Solved: Re: Best Practice PAC Location on WSA

LY YIHEANG · ‎06-01-2023

Dear Team,

We have two WSA running in explicit proxy. We would like to store proxy pac file on WSA and we want client go with primary WSA as always and failover only if Primary WSA down.

So is there any way to archive this goal?

Note: Normally Proxy PAC configuration can be only configure with one specific URL/Location

Ken Stieers · ‎06-01-2023

What the customer really wants isn't possible with what you have.
You could host it on both boxes, and DNS for the PAC file location could point at both boxes, but round robin DNS won't get you to the backup box if the primary is down.
You'd need a load balancer that's doing either true LB, or DNS based where it gives out the DNS of the box that's up, the way global load balancing works.

View solution in original post

Ken Stieers · ‎06-01-2023

If you're running 11.0 or later (and you should be, 14.x is available), you can set up the WSAs in a High Availablity configuration. Its using CARP, so you get a Virtual IP that the WSAs pass back and forth, your PAC file would be the same, hosted on both boxes, and it should be configured to direct traffic to the VIP.
https://medium.com/@abhijitanand/deploy-cisco-web-security-appliance-in-4-steps-3bc1eed14b8e

LY YIHEANG · ‎06-01-2023

Dear Team,

Since we required to have WSA jn different location, it don’t think we can do with HA. So is there any alternative solution? Example DNS,…

Note: we don’t have Load Balancer

Ken Stieers · ‎06-01-2023

I think you can configure the PAC file to do it...

LY YIHEANG · ‎06-01-2023

Yes ken. My question is about location since customer wants to store the pac file on both WSA and we cannot configure 2 PAC location on endpoint device. So what is the best practice to archive this goal ?

Ken Stieers · ‎06-01-2023

What the customer really wants isn't possible with what you have.
You could host it on both boxes, and DNS for the PAC file location could point at both boxes, but round robin DNS won't get you to the backup box if the primary is down.
You'd need a load balancer that's doing either true LB, or DNS based where it gives out the DNS of the box that's up, the way global load balancing works.

amojarra · ‎06-02-2023

Hi @LY YIHEANG

You can host it on Both WSAs.

then create an A record in your DNS server, such as PAC.network.local and put the TTL for that record to 0 ( no cache ) and point it to WSA1.

If WSA1 failed, you can update the DNS record to 2nd WSA's IP address.

Also be advised that, the PAC file also will be cached in the browser. so for the newly logged-in users or expired PAC users you will face issue, in the time duration between changing the A record.

on the other hand if WSA1 is completely down, ( not just some internal services are down), if browser resolves 2 IP for your PAC, it will try the 2nd PAC host.

Last but not least, you can configure Both WSA's IP in the PAC file it self, as a failover, you will face latency when WSA1 is down, since Browser will always try to reach to 1st Proxy IP then 2nd Proxy IP.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

LY YIHEANG · ‎06-02-2023

Dear @amojarra ,

For updating DNS Record, I need to update manually to WSA1 IP Address?

For PAC Failover, Can we have any way to prevent browser try to reach failed WSA1? or enhance the timeout?

Thank You

amojarra · ‎06-03-2023

Hi @LY YIHEANG

thanks for reaching out

[1] For updating DNS Record, I need to update manually to WSA1 IP Address? Yes, if WSA1 in under maintenance or not responding to Proxy requests or PAC requests, and you want to to redirect your clients to ask for PAC file from WSA2, you need to manually change the IP in your DNS server for that A record.

[2] For PAC Failover, Can we have any way to prevent browser try to reach failed WSA1? or enhance the timeout? Unfortunately, I have to say No, PAC file is not Cisco's product and the Browsers behavior is completely related to the browsers themself. but as far as I recall, they start from the 1st Proxy, unless there are some enhancement in the browsers to remember which Proxy was unresponsive and hold redirecting traffic to them for a while.

[3] what I believe is you have these concerns :

[3-1] How to redirect traffic to 2nd WSA if first WSA failed.

[3-2] How to host the PAC file in a place which if something happens to first WSA, the 2nd one response

if you are planning to have both WSAs in a failover ( Active-Passive) we have failoverconfig in WSA which you can do this, in this case, WSAs will pick a Virtual IP, and the active one response to the Proxy requests, and if Active failed, automatically the 2nd WSA will be in charge of responding to the Proxy requests .

so in this case, you just have one Virtual IP address which you can set in your PAC file.

for more information, please check "Configuring Failover Groups for High Availability" from user guide : User Guide for AsyncOS 14.5 for Cisco Secure Web Appliance - GD (General Deployment)

And if you want to have Active-Active, then you need to customize the DNS records, and do some manual configurations, if one of the WSAs failed.

Mostly using WCCP ( for transparent proxy) or Load balancer is more efficient for Active-Active production.

Hope, that meets your expectation, please feel free to let us know, if there are any questions or concerns,

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++