identifying personal devices are:

- Check for failure of any of the checks listed for company devices
- Check for presence of any firewall
- Check for presence of any antivirus software

The solution presented here builds on the company and noncompany device security policies to implement two dynamic access policies on the Cisco ASA to control access:

- Tier-1, company owned: Cisco AnyConnect access without any restrictions
- Tier-2, noncompany owned: Portal and restricted Cisco AnyConnect access to the NetScaler virtual server's virtual IP address, for access to the Citrix back end

Cisco ASA Policy Configuration

This configuration uses Cisco ASA v9.1(1) and Cisco ASDM 7.1(2). This example assumes that the Cisco ASA has the required basic configuration to allow SSL VPN access on the public interface. You configure simple checks using Cisco Secure Desktop HostScan on the Cisco ASA to define the required posture (Figure 3):

- Check the registry to determine whether the machine is joined to the cisco. domain.
- Check for the presence of a corp-asset-file.txt file.
- Check for a running mcshield.exe process on the device.

[Figure 3. Configuring the Policy]

Using the HostScan results, you can configure additional checks directly in the dynamic access policy. Configure additional Tier-1 criteria (Figure 4):

- Authentication, authorization, and accounting (AAA) attribute = Lightweight Directory Access Protocol (LDAP) member of the group
- Endpoint attribute = Microsoft Windows 7 OS
- Logical expression to check for antivirus and firewall software (more likely checked as an endpoint attribute, but for the purpose of showing all dynamic access policy options, this example uses a logical expression)

[Figure 4. Configuring the Dynamic Access Policy]

NetScaler Gateway Configuration

When the Cisco AnyConnect users launch Receiver, the client is configured to access the NetScaler Gateway virtual server, which is configured with session policies that also identify the device using endpoint analysis. When client devices connect through NetScaler Gateway, a lightweight scan component similar to Cisco Secure Desktop HostScan is downloaded and run on the client device to detect its security posture (Figure 5).

[Figure 5. NetScaler Gateway Configuration: NetScaler Gateway in one-arm mode behind the Cisco ASA 5500-X initiates the endpoint analysis scan, the endpoint sends its results, and the Gateway either fails the session (remediate) or grants access to Web Interface and StoreFront, XenApp, and XenDesktop]

In this use case, the Cisco ASA is terminating the VPN sessions, so the NetScaler Gateway does not need to thoroughly interrogate the endpoint again; only checks that are relevant for HDX SmartAccess are needed. Essentially, Cisco ASA is responsible for endpoint security, and NetScaler Gateway is responsible for performing endpoint analysis scans that are relevant for the back-end applications and desktops.

On the NetScaler Gateway, you can configure session policies to control access to XenApp and XenDesktop using HDX SmartAccess. To configure HDX SmartAccess, you need to configure NetScaler Gateway settings on the Web Interface or StoreFront server and to configure session policies on the NetScaler Gateway. When you run the Published Applications Wizard, you can select the session policies you created for HDX SmartAccess to gain more detailed control. There are also two conditions, similar to the dynamic access policies:

- Restrictive: The user fails the endpoint analysis but still receives access, with restrictions in place. For example, not all applications may be available, or if the user is allowed access to XenDesktop, the user may not be permitted to map a drive, to avoid the risk posed by a noncompany device.
- Nonrestrictive: The user passes the endpoint analysis and is granted access without any restrictions. For example, the user will be able to map a local drive to the virtual desktop infrastructure (VDI) and, if accessing XenApp, will be able to use all applications.

For example, a simple HDX SmartAccess policy might use endpoint analysis to check that a specific process is running on the connecting device in order to determine whether the session should be given nonrestrictive access or be subject to some restrictions. In the example here, the policy checks for the mcshield.exe process to make this decision. This example uses a virtual server configuration and creates a session policy and profile and binds it to the virtual server, so that any users connecting will be subject to an endpoint analysis scan (Figure 6).

[Figure 6. Creating a Simple HDX SmartAccess Policy]

To configure HDX SmartAccess, you also need to configure NetScaler Gateway settings on the Web Interface or StoreFront server and on XenApp and XenDesktop. When enforcing policy on applications, you run the Published Applications Wizard, where you can select the session policies you created for HDX SmartAccess to control access to the applications. In the example shown here, the Microsoft Calculator, Notepad, and WordPad applications are being published (Figure 7). A filter is applied to the Microsoft WordPad application that specifies that this application will be available to a remote user connecting through NetScaler Gateway if, and only if, endpoint analysis scans verify that the mcshield.exe process is running. (Note that the endpoint analysis scan could be configured for a multitude of checks, including checks for registry information, files, processes, and the presence of antivirus software.)

[Figure 7. Applying a Filter to Verify the Presence of a Process]

Summary

With Cisco ASA and the Cisco AnyConnect client providing secure encrypted access to the company network for all devices, and the NetScaler Gateway with HDX SmartAccess providing access controls for the back-end infrastructure, this combined solution provides comprehensive end-to-end policy control for secure remote access.
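To make the two-stage decision in this use case concrete, the following Python model walks constructed endpoints through the Cisco ASA dynamic access policy tiers (Tier-1 and Tier-2 as defined above) and then through the NetScaler Gateway endpoint analysis check that selects the restrictive or nonrestrictive HDX SmartAccess session and filters the published applications. It is an added example and not Cisco, Citrix or the paper's own configuration; the attribute names, the LDAP group name, the company domain, the NetScaler virtual IP and the sample endpoints are assumptions, while the checks themselves (corp-asset-file.txt, mcshield.exe, Windows 7, antivirus and firewall presence) are the ones listed in this use case. The Tier-2 criteria are the same set the clientless use case later in the document assigns its portal bookmark on.

```python
"""Model of the two-tier remote-access policy described in the paper.

Stage 1 (Cisco ASA): HostScan results plus AAA and endpoint attributes select a
dynamic access policy: Tier-1 (company-owned device, unrestricted AnyConnect),
Tier-2 (non-company device, portal bookmark or AnyConnect restricted to the
NetScaler Gateway virtual IP), or no session at all.
Stage 2 (NetScaler Gateway): an endpoint analysis scan for mcshield.exe selects
a restrictive or nonrestrictive HDX SmartAccess session and filters the
published applications (WordPad is filtered; Calculator and Notepad are not).

Added illustration, not ASA or NetScaler code. Attribute names, the group name,
the company domain, the VIP and the sample endpoints are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

COMPANY_DOMAIN = "corp.example"       # placeholder for the domain checked in Figure 3
CORP_ASSET_FILE = "corp-asset-file.txt"
AV_PROCESS = "mcshield.exe"
TIER1_GROUP = "vpn-users"             # assumed LDAP group name
TIER_OS = {"Tier-1": {"Windows 7"}, "Tier-2": {"Windows 7", "Mac OS X"}}
NETSCALER_VIP = "198.51.100.10"       # placeholder virtual IP (TEST-NET-2 range)

# Published applications: value is the session policy the app is filtered on.
PUBLISHED_APPS: Dict[str, Optional[str]] = {
    "Calculator": None, "Notepad": None, "WordPad": "nonrestrictive"}


@dataclass(frozen=True)
class Endpoint:
    user: str
    ldap_groups: FrozenSet[str]
    os: str
    domain: Optional[str]           # domain the machine is joined to, if any
    files: FrozenSet[str]           # files HostScan found on the device
    processes: FrozenSet[str]       # running processes
    antivirus: Optional[str]        # antivirus product reported, if any
    firewall: Optional[str]         # personal firewall product reported, if any


def is_company_device(ep: Endpoint) -> bool:
    """The three HostScan checks of Figure 3: registry (domain), file, process."""
    return (ep.domain == COMPANY_DOMAIN
            and CORP_ASSET_FILE in ep.files
            and AV_PROCESS in ep.processes)


def asa_dynamic_access_policy(ep: Endpoint) -> Optional[dict]:
    """Stage 1: choose the DAP record; None means the ASA grants no session."""
    # Group membership and AV/firewall presence are required for both tiers.
    if TIER1_GROUP not in ep.ldap_groups or ep.antivirus is None or ep.firewall is None:
        return None
    if (is_company_device(ep) and ep.os in TIER_OS["Tier-1"]
            and ep.firewall == "Microsoft Windows Firewall"):
        return {"dap": "Tier-1", "anyconnect": True, "network_acl": "any"}
    if ep.os in TIER_OS["Tier-2"]:
        return {"dap": "Tier-2", "anyconnect": True, "network_acl": NETSCALER_VIP}
    return None


def netscaler_smartaccess(ep: Endpoint) -> dict:
    """Stage 2: session policy selected by the Gateway's mcshield.exe scan."""
    if AV_PROCESS in ep.processes:
        return {"policy": "nonrestrictive", "client_drive_mapping": True, "clipboard": True}
    return {"policy": "restrictive", "client_drive_mapping": False, "clipboard": False}


def visible_apps(ep: Endpoint) -> List[str]:
    """Published Applications Wizard filter: WordPad only in a nonrestrictive session."""
    policy = netscaler_smartaccess(ep)["policy"]
    return sorted(app for app, needs in PUBLISHED_APPS.items()
                  if needs is None or needs == policy)


def evaluate(ep: Endpoint) -> dict:
    """Run both stages; a device the ASA rejects never reaches the Gateway."""
    dap = asa_dynamic_access_policy(ep)
    if dap is None:
        return {"asa": None, "gateway": None, "apps": []}
    return {"asa": dap, "gateway": netscaler_smartaccess(ep), "apps": visible_apps(ep)}


# Constructed sample endpoints (not from the paper).
CORP_LAPTOP = Endpoint("alice", frozenset({TIER1_GROUP}), "Windows 7", COMPANY_DOMAIN,
                       frozenset({CORP_ASSET_FILE}), frozenset({AV_PROCESS, "explorer.exe"}),
                       "McAfee", "Microsoft Windows Firewall")
HOME_PC = Endpoint("bob", frozenset({TIER1_GROUP}), "Windows 7", None, frozenset(),
                   frozenset({"explorer.exe"}), "Avast", "ZoneAlarm")
NO_FIREWALL_PC = Endpoint("carol", frozenset({TIER1_GROUP}), "Windows 7", None, frozenset(),
                          frozenset(), "Avast", None)

if __name__ == "__main__":
    for endpoint in (CORP_LAPTOP, HOME_PC, NO_FIREWALL_PC):
        print(endpoint.user, evaluate(endpoint))
```

Running the module prints the decision for each sample endpoint. The point to notice is that the two stages are independent: the ASA decides whether a session exists and how far it can reach (any destination for Tier-1, only the NetScaler virtual IP for Tier-2), while the Gateway separately decides how much the HDX session may do, so a personal device that passes the ASA's Tier-2 checks still loses drive mapping, clipboard access and the filtered WordPad application unless its own endpoint analysis scan passes.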

Use Case: Cisco WebVPN (Clientless) and Cisco ASA with NetScaler Gateway and HDX SmartAccess

This use case (Figure 8) incorporates the Cisco ASA SSL VPN Edition and the NetScaler Gateway with HDX SmartAccess to provide comprehensive end-to-end secure remote access to company resources with a focus on access to a Citrix back end (XenDesktop and XenApp).

[Figure 8. Cisco WebVPN (Clientless) and Cisco ASA with NetScaler Gateway and HDX SmartAccess Use Case: Cisco ASA 5500-X in front of NetScaler Gateway, with Web Interface and StoreFront, XenApp, and XenDesktop behind it]

The role of Cisco ASA is to provide SSL VPN access to the company network for users using the Cisco WebVPN (clientless) solution. Cisco WebVPN could be the primary remote-access solution or an alternative choice for uncontrolled company assets. Cisco ASA, as mentioned earlier, provides comprehensive support for users accessing resources when Cisco WebVPN is used; however, what the solution lacks, and what the NetScaler Gateway can add, is HDX SmartAccess for more detailed, granular control over the XenApp and XenDesktop resources. As in the preceding use case, Cisco ASA assesses the posture of the user's device and assigns the dynamic access policy based on the specified criteria, which are less stringent because the user does not receive full network access when using Cisco WebVPN.

The NetScaler Gateway in this use case again protects the Citrix back end and is configured to work with StoreFront. The NetScaler Gateway also assesses the posture of the user's device with endpoint analysis and applies a filter based on the endpoint analysis scan results.

Typical Security Policy Example for Clientless Access

This example permits Cisco WebVPN (clientless) access to a user who meets the following requirements:

- Successfully authenticates and is a member of the Active Directory group
- Uses Microsoft Windows 7 or Mac OS X
- Uses any antivirus software
- Uses any personal firewall software

If the user meets these requirements, the user is assigned the Tier-2 dynamic access policy, which applies a bookmark on the portal to permit access to NetScaler and NetScaler Gateway (Figure 9).

Figure 9. Configuring Clientless Access Policy (check for any antivirus and any firewall software)

The policy configuration on the NetScaler Gateway is performed in the same way as shown in the preceding use case. After successfully logging in, the user is presented with a portal with the NetScaler Gateway URL published for access to StoreFront, with access subject to additional posture assessment by the NetScaler Gateway and HDX SmartAccess endpoint analysis scans (Figure 10).

Figure 10. Access Portal

Summary

As is evident from the preceding configuration, NetScaler Gateway provides access to XenApp and XenDesktop resources while being published as a bookmark on the Cisco web portal. After clicking the bookmark, the user is presented with the NetScaler Gateway login page (single sign-on [SSO] can be configured to eliminate this step). After the user enters the appropriate credentials, the user will be subject to the endpoint analysis scan and, depending on the results and the filter applied, the permitted applications will be available. With this use case, only the NetScaler Gateway and HDX SmartAccess can enforce the detailed policy to limit specific applications on XenApp or restrict certain functions for XenDesktop such as drive mapping and clipboard access.

Conclusion

This document provides information about individual Cisco ASA and NetScaler Gateway functions that are used by numerous organizations. For many Cisco ASA deployments with full VPN capabilities, NetScaler Gateway provides HDX SmartAccess policies and HDX Insight capabilities and integrates with XenApp and XenDesktop environments. Using these Cisco and Citrix solutions together provides enterprises with the flexibility they need from their investments.
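The two policy layers described in the use cases above, the Cisco ASA dynamic access policy that assigns Tier-2 to a clientless user (authenticated AD group member, Windows 7 or Mac OS X, any antivirus, any personal firewall) and the HDX SmartAccess filter that publishes WordPad only when endpoint analysis sees mcshield.exe running, can be modelled as one small evaluation pipeline. The following is an added example and not code from the Cisco or Citrix products or from this document; the Posture, Check and PublishedApp classes, the group name "Remote-Users", the bookmark label and the sample endpoints are constructed assumptions, not either product's configuration syntax. It goes slightly beyond the text by supporting file and registry checks alongside the process check, as the document notes the endpoint analysis scan can be configured for those.

```python
# Added example (not from the Cisco/Citrix document): a model of the two
# policy layers described in the use cases. Layer 1 is the Cisco ASA dynamic
# access policy (DAP) for clientless access; layer 2 is the NetScaler Gateway
# HDX SmartAccess filter on published applications. Class names, the AD group
# name and the sample posture data are constructed assumptions, not the
# configuration syntax of either product.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Posture:
    """What the ASA and the NetScaler endpoint analysis scan learned about the device."""
    authenticated: bool
    groups: FrozenSet[str]
    os_name: str
    antivirus: bool                             # any antivirus product present
    firewall: bool                              # any personal firewall present
    processes: FrozenSet[str] = frozenset()     # running processes (endpoint analysis)
    files: FrozenSet[str] = frozenset()         # files found on the endpoint
    registry: FrozenSet[str] = frozenset()      # registry values found on the endpoint


# Layer 1: Cisco ASA dynamic access policy for clientless (WebVPN) access.
REQUIRED_GROUP = "Remote-Users"   # assumed name; the document only says "the Active Directory group"
ALLOWED_OS = {"Windows 7", "Mac OS X"}


def assign_dap(p: Posture) -> str:
    """Return the DAP name. Any unmet requirement falls through to a deny policy."""
    if not p.authenticated or REQUIRED_GROUP not in p.groups:
        return "Deny"
    if p.os_name not in ALLOWED_OS:
        return "Deny"
    if not (p.antivirus and p.firewall):
        return "Deny"
    return "Tier-2"


def portal_bookmarks(dap: str) -> List[str]:
    """Tier-2 gets the NetScaler Gateway bookmark on the Cisco web portal; nothing else does."""
    return ["NetScaler Gateway (StoreFront)"] if dap == "Tier-2" else []


# Layer 2: NetScaler Gateway HDX SmartAccess filter on published applications.
@dataclass(frozen=True)
class Check:
    kind: str        # "process", "file", "registry" or "antivirus"
    value: str = ""  # name being looked for (unused for "antivirus")


@dataclass
class PublishedApp:
    name: str
    filters: List[Check] = field(default_factory=list)   # every check must pass


def check_passes(c: Check, p: Posture) -> bool:
    """Evaluate one endpoint analysis check; unknown check kinds fail closed."""
    if c.kind == "process":
        return c.value.lower() in {x.lower() for x in p.processes}
    if c.kind == "file":
        return c.value.lower() in {x.lower() for x in p.files}
    if c.kind == "registry":
        return c.value.lower() in {x.lower() for x in p.registry}
    if c.kind == "antivirus":
        return p.antivirus
    return False


def permitted_apps(apps: List[PublishedApp], p: Posture) -> List[str]:
    """Applications whose SmartAccess filters all pass for this endpoint."""
    return [a.name for a in apps if all(check_passes(c, p) for c in a.filters)]


def evaluate(apps: List[PublishedApp], p: Posture) -> Dict[str, object]:
    """Run both layers: a device that fails the ASA DAP never reaches the NetScaler filters."""
    dap = assign_dap(p)
    bookmarks = portal_bookmarks(dap)
    apps_seen = permitted_apps(apps, p) if bookmarks else []
    return {"dap": dap, "bookmarks": bookmarks, "apps": apps_seen}


# The publishing example from the document: Calculator and Notepad carry no
# filter; WordPad requires the mcshield.exe process.
APPS = [
    PublishedApp("Calculator"),
    PublishedApp("Notepad"),
    PublishedApp("WordPad", [Check("process", "mcshield.exe")]),
]

# Constructed sample endpoints.
COMPLIANT = Posture(True, frozenset({REQUIRED_GROUP}), "Windows 7", True, True,
                    processes=frozenset({"explorer.exe", "MCSHIELD.EXE"}))
NO_MCSHIELD = Posture(True, frozenset({REQUIRED_GROUP}), "Mac OS X", True, True,
                      processes=frozenset({"Finder"}))
NO_FIREWALL = Posture(True, frozenset({REQUIRED_GROUP}), "Windows 7", True, False,
                      processes=frozenset({"mcshield.exe"}))

if __name__ == "__main__":
    for label, p in [("compliant", COMPLIANT), ("no mcshield", NO_MCSHIELD), ("no firewall", NO_FIREWALL)]:
        print(label, evaluate(APPS, p))
```

The point the model makes explicit is that the two layers are independent and both fail closed: a device that does not satisfy every ASA requirement gets the deny policy and never sees the NetScaler bookmark, and a device that does reach the gateway still loses any application whose filter does not pass, so WordPad disappears for the otherwise compliant endpoint that is not running mcshield.exe while Calculator and Notepad remain.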

About Citrix

Citrix Systems, Inc. (NASDAQ:CTXS) transforms how businesses and IT work and people collaborate in the cloud era. With market-leading cloud, collaboration, networking and virtualization technologies, Citrix powers mobile workstyles and cloud services, making complex enterprise IT simpler and more accessible for 260,000 organizations. Citrix products touch 75 percent of Internet users each day and it partners with more than 10,000 companies in 100 countries. Annual revenue in 2011 was $2.21 billion. Learn more at www..

© 2013 Citrix Systems, Inc. All rights reserved. Citrix, Receiver, CloudGateway, ShareFile, HDX and XenDesktop are trademarks or registered trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.

About Cisco

Cisco Systems, Inc. (NASDAQ:CSCO) has shaped the future of the Internet by creating unprecedented value and opportunity for our customers, employees, investors and ecosystem partners and has become the worldwide leader in networking, transforming how people connect, communicate and collaborate. Annual revenue in 2013 was $12.4 billion. Learn more at www.

© 2013 Cisco Systems, Inc. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www./go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) 1113/PDF
