Page 1 of 22

Lab 16: pxGrid and WSA Integration

Lab Overview
This lab covers integration between Cisco Web Security Appliance (WSA) and Cisco Platform Exchange Grid
(pxGrid). In this lab, you will generate Certificate Signing Requests (CSR) on all the digital certificates required for
ISE, pxGrid, and HTTPS proxy. You will also perform configuration tasks on the Cisco Web Security Appliance (WSA)
and register the WSA as a pxGrid client to Cisco ISE. Additionally, you will download the Security Group Tag (SGT)
information. You will create a decryption policy and a web access policy.

Estimated Completion Time

60 minutes

Lab Procedures
• Configure ISE Certificates for REST and pxGrid

• Verify the WSA Configuration

• Configure Security Groups, Policy, and pxGrid on ISE

• Configure pxGrid on the WSA

• Create WSA Identity and Access Policies

• Test Corporate Policy

Perform Only If You Have Done a Reset

If you have performed a reset to this lab or are using the Global Knowledge e-Labs (meaning that you are
accessing the system after you have attended the 5 day course), you will need to prepare or verify the
environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Configure ISE Certificates for REST and pxGrid

A Cisco ISE deployment needs system certificates without wildcards in the subject or the subject alternative name
(SAN) to support REST API and pxGrid. In this exercise, you will generate a Certificate Signing Request and obtain a

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 2 of 22

certificate signed by an enterprise CA. Since both the pxGrid controller and clients in ISE, and the pxGrid client in
WSA are maintaining their own trust stores, there is no need to obtain certificates signed by a well-known CA.

1. Configure ISE Certificates.

1.1. From Admin-PC, use Firefox to log in to ISE as admin/admin$Pwd.

1.2. Inspect the existing system certificate. Navigate to Administration > System > Certificates > System
Certificates. Select ise Admin Wildcart Cert and then Edit.

Note: The certificate has a wildcard SAN - DNS:*.gklabs.com. Wildcard certificates cannot be used for pxGrid and
REST API operations.

1.3. Navigate to Certificate Signing Requests from the left Certificate Management panel and click Generate
Certificate Signing Requests (CSR). Configure as follows.

Attribute Value

Certificate(s) will be used for pxGrid

Node ise

Common Name (CN) $FQDN$

Organizational Unit (OU) pxGrid

Organization (O) GKLABS

City (L) Cary

State (ST) NC

Country (C) US

Key Length 2048

Digest to Sign With SHA-256

1.4. The request should look as follows.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 3 of 22

1.5. Click Generate.

1.6. Click OK on Successfully generate CSR(s) pop-up to close it.

1.7. Select ise#pxGrid then click View and select CSR Contents.

1.8. Select all contents and copy to clipboard, then click Close.

1.9.
In Firefox, open another tab and use the GK Certs bookmark to navigate to http://data-
srv.gklabs.com/certsrv and log in as admin/admin$Pwd.

1.10. Select Request a certificate > Advanced Certificate Request, and paste (Ctrl+V) the copied text from the
CSR into the text box for Base-64-encoded certificate request.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 4 of 22

1.11. Select Certificate Template pxGrid and click Submit.

1.12. On the Certificate Issued page, select Base 64 encoded and then click Download certificate.

1.13. Choose Save. Take note of the filename as in the figure below. Here it is certnew.cer; your file name may
be different.

1.14. After the file downloads, navigate to the Downloads folder and rename the file as ise-pxgrid.cer.

1.15. Close the browser tab for the AD Certificate Services.

Note: The root CA certificate that signed this certificate was previously imported for this ISE deployment. In case
your deployment has not yet imported the certificates of the CA chain previously, you should do so prior to
binding the system certificate in next step.

1.16. Return to ISE, select (check) the ise#pxGrid certificate, and then select Bind Certificate > Browse >
Downloads > ise-pxgrid.cer.

1.17. Configure as follows.

Attribute Value

Friendly Name Ise pxGrid

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 5 of 22

Validate Certificate Extenstions Enabled

Usage pxGrid

1.18. Click Submit. Your System Certificates should look as follows.

Task 2: Verify the WSA Configuration

The Cisco WSA has been configured for network operation. The HTTPS is enabled and will be configured for web
site decryption to deny employees from accessing Facebook.

2. Verify the WSA Network Configuration.

2.1. From the topology diagram, power on the WSA VM by right clicking it and choosing Play This VM. The VM
will take some time to boot.

2.2. From the Admin-PC, open another tab in Firefox and use the WSA bookmark to browse to
http://10.10.0.3:8080.

2.3. Log in with the default credentials admin/admin$Pwd.

2.4. Navigate to System Administration > Configuration Summary. Security Services should look as follows.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 6 of 22

Note: Web Proxy is enabled and set to Transparent. For the sake of simplicity, you will configure the endpoint for
explicit redirect. Transparent Mode supports explicit redirect. Also HTTPS Proxy is enabled to allow for SSL
Decrypt.

2.5. Administrative Settings should look as follows.

2.6. Network Settings should look as follows.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 7 of 22

Note: The configured hostname is wsa.gklabs.com, DNS is set to 10.10.1.25 (Data-Srv). The WSA is configured to
use a single interface: M1 for management and data using IP address 10.10.0.3 and default gateway 10.10.0.2
(L3-Switch).

2.7. Navigate to Security Services > Web Proxy and verify the default HTTP Ports to proxy are 80 and 3128.

2.8. Navigate to Security Services > HTTPS Proxy and verify the settings appear as below.

Note: The Root Certificate and Key for Signing have already been imported from the GKLABS CA. All Decryption
options are enabled and the default Invalid Certificate Options are set.

2.9. Navigate to Network > Certificate Management > Manage Trusted Root Certificates.

Note: The Data-Srv has already been imported as a Trusted Root.

Task 3: Configure Security Groups, Policy, and pxGrid on ISE

Cisco TrustSec Security Groups can be used to enforce network access. Two Security Groups (Employees and
Guests) will be used and assigned to ISE authorization rules. They will differentiate between 802.1X authenticated
employees and unauthenticated guests.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 8 of 22

In the later exercises, the WSA will subscribe to the TrustsecMetaData pxGrid capability and download the SGT
information. WSA identification profiles and web security access policies will be created to deny Social Media
access for users tagged with Employees and allow non-restricted Internet access for Admins.

3. Configure Security Groups.

3.1. Go back to the ISE GUI.

3.2. Navigate to Work Centers > TrustSec> Components > Security Groups.

3.3. The right-hand pane shows a list of built-in entries. You will use one security group from the list,
Employees, and you will create another called Admins.

3.4. Click Add and configure as follows.

Attribute Value

Name Admins

Description Admin Security Group

3.5. Click Submit.

3.6. Navigate to Policy > Policy Sets> Wired > Authorization.

3.7. Edit the Employee-Compliant rule and configure as follows.

Attribute Value

Name Employee-Compliant

Conditions Leave as is

Then Employee Access AND Employees (security group)

3.8. Click Done when finished.

3.9. To the right of Employee-Compliant, select and duplicate above. Then configure the new rule as follows.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 9 of 22

Attribute Value

Name Admin-Compliant

Conditions GKLABS:ExternalGroups EQUALS gklabs.com/Users/Domain Admins AND Network Access:EapTunnel

EQUALS EAP-FAST AND Network Access:EapChainingResult EQUALS User and machine both
succeeded AND Session:PostureStatus EQUALS Compliant

Then Employee Access AND Admins (security group)

3.10. Click Done and Save when finished.

4. Enable pxGrid.

4.1. Navigate to Administration > System> Deployment. Then select the ise node. Scroll down and enable the
pxGrid service.

4.2. Click Save when done.

4.3. Navigate to Administration > pxGrid Services and verify it shows Connected to pxGrid at the lower left
corner. The admin and mnt personas should also show as registered clients.

Note: It takes a several minutes to see Connected to pxGrid. You may monitor the progress via the ISE admin CLI
using the command show application status ise, and verifying the four pxGrid services are running. After the
services show as running, it will still be several minutes before the personas show as clients. Be patient, in

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 10 of 22

production this would be a onetime change. Refresh every two minutes; in development the Clients showed up
in about 5 minutes.

ise/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID

--------------------------------------------------------------------
…<Output Omitted>…
VA Service disabled
pxGrid Infrastructure Service running 11325
pxGrid Publisher Subscriber Service running 11658
pxGrid Connection Manager running 11585
pxGrid Controller running 11694
PassiveID Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled

4.4. Click the Settings tab and verify Automatically approve new accounts is selected.

Task 4: Configure pxGrid on the WSA

Cisco pxGrid requires that a pxGrid client, such as WSA, present a client digital certificate to secure connections to
the ISE pxGrid controller. It is best practice to use an enterprise CA to sign certificates for both the pxGrid client
and the ISE pxGrid node. In previous section, ISE pxGrid controller has been configured with a CA-signed pxGrid
certificate.

Note: pxGrid certificates use a customized template containing an EKU for both client authentication and server
authentication.

5. Configure WSA access logs.

5.1. In Firefox, access the WSA GUI.

5.2. Go to System Administration > Log Subscriptions.

5.3. Click accesslogs. Under Custom Fields (optional), add %m.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 11 of 22

Note: %m is used to troubleshoot authentication issues as it indicates the authentication mechanism used on the
transaction.

5.4. Click Submit. (Be patient here.)

5.5. Click Commit Changes > Commit Changes.

6. Configure Identity Services Engine on the WSA.

6.1. Navigate to Network > Identification Services > Identity Service Engine > Enable and Edit Settings.

6.2. Enter ISE Server: ise.gklabs.com.

6.3. Scroll down and, under WSA Client Certificate, select Use Generated Certificate and Key.

6.4. Click Generate New Certificate and Key.

6.5. Under Generate Certificate and Key, enter the following:

◾ Common Name: pxgrid.wsa.gklabs.com

◾ Organization: GKLABS

◾ Organization Unit: pxGrid

◾ Country: US

◾ Duration: 12 months

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 12 of 22

Note: The common name is chosen to be descriptive, and a short expiration (12 months) is used here for the self-
signed cert.

6.6. Click Generate.

6.7. Click Submit.

6.8. Click Commit Changes > Commit Changes.

6.9. Click Edit Settings.

6.10. Under WSA Client Certificate, Use Generated Certificate and Key, click Download Certificate Signing
Request.

6.11. Download and save the file; you should see WSA_ISE_csr.pem.

6.12. Edit with Notepad++, and highlight and copy everything in between starting from -----BEGIN CERTIFICATE
REQUEST---- to the end of -----END CERTIFICATE REQUEST---- .

6.13. In Firefox, open a new tab and use the GK Certs bookmark to go to http://data-srv.gklabs.com/certsrv and
log in as admin/admin$Pwd.

6.14. Click Request Certificate and then Advanced Certificate Request.

6.15. Paste into the Base-64 encoded certificate request. Select Certificate Template > pxGrid.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 13 of 22

6.16. Click Submit.

6.17. Select Base 64 encoded format and Download Certificate.

6.18. Save the file. (Make sure to take note of the file name on download. Most likely it is certnew.csr.)

6.19. After download, rename the file to wsa_pxgrid.cer.

6.20. Open the certificate, click Details and verify that the Enhanced Key Usage shows Client Authentication and
Server Authentication.

6.21. Click OK when finished with the verification.

6.22. Go back to the WSA and under WSA Client Certificate > Use Generated Certificate and Key > Signed
certificate, browse for the new signed certificate, WSA_pxgrid.cer.

6.23. Click Upload File. Notice that the Expiration Date changed to about 5 years from now. (This is based on the
pxGrid Template used to request the cert from the CA.)

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 14 of 22

6.24. Under Primary ISE pxGrid Node: > Certificate: click Browse… Navigate to Desktop\ISE\GKLABS CA\Data-
Srv Root Cert.cer and click Upload File.

6.25. Under ISE Monitoring Node Admin Certificate: > Certificate: click Browse… Navigate to
Desktop\ISE\GKLABS CA\Data-Srv Root Cert.cer and click Upload File.

6.26. Scroll to the bottom and under Test Communication with ISE Nodes, select Start Test; you should see that
all tests were completed successfully.

Checking DNS resolution of ISE pxGrid Node hostname(s) ...

Success: Resolved 'ise.gklabs.com' address: 10.10.2.50

Validating WSA client certificate ...

Success: Certificate validation successful

Validating ISE pxGrid Node certificate(s) ...

Success: Certificate validation successful

Validating ISE Monitorting Node Admin certificate(s) ...

Success: Certificate validation successful

Checking connection to ISE pxGrid Node(s) ...

Success: Connection to ISE pxGrid Node was successful.
Retrieved 18 SGTs from: ise.gklabs.com

Checking connection to ISE Monitorting Node (REST server(s)) ...

Success: Connection to ISE Monitorting Node was successful.
REST Host contacted: ise.gklabs.com

Test completed successfully

.

Note: If the connection to the ISE pxGrid server timed out, check ISE pxGrid Services page to see whether it is
waiting for approval on the pxGrid client registration.

6.27. Click Submit.

6.28. Select Commit Changes > Commit Changes.

6.29. Go back to the ISE GUI.

6.30. Navigate to Administration > pxGrid Services. Verify that the WSA has registered as a pxGrid client, and
has subscribed to the SessionDirectory and TrustSecMetadata Capabilities.

Note: This may take a moment to show. Click Refresh to monitor the progress. If it has been longer than five
minutes without success, reboot the WSA by accessing the CLI and issuing the reboot command.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 15 of 22

Task 5: Create WSA Identity and Access Policies

The WSA will use the Identification profiles to identify users authenticated with ISE and associate them to the
Security Group Tags (SGT). The WSA access policies then determine the corporate web security profiles based on
these SGTs. In this task, an identification profile will be created for ISE. A WSA access policy will be created to deny
802.1X authenticated users tagged with Employees from accessing Facebook.

7. Create an Identification Profile.

7.1. Access the WSA GUI.

7.2. Navigate to Web Security Manager > Authentication> Identification Profiles.

7.3. Click Add Identification Profile… and configure as follows.

Attribute Value

Client / User Identification Profile Settings

Name ID by ISE

User Identification Method

Identification and Authentication Transparently identify users with ISE

Fallback to Authentication Realm or Guest Privileges Block Transactions

7.4. Click Submit. Do not commit changes yet.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 16 of 22

7.5. Navigate to Web Security Manager > Web Policies > Access Policies.

7.6. Click Add Policy and configure as follows.

Attribute Value

Policy Settings

Policy Name ISE Corp Access

Policy Member Definition

Identification Profiles and Users Select One or More Identification Profiles

Identification Profile ID by ISE

Authorized Users and Groups Selected Groups and Users

7.7. Click No tags entered.

7.8. Under Secure Group Tags > Secure Group Tag Search, check Employees.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 17 of 22

7.9. Click Add and then click Done.

7.10. You should see that Employees has been included in the Authorized Secure Group Tags policy.

7.11. Click Submit. You should see the following:

7.12. Click (global policy) to override the default URL Filtering for ISE Corp Access.

7.13. Under Predefined URL Category Filtering, block Social Networking.

7.14. Click Submit when finished.

7.15. Select Commit Changes > Commit Changes. Your access policy should look as follows.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 18 of 22

Task 6: Test Corporate Policy

Organizations may have certain corporate security policies that they must observe. Among them would be for
corporate employees not to use social applications such as Facebook.

8. Test employee access from the User-PC.

8.1. Access the User-PC and log in as employee1/gklabs.

8.2. It will take some time, but wait for AnyConnect to run the System Scan and verify that the endpoint is
compliant and you have Network Access.

8.3. Access the L3-Switch and issue the command to verify the session.

L3-Switch#show authentication sessions int g0/2 details

Interface: GigabitEthernet0/2
MAC Address: 0050.5600.0022
IPv6 Address: Unknown
IPv4 Address: 10.10.10.20
User-Name: [email protected]
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Common Session ID: 0A0A02010000001D022F293D
Acct Session ID: 0x00000028
Handle: 0x95000011
Current Policy: POLICY_Gi0/2

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
ACS ACL: xACSACLx-IP-EMPLOYEE_ACL-5818b1de

Vlan Group: Vlan: 7

SGT Value: 4

Method status list:

Method State

mab Stopped
dot1x Authc Success

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 19 of 22

Note: The user has successfully logged on and has authenticated via 802.1X, and the session has been assigned
the SGT value of 4.

9. Configure browsing for explicit proxy and test the WSA pxGrid integration.

9.1.
On the User-PC, open Chrome and select Configure > Settings.

9.2. Click Show advanced settings and navigate to Network > Change proxy settings…

9.3. On the Connections tab, click LAN Settings and configure as follows.

Attribute Value

Automatically detect settings disable

Use a proxy server for your LAN enable

Address 10.10.0.3

Port 3128

9.4. Click OK twice and close the Settings tab.

9.5. On the User-PC, in Chrome and try to access https://www.facebook.com.

Note: You should see a message “This Page Cannot Be Displayed”.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 20 of 22

9.6. Also note that the site certificate is wildcard and issued by WSA HTTPS Proxy.

9.7. On the Admin-PC, use SecureCRT to log in to the WSA (10.10.0.3) as admin/admin$Pwd.

9.8. Issue in turn the commands: isedata, cache, and show. Note the IP-Name-SGT mapping.

wsa.gklabs.com> isedata

Choose the operation you want to perform:

- STATISTICS - Show the ISE server status and ISE statistics.
- CACHE - Show the ISE cache or check an IP address.
- SGTS - Show the ISE Secure Group Tag (SGT) table.
[]> cache

Choose the operation you want to perform:

- SHOW - Show the ISE ID cache.
- CHECKIP - Query the local ISE cache for an IP address

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 21 of 22

[]> show

IP Name SGT#
10.10.10.20 [email protected],host/User-PC.gklabs.com 4
10.10.10.50 00:50:56:00:00:24 0

9.9. Press Enter until you are placed back at the WSA prompt. Then tail the access log to view latest network
access activity by issuing the tail command followed by the number 1.

wsa.gklabs.com> tail

Currently configured logs:

1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll

…<Output Omitted>…

18. "ise_service_log" Type: "ISE Service Logs" Retrieval: FTP Poll

…<Output Omitted>…

Enter the number of the log you wish to tail.

[]> 1

1479307303.557 123 10.10.10.20 TCP_DENIED_SSL/403 0 GET https://www.facebook.com:443/

"[email protected],host/user-pc.gklabs.com" NONE/- - BLOCK_WEBCAT_12-ISE_Corp_Access-ID_by_ISE-NONE-
NONE-NONE-NONE < IW_snet,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_snet,-,"-","-
","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - SSO_ISE
1479307303.674 61 10.10.10.20 TCP_DENIED_SSL/403 0 GET https://www.facebook.com:443/favicon.ico
"[email protected],host/user-pc.gklabs.com" NONE/- - BLOCK_WEBCAT_12-ISE_Corp_Access-ID_by_ISE-NONE-
NONE-NONE-NONE < IW_snet,2.6,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_snet,-,"-","-
","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - SSO_ISE

Ctrl-C (to exit the log)

Note: You should see entries like the ones above. You may need to attempt to access Facebook again if other
sites have been browsed. The output to the access log will not be real time, rather, expect several seconds of
delay.

Use Ctrl-C to exit the log. Also of interest is log number 18, the ise service log.

9.10. Access the WSA GUI.

9.11. Navigate to Reporting > Users. Scroll Down and select employee1. Note the blocked transactions under
Policies matched.

9.12. Scroll down and note the Policies matched indicates the ISE Corp Access policy.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017
 Page 22 of 22

Note: It is left to you to test the User-PC as admin/admin$Pwd. If you do, remember to configure Chrome for
explicit proxy on 10.10.0.3 port 3128. You should be able to get to Facebook and your results will look as follows
from the WSA CLI.

9.13. Tail access logs output.

1479308464.566 399 10.10.10.20 TCP_MISS_SSL/200 2082 POST https://www.facebook.com:443/ajax/bz

"[email protected],host/user-pc.gklabs.com" DIRECT/www.facebook.com text/plain DEFAULT_CASE_12-
DefaultGroup-ID_by_ISE-NONE-NONE-NONE-DefaultGroup < IW_snet,2.6,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-
,-,IW_snet,-,"Unknown","-","Facebook General","Facebook","-","-",41.74,0,-,"Unknown","-",-,"-",-,-,"-","-
"> - SSO_ISE
1479308471.728 548 10.10.10.20 TCP_MISS_SSL/200 1886 POST https://www.facebook.com:443/ajax/bz
"[email protected],host/user-pc.gklabs.com" DIRECT/www.facebook.com text/plain DEFAULT_CASE_12-
DefaultGroup-ID_by_ISE-NONE-NONE-NONE-DefaultGroup < IW_snet,2.6,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-
,-,IW_snet,-,"Unknown","-","Facebook General","Facebook","-","-",27.53,0,-,"Unknown","-",-,"-",-,-,"-","-
"> - SSO_ISE

9.14. isedata, cache, show output.

IP Name SGT#
10.10.10.20 [email protected],host/User-PC.gklabs.com 16
10.10.10.200 [email protected] 0

10. Disable pxGrid.

10.1. Navigate to Administration > System> Deployment. Then select the ise node. Scroll down and disable the
pxGrid service.

10.2. Click Save.

Lab Complete

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L16.htm 20/09/2017