
Cisco WSA cluster and loadbalance

manvik
Level 3

Is there a method to bring 3 WSAs into a cluster and do load balancing?

The intention is 5000 to 700 number of user traffic should be equally taken by the WSAs (load balance).

If a WSA fails, traffic should be able to connect to a secondary WSA.

 

6 Replies

Load balancing for WSAs is all in how you get the traffic to them.
If you're using explicit:
- you can configure the PAC file to know about them all and fail over
- use a load balancer
- if you're all Windows, use GPOs to configure different configs for different sites, with failover.
If you're using WCCP, then WCCP can handle that for you. You just add all of the WSAs to the WCCP group and make sure the ACL for which IPs to send to the WSAs denies the WSAs themselves (that way WSA1's traffic doesn't get sent to WSA2...). If a WSA goes down, WCCP will see the WSA leave, and will send the traffic to a different one...


Thank you @Ken Stieers 

Does failover via WCCP have any delay?

Not that I've noticed.

amojarra
Cisco Employee

Hi @manvik 

 

As @Ken Stieers mentioned, it all depends on your network design and how you forward web traffic to the WSA.

[1] WSA by design has failover capability and not the load balancing feature (which is expected due to the traffic forwarding method).

[2] If you are using GPO to assign proxy settings to your clients, with a .PAC file or directly, you can redirect some of your traffic to WSA1 and, if it fails, use WSA2, and for the rest of your network redirect the traffic to WSA2 and, if it fails, to WSA1. But please notice that if you are configuring two WSAs' IPs / URLs in your .PAC file and the 1st fails, your browser will still try to connect to the 1st proxy and, if there is no response, will try the 2nd one, so you will face some delay there.

Failover using the PAC file - Cisco Community

 

[3] In a transparent deployment, you can use a weighted configuration and distribute the traffic between your WSAs.

[4] Lastly, if you have a load balancer, that will do the job for you.

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++
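The PAC-file approach from the two replies above, as an added example that is not part of any reply in this thread: each client gets one of three WSAs as its primary proxy, with the other two as ordered fallbacks. The hostnames, port 3128 and the octet-sum bucketing are assumptions made for illustration.

```javascript
// Added example: PAC file spreading clients over three WSAs with failover.
// Hostnames and port are constructed placeholders, not values from the thread.
var WSA_PROXIES = [
  "wsa1.example.internal:3128",
  "wsa2.example.internal:3128",
  "wsa3.example.internal:3128"
];

// Sum the octets of a dotted IPv4 address; returns 0 for anything else,
// so clients without a usable IPv4 address all start at the first WSA.
function ipBucket(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return 0;
  var sum = 0;
  for (var i = 0; i < 4; i++) {
    var n = parseInt(parts[i], 10);
    if (isNaN(n) || n < 0 || n > 255) return 0;
    sum += n;
  }
  return sum;
}

// Build the ordered proxy list: the primary is picked from the client IP,
// the remaining WSAs follow as fallbacks. The browser tries them in order,
// so a dead primary costs one connection timeout before the next is used.
function proxyChainFor(clientIp) {
  var start = ipBucket(clientIp) % WSA_PROXIES.length;
  var chain = [];
  for (var i = 0; i < WSA_PROXIES.length; i++) {
    chain.push("PROXY " + WSA_PROXIES[(start + i) % WSA_PROXIES.length]);
  }
  // No trailing "DIRECT": if every WSA is down, requests fail instead of
  // silently bypassing web filtering.
  return chain.join("; ");
}

function FindProxyForURL(url, host) {
  // Single-label intranet names and loopback do not go through the proxy.
  if (host.indexOf(".") === -1 || host === "127.0.0.1") return "DIRECT";
  // myIpAddress() is supplied by the browser's PAC runtime; guard for other hosts.
  var ip = (typeof myIpAddress === "function") ? myIpAddress() : "";
  return proxyChainFor(ip);
}
```

Bucketing on the client address keeps each user on the same WSA while it is up; it spreads users evenly only as far as their addresses are evenly distributed.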

Thank you @amojarra 

1. Got the point
2. Got the point
3. Any documentation for setting up weighted configuration?
Transparent uses WCCP? If WCCP, should only HTTPS & SOCKS reach the WSA?
As far as I know, WSA does not process non-standard ports other than the above.
4. Got the point

 

Sorry @manvik 

I don't know how I missed your reply  

 

[1] Any documentation for setting up weighted configuration?

There are some guides in the user guide: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances - Connect, Install, and Configure [Cisco Secure Web Appliance] - Cisco

Depending on which device you are using to do the WCCP redirection, you need to check the user guide for that device, such as ASA or ...

 


[2] Transparent uses WCCP?

Yes  

[3] If WCCP, should only HTTPS & SOCKS reach the WSA?

WSA supports SOCKS proxy as well, and also supports WCCP version 2, with which you can redirect TCP/UDP on any port number to the WSA.

[4] As far as I know, WSA does not process non-standard ports other than the above

Yes, you can enable SOCKS proxy from GUI > Security Services > Security Services

User Guide for AsyncOS 14.5 for Cisco Secure Web Appliance - GD (General Deployment) - Intercepting Web Requests [Cisco Secure Web Appliance] - Cisco

Again, sorry for the late reply.

Regards,

Amirhossein Mojarrad
