cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

6663
Views
5
Helpful
10
Replies
Highlighted
Beginner

Cisco Web Security Appliance Licensing for High Availability

Hi,

I would like to deploy Cisco S170 Web Security Applicance in HA mode.

My question is; What license are avaiable to ensure two appliances work in HA mode?

We have purchased the following licenses and not sure if HA will work;

2 x WSA-S170-K9 WSA S170 Web Security Appliance with Software

250 x WSA-WSP-5Y-S2 Web Premium SW Bundle (WREP+WUC+AMAL) 5YR, 200-499 Users

There are 250 users in our network.

1 ACCEPTED SOLUTION

Accepted Solutions
Collaborator

Cisco Web Security Appliance Licensing for High Availability

I'm not an expert on the licensing end, but as far as I know, there isn't a seperate license for HA of the WSA.  From a technical standpoint,  HA for the WSA is handled by how you get the traffic to the boxes.   The WSA's don't know about one another, they don't get "clustered" like the ESA's... 

10 REPLIES 10
Collaborator

Cisco Web Security Appliance Licensing for High Availability

I'm not an expert on the licensing end, but as far as I know, there isn't a seperate license for HA of the WSA.  From a technical standpoint,  HA for the WSA is handled by how you get the traffic to the boxes.   The WSA's don't know about one another, they don't get "clustered" like the ESA's... 

Beginner

Cisco Web Security Appliance Licensing for High Availability

We've used an ACE or some other type of load balancer for HA.

Beginner

Correct, licensing is per WSA

Correct, licensing is per WSA, with no additional licensing needed for HA as provided by WCCP clustering.
Bookmark it, we can blow it up later.

Cisco Web Security Appliance Licensing for High Availability

HI,

WSA does not have the Clustering Capability. You can however load balance the traffic via WCCP (transparent proxy Deployment) or via PAC files (Explicit Proxy Mode).

Regards,

Kush

Cisco Employee

I have been going through

I have been going through Support community questions and I noticed your question, we have a setup were HA is achieved by using PAC file which is pushed to users.

HTH

Beginner

We use netscalers to do an

We use netscalers to do an LDNS address sort of like  GSLB, which monitors the proxy port, it is sort of a dynamic dns with a low TTL, if the proxy goes down it changes the return address to the alternate ip.. by doing this, we don't have to proxy through the netscaler and use X-FF... 

Beginner

Hello Edward,Please, allow me

Hello Edward,

Please, allow me to resurect this old post. What method of HA did you implement? According to this conversation, I clearly understand that WSA can not perform a cluster, so we need to load balance according to our WCCP configuration on the ASA. 

Now, the question is about licensing. For example, if you did acquire 250 licenses, did you install 125 on WSA-1, and 125 on WSA-2???? Imagine that WSA-1 dies, now you just can use the 125 licenses from WSA-2???

Regards!

Collaborator

When you get the WSAs both

When you get the WSAs both boxes get the feature keys, but user count isn't tracked...

So when one fails, the boxes don't care that they're handling more...  In a VM world you can create and license as many as you need...

 

Beginner

Hi,The licensing portal

Hi,

The licensing portal allows you to generate different licenses for the two appliances both for 250 users. From there, you use WCCP to load share.

Beginner

Re: Hi,The licensing portal

Good day,

I would like to know if there is any document showing the step by step to perform load balancing and HA configuration between a WSA and vWSA through WCCP on a Cisco ASA Firewall.

On the other hand I have the doubt when this type of configuration is done as it is done so that when making some configuration change replicate in the two WSA (physical WSA and virtual vWSA).

Thank you in advance for the collaboration and help you give me.