We are already enabled but our S170 is dog slow when doing anything in the management GUI, and even slow to respond in an SSH session.
We have about 160 employees, perhaps 250 machines including servers. We have two 200/200 Mbps internet connections into Ecessa PL-600 load balancers. Is our S170 slow because we are just overkill for this thing? I was thinking of converting it to a virtual appliance, but then we lose Layer 4 monitoring, but that may be a moot point because we have a third party IDS/IPS that is very good at catching that kind of thing.
| Description | Status | Time Remaining | Expiration Date |
|---|---|---|---|
| Cisco L4 Traffic Monitor | Active | Perpetual | N/A |
| Cisco HTTPS Proxy | Active | Perpetual | N/A |
| File Reputation | Active | 296 days | Sat Feb 3 05:25:24 2018 |
| Cisco Web Usage Controls | Active | 297 days | Sun Feb 4 04:29:32 2018 |
| Sophos | Active | 297 days | Sun Feb 4 04:29:27 2018 |
| File Analysis | Active | 296 days | Sat Feb 3 05:25:23 2018 |
| Webroot | Active | 297 days | Sun Feb 4 04:29:18 2018 |
| Cisco Web Proxy & DVS Engine | Active | Perpetual | N/A |
| Cisco AnyConnect Secure Mobility | Active | Perpetual | N/A |
| Cisco Web Reputation Filters | Active | 297 days | Sun Feb 4 04:29:42 2018 |
My S100v definitely performs better than my S170, I've got about 400 users, and 150 servers.... 2 100meg pipes to the internet.
I'm looking at going to a S300V because my logging drive gets full...
You can make L4TM work on VMware but it's not worth the effort, especially so with an IPS in place.
I need to start researching how to migrate to the virtual appliance. So you have both, a virtual and an S170? How does that work? Do you only break out the S170 if there is an issue with the virtual?
Right now Cisco ASA 5525X use WCCP and transparent web proxy to our one and only S170. If the S170 fails or gets a software upgrade, the internet continues to work, although unfiltered. I have yet to test if you can put multiple WCCP addresses in the ASA firewall and how the firewall would behave. Would it do a load balancing? How? Round robin? Would it just utilize the first entry unless it becomes unreachable?
Where can I read more about this?
We actually live totally on the virtual box, and I use the hardware for testing.
The way WCCP works is that the proxy "subscribes" to the data... if it's not there, the router/fw just passes it through... if there are two, it sees that the one isn't participating and just sends it all to the other one.
It will load balance the requests; how it does so is based on your config in the WSA. Google "WCCP load balancing".
The one other tweak is the ACL you set up on the firewall has to be set to deny for both/all of the WSAs, otherwise your traffic could end up hitting both...
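An added illustration of the redirect ACL tweak described in the reply above; this is not configuration posted by anyone in the thread. The ACL names, the interface name `inside`, and all addresses (two WSAs at 192.0.2.11 and 192.0.2.12, clients in 192.0.2.0/24) are constructed placeholders.

```text
! Group list: the WSAs allowed to register with the ASA as WCCP caches
! (constructed addresses)
access-list WCCP-SERVERS extended permit ip host 192.0.2.11 any
access-list WCCP-SERVERS extended permit ip host 192.0.2.12 any

! Redirect list: deny every WSA first, so traffic a proxy sends out on
! behalf of a client is never redirected back to itself or to the other WSA
access-list WCCP-REDIRECT extended deny ip host 192.0.2.11 any
access-list WCCP-REDIRECT extended deny ip host 192.0.2.12 any

! Then redirect client web traffic
access-list WCCP-REDIRECT extended permit tcp 192.0.2.0 255.255.255.0 any eq www

! Bind both lists to the standard web-cache service and enable redirection
! on the client-facing interface
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SERVERS
wccp interface inside web-cache redirect in
```

With no WSA registered in the service group the ASA forwards web traffic normally, which matches the unfiltered fail-open behaviour described earlier in the thread.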