topic Re: High Availability in Web Security

High Availability

Kelvin Willacey — Fri, 03 Dec 2010 20:43:16 GMT

Hi does anyone know if their is currently any high availability solution for the WSA? That is I can deploy two devices and when one fails the other takes over, thanks.

Re: High Availability

mark.dorsey — Sat, 04 Dec 2010 00:42:00 GMT

The IronPort does not offer the same "Failover" that is built into the BlueCoat product (if you are familiar with that one), so a couple of options could be to either use a load balancer or a PAC file to perform that function. I currently use a PAC file with a Return statement of: " PROXY x.x.x.x:8080; PROXY x.x.x.x:8080"; " in order to accomplish a poor man's fail-over. It is not a great solution in that the users’ browser has to time-out in order to utilize the second proxy and as well there are some caching issues... once that time-out occurs the browser must be restarted in order to utilize and or attempt to utilize the first proxy again. There are some custom options for setting IE to not cache in that manner... if you want to tinker under the hood at the registry level. In addition - for systems that can't utilize a PAC file I have a DNS record that round-robins the two proxy ip's... but this has its own caveats as well. Hope that helps!

Re: High Availability

ana.peric — Thu, 30 Dec 2010 16:27:30 GMT

Hi All,

Actually here is how you could achieve high availability if you use WSA boxes as transparent proxies:

1. Using WCCP as transparent redirection method - If you have Cisco (or WCCP enabled) router you could deploy 2 WSA's in different WCCP clusters (service groups), and make active-passive WSA design.

WSA-1 -------

wccp router --fa0/0------- clients

WSA-2 -------

Take a look at small diagram above.

If we suppose you clients traffic is flowing to wccp router's interface fa0/0, and WSA-s are logically connected to router as decribed:

1. configure ip wccp gorup X and Y on router.

ip wccp v2

ip wccp redirect-list

ip access-list e

deny something you do not want to send to WSA's

permit tcp any eq www

permit tcp any eq 443

2. configure WCCP group X (primary group) on WSA-1, with router ID that equals to some wccp loopback on wccp router (loopback is the best option bicause it is always reachable)

3. configure WCCP group Y (secondary WCCP service group) on WSA-2, with router ID that equals to some wccp loopback on router

4. The key point is configuration of WCCP redirection on router's interface:

int fa0/0

ip wccp redirect in

So what happens here: as long as the wccp service group with higher WCCP priority has WCCP Cach engines active, traffic will be redirected to primary WSA-1.

If WSA-1 is not reachable (and thus primary wccp group has no WCCP cache engines active), users traffic will be redirected to WSA-2 cache engine that belongs to WCCP secondary group with lower WCCP priority.

If you want whole router config, I could send you...

2. Method -Transparent redirection with PBR

Use policy based routing...

Set ip next-hot primaryIP and after that ip next-hop secondaryIP...

I hope I helped you...

If I was not clear (and this is most likely, since I'm working 12h now ), please tell me, I'll try to be more "understandable" .

Cheers,

Ana