topic IronPort design and load balance in Web Security

IronPort design and load balance

Carlos Morais — Thu, 28 Jun 2012 16:39:49 GMT

I'm about to start a new project involving IronPort Web Security appliances. I have two S370 appliances and a couple of doubts regarding architecture and load balancing and I would like your help to clarify them. I'm sending a visio file (and also a jpeg image, just in case) attached with the current architecture and the desired position for the S370 appliances.

90% of the users will work with explicit proxy, but there are a few machines the aren't proxy aware, so it will be necessary to use also transparent proxy for this cases (http, https and ftp).

And my doubts are:

- Can I use WCCP redirection ingress in the VLAN X on the 6500 in order to get transparent proxy to work or are there any limitations?

- What is the best way to load balance the two proxies? Is it better to use WCCP or PAC file? I can also put the S370 appliances behind the CSM and redirect the traffic to proxies' virtual IP...

Thanks for your help.

Best regards,

Carlos

IronPort design and load balance

Ken Stieers — Thu, 28 Jun 2012 17:25:58 GMT

Hey Carlos,

Yes, I believe you can put it on the ingress on VLAN X, but do you want to? Is the pipe between the 6500 and the ASA a seperate VLAN? and wouldn't you rather put it there? or on Egress from the 6500? I'd put the WCCP as close to the internet exit as possible, so that the traffic that isn't bound for the internet doesn't get fed to the WSAs...

As far as load balancing goes, you'll have to do both WCCP and PAC file, since you have users that are both transparent (WCCP) and using proxy config...

I'm not sure how happy WCCP is going through the CSM, and that's just one complication that I'd skip completely if you can...

Ken

IronPort design and load balance

Carlos Morais — Tue, 10 Jul 2012 14:53:42 GMT

Hi, Ken.

Thanks for your answer and sorry for taking so long to get back to you. I'll take your guidelines into consideration... but I just have one additional doubt:

"The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA."

(http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_wccp.html#wp1135991)

So, assuming that I'm going to apply WCCP Redirect in the ASA, I'm still going to have a problem because although clients and IronPort appliances will be behind interface "Inside" of the ASA, they will be placed in different VLANs/subinterfaces, right?

Thank you,

Best regards,

Carlos Morais

IronPort design and load balance

Ken Stieers — Tue, 10 Jul 2012 15:00:45 GMT

No, you'll be fine... the section that you quoted is the salient point... You can subnet/route/etc behind the ASA, you just can't have the traffic between the client and the WSA have to go THROUGH the ASA (eg, no putting the WSA on the DMZ interface, and clients on the inside interface...)

Ken

IronPort design and load balance

Carlos Morais — Tue, 10 Jul 2012 15:06:12 GMT

Ok, thanks!

But (because I dind't explain myself very well - the question was not related with the diagram above), even if the ASA is responsible for routing traffic between client's subinterface and IronPort's subinterface (both behind "Inside" interface) I won't have any problem regarding WCCP redirection, right?

Best regards,

Carlos Morais

IronPort design and load balance

Ken Stieers — Tue, 10 Jul 2012 15:09:42 GMT

You mean that you're using the ASA as a router for the 2 vlans? You may have issues with that... at that point, the traffic between the VLANs is going "through the ASA" and it may not work...

IronPort design and load balance

Carlos Morais — Tue, 10 Jul 2012 15:22:51 GMT

Exactly, that was what I was afraid of. I'm not using ASA for routing traffic between (client and IronPort appliance) VLANs now, but I may use in the future and I just wanted to clarify this.

Thanks for your help!

Best regards,

Carlos Morais