topic wsa design and deployment guide in Web Security

wsa design and deployment guide

mulhollandm — Wed, 21 Aug 2013 23:10:41 GMT

folks

i have 2 data centres to deploy a number of wsa appliances into

i'll have 4 in each

the ironports will be deployed into dmzs on an internet facing firewall

on my internal network i'll have an load blancer directing traffic to the appliances in both data centres

is there a deployment guide for such a design setting out pros and cons or have any of you a link to a guide

thanks to anyone taking the time to read this or to reply

wsa design and deployment guide

Vance Kwan — Thu, 22 Aug 2013 05:48:00 GMT

Is there a specific reason why you would want your WSA in the DMZ? Deployments where you are servicing traffic from hosts behind a different interface of the firewall is typically not supported. But if you must, can you be a little more specific as to how you will be directing the traffic via the load balancer?

-Vance

wsa design and deployment guide

mulhollandm — Tue, 03 Sep 2013 12:28:12 GMT

vance

apologies for taking so long to get to you but i'm been off on other tasks

the proxies are in a dmz for policy reasons and they will also service traffic from other dmzs

clients will have the load balancer's ip configured as their explicit proxy and so forward all traffic, unless defined as an exception, to the load balancer

the load balancers will then forward traffic to the upstream ironports using round robin or least connections as the load balancing algorithm

i need to consider how to authenticate users from the dmz to the internal ad servers (i may just have to open a firewall rule for specific traffic) the context directory agent look like a viable option

at a later stage i may use the load balancer to send traffic for particular urls to particular ironports

thanks again

wsa design and deployment guide

Vance Kwan — Thu, 05 Sep 2013 04:48:50 GMT

This is going to be a complex deployment and there are things you need to consider. I do not believe there is a guide for this.

First off, when the traffic leaves the load balancer, what source IP will it have? Clients'?

-Vance

wsa design and deployment guide

Chris Illsley — Thu, 05 Sep 2013 08:07:27 GMT

Hi,

Regarding the authentication, the thing to remember this all goes by the management port, I don't know what ports it uses.

Could the management port be on the internal network?

Thanks

Chris

wsa design and deployment guide

mulhollandm — Thu, 05 Sep 2013 22:32:30 GMT

vance

thanks for getting back in touch

when the traffic leaves the load balancer the source ip will be the client address

i've installed the c670s today with m1 in my management dmz and p1in the proxy dmz

i've a bit to learn on these boxes it think

wsa design and deployment guide

mulhollandm — Thu, 05 Sep 2013 22:34:08 GMT

mooncat76

thanks for your reply

the management port has to be in the dmz

wsa design and deployment guide

Vance Kwan — Fri, 06 Sep 2013 04:37:49 GMT

Assuming that you can overcome the challenges of crossing the security zones on your Firewall, these deployments will work. Will you be giving your Intranet full access to the DMZ? Because that's what it sounds like you will need to do with this setup.

wsa design and deployment guide

Chris Illsley — Fri, 06 Sep 2013 13:24:16 GMT

Or just put the intranet as an exception either in the PAC file or browser settings.

Cheers

Chris

wsa design and deployment guide

mulhollandm — Sun, 08 Sep 2013 21:59:04 GMT

vance

i've implemented my topology

the internal lan has a load balancer

the web dmz manages web requests

the management dmz handles ssh/https management requests to the box

i now have to consider authentication methods

i have users in a number of domains that i need to authenticate, how can i do this?

i don't want to join a domain as the c670s are in a dmz

thanks again

wsa design and deployment guide

Chris Illsley — Mon, 09 Sep 2013 06:54:24 GMT

Hi,

You can configure one NTLM realm, for additional realms you will need to use LDAP.

Thanks

Chris