Cisco WSA cluster and loadbalance

10-27-2022 06:16 AM
Is there a method to bring 3 WSAs into a cluster and do load balancing?
The intention is that 5000 to 700 number of user traffic should be equally taken by the WSAs (load balance).
If a WSA fails, traffic should be able to connect to a secondary WSA.
Labels: Web Security
10-27-2022 06:46 AM
If you're using explicit:
- you can configure the PAC file to know about them all and fail over
- use a load balancer
- if you're all Windows, use GPOs to configure different configs for different sites, with failover.

If you're using WCCP, then WCCP can handle that for you. You just add all of the WSAs to the WCCP group and make sure the ACL for which IPs to send to the WSAs denies the WSAs themselves (that way WSA1's traffic doesn't get sent to WSA2...). If a WSA goes down, WCCP will see the WSA leave, and will send the traffic to a different one...

10-29-2022 01:27 AM
Thank you @Ken Stieers
Does failover via WCCP have any delay?
10-28-2022 12:00 AM
Hi @manvik
As @Ken Stieers mentioned, it all depends on your network design and how you forward web traffic to the WSA.
[1] WSA by design has failover capability and not a load balancing feature (which is expected due to the traffic forwarding method).
[2] If you are using GPO to assign proxy settings to your clients, with a .PAC file or directly, you can redirect some of your traffic to WSA1 and, if it fails, use WSA2, and for the rest of your network redirect the traffic to WSA2 and, if it fails, WSA1. But please notice that if you are configuring two WSAs' IPs / URLs in your .PAC file and the 1st fails, your browser will still try to connect to the 1st proxy and, if there is no response, will try the 2nd one, so you will face some delay there.
Failover using the PAC file - Cisco Community
[3] In a transparent deployment, you can use weighted configuration and distribute the traffic between your WSAs.
[4] Lastly, if you have a load balancer, that will do the job for you.
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
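
The PAC-based failover described in the replies above, as an added example that is not part of any post in the thread: a PAC file that picks a primary WSA per destination host and lists the other appliances as fallbacks. The proxy hostnames, port 3128 and the three-appliance layout are assumptions for illustration.

```javascript
// Added example (not from the thread). Proxy names and port are placeholders.
var PROXIES = [
  "wsa1.example.internal:3128",
  "wsa2.example.internal:3128",
  "wsa3.example.internal:3128"
];

// Deterministic string hash: the same destination host always gets the same
// primary WSA, so one site's requests stay on one appliance.
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0; // keep within unsigned 32 bits
  }
  return h;
}

// Build "PROXY a; PROXY b; PROXY c" starting at the primary. The browser tries
// entries left to right, which is the failover (and its delay) described above.
// No trailing DIRECT: if every WSA is down, clients fail closed instead of
// bypassing web filtering.
function proxyChain(start) {
  var parts = [];
  for (var i = 0; i < PROXIES.length; i++) {
    parts.push("PROXY " + PROXIES[(start + i) % PROXIES.length]);
  }
  return parts.join("; ");
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names and loopback are not sent to the proxy.
  if (host === "127.0.0.1" ||
      (host.indexOf(".") === -1 && host.indexOf(":") === -1)) {
    return "DIRECT";
  }
  return proxyChain(hashHost(host) % PROXIES.length);
}
```

Hashing on the destination host spreads requests across the appliances rather than pinning each user to one; a PAC file cannot see appliance load, so the split is approximate.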

10-29-2022 01:20 AM
Thank you @amojarra
1. Got the point
2. Got the point
3. Any documentation for setting up weighted configuration?
Transparent uses WCCP? If WCCP, only HTTPS & SOCKS should reach WSA?
As I know, WSA does not process non-standard ports other than the above
4. Got the point
11-18-2022 01:57 AM
Sorry @manvik
I don't know how I missed your reply.
[1] Any documentation for setting up weighted configuration?
There are some guides in the user guide: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances - Connect, Install, and Configure [Cisco Secure Web Appliance] - Cisco
Depending on which device you are using to do the WCCP redirection, you need to check the user guide for that device, such as ASA or ...
[2] Transparent uses WCCP?
Yes
[3] If WCCP, only HTTPS & SOCKS should reach WSA?
WSA supports SOCKS proxy as well, and also supports WCCP version 2, with which you can redirect TCP/UDT any port number to WSA
[4] As I know, WSA does not process non-standard ports other than the above
Yes, you can enable SOCKS proxy from GUI > Security Services > Security Services
Again, sorry for the late reply.
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
