cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
8064
Views
5
Helpful
10
Replies
edwardwaithaka
Beginner

Cisco Web Security Appliance Licensing for High Availability

Hi,

I would like to deploy Cisco S170 Web Security Applicance in HA mode.

My question is; What license are avaiable to ensure two appliances work in HA mode?

We have purchased the following licenses and not sure if HA will work;

2 x WSA-S170-K9 WSA S170 Web Security Appliance with Software

250 x WSA-WSP-5Y-S2 Web Premium SW Bundle (WREP+WUC+AMAL) 5YR, 200-499 Users

There are 250 users in our network.

1 ACCEPTED SOLUTION

Accepted Solutions
Ken Stieers
Engager

I'm not an expert on the licensing end, but as far as I know, there isn't a seperate license for HA of the WSA.  From a technical standpoint,  HA for the WSA is handled by how you get the traffic to the boxes.   The WSA's don't know about one another, they don't get "clustered" like the ESA's... 

View solution in original post

10 REPLIES 10
Ken Stieers
Engager

I'm not an expert on the licensing end, but as far as I know, there isn't a seperate license for HA of the WSA.  From a technical standpoint,  HA for the WSA is handled by how you get the traffic to the boxes.   The WSA's don't know about one another, they don't get "clustered" like the ESA's... 

View solution in original post

We've used an ACE or some other type of load balancer for HA.

Correct, licensing is per WSA, with no additional licensing needed for HA as provided by WCCP clustering.
Bookmark it, we can blow it up later.
Kush Srivastava
Beginner

HI,

WSA does not have the Clustering Capability. You can however load balance the traffic via WCCP (transparent proxy Deployment) or via PAC files (Explicit Proxy Mode).

Regards,

Kush

amatahen
Cisco Employee

I have been going through Support community questions and I noticed your question, we have a setup were HA is achieved by using PAC file which is pushed to users.

HTH

VeNoMouSNZ
Beginner

We use netscalers to do an LDNS address sort of like  GSLB, which monitors the proxy port, it is sort of a dynamic dns with a low TTL, if the proxy goes down it changes the return address to the alternate ip.. by doing this, we don't have to proxy through the netscaler and use X-FF... 

alexdelangel
Beginner

Hello Edward,

Please, allow me to resurect this old post. What method of HA did you implement? According to this conversation, I clearly understand that WSA can not perform a cluster, so we need to load balance according to our WCCP configuration on the ASA. 

Now, the question is about licensing. For example, if you did acquire 250 licenses, did you install 125 on WSA-1, and 125 on WSA-2???? Imagine that WSA-1 dies, now you just can use the 125 licenses from WSA-2???

Regards!

When you get the WSAs both boxes get the feature keys, but user count isn't tracked...

So when one fails, the boxes don't care that they're handling more...  In a VM world you can create and license as many as you need...

 

Hi,

The licensing portal allows you to generate different licenses for the two appliances both for 250 users. From there, you use WCCP to load share.

Good day,

I would like to know if there is any document showing the step by step to perform load balancing and HA configuration between a WSA and vWSA through WCCP on a Cisco ASA Firewall.

On the other hand I have the doubt when this type of configuration is done as it is done so that when making some configuration change replicate in the two WSA (physical WSA and virtual vWSA).

Thank you in advance for the collaboration and help you give me.

Content for Community-Ad