cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
262
Views
0
Helpful
1
Replies

Cisco WSA Migration from Hardware to virtual

Hi,
We are using Cisco Secure Web Appliance (S690) as proxy servers(2 numbers) for Internet connection. Since the devices reaching EOS, we are planning to migrate it to VM.

Also at present the two appliances are in our DC and DR in standalone mode. After moving to VM, need to configure them in High availablility mode.

can anyone kindly help us out with specific recommendation and documents for above use case

1 Accepted Solution

Accepted Solutions

amojarra
Cisco Employee
Cisco Employee

Hello @rameshkumarnakka 

Hope you are doing well

There are a couple of items that I would like to share with you: 

[1] For migration, there won't be any issue, you can import the configuration from S690 to your S600v, kindly be advised that Network Configuration, Joining the Domain(s), certificates, and licenses should be configured separately. 

[2] Regarding the Virtual WSA, I would say it is best to take a look at these links before starting the deployment:

Ensure Proper Virtual WSA HA Group Functionality in a VMware Environment - Cisco

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-va-install-guide/virtual-appliance-install-guide.html

 

[3] WSA, has high availability feature, which is Active/Passive. If you are looking for Active/Active (load balance) I would suggest:

Load balancing using WCCP or using a Network Load Balancer. 

on the other hand (if you are using Explicit Deployment) you can have the load balance via PAC file or client's proxy configuration, by pointing some users to WSA-A and having WSA-B and secondary Proxy server and vise versa. 

[4] you can find the steps, limitations and considerations in deploying High Availability in user-guide : User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD(General Deployment) - Connect, Install, and Configure [Cisco Secure Web Appliance] - Cisco

 

[5] In case if you are using Kerberos and planning to use Network Load balancer, kindly review "Creating an Active Directory Realm for Kerberos Authentication Scheme" section of the user-guide:

User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD(General Deployment) - Acquire End-User Credentials [Cisco Secure Web Appliance] - Cisco

 

Please feel free to let us know if there are any questions or concerns.

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

 

 

View solution in original post

1 Reply 1

amojarra
Cisco Employee
Cisco Employee

Hello @rameshkumarnakka 

Hope you are doing well

There are a couple of items that I would like to share with you: 

[1] For migration, there won't be any issue, you can import the configuration from S690 to your S600v, kindly be advised that Network Configuration, Joining the Domain(s), certificates, and licenses should be configured separately. 

[2] Regarding the Virtual WSA, I would say it is best to take a look at these links before starting the deployment:

Ensure Proper Virtual WSA HA Group Functionality in a VMware Environment - Cisco

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-va-install-guide/virtual-appliance-install-guide.html

 

[3] WSA, has high availability feature, which is Active/Passive. If you are looking for Active/Active (load balance) I would suggest:

Load balancing using WCCP or using a Network Load Balancer. 

on the other hand (if you are using Explicit Deployment) you can have the load balance via PAC file or client's proxy configuration, by pointing some users to WSA-A and having WSA-B and secondary Proxy server and vise versa. 

[4] you can find the steps, limitations and considerations in deploying High Availability in user-guide : User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD(General Deployment) - Connect, Install, and Configure [Cisco Secure Web Appliance] - Cisco

 

[5] In case if you are using Kerberos and planning to use Network Load balancer, kindly review "Creating an Active Directory Realm for Kerberos Authentication Scheme" section of the user-guide:

User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD(General Deployment) - Acquire End-User Credentials [Cisco Secure Web Appliance] - Cisco

 

Please feel free to let us know if there are any questions or concerns.

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++