Cisco WSA Traffic Flow with Load Balancer

Mandeep singh5
Level 1

Hello All,

We have 2 WSAs in the DC and a Citrix load balancer. Our requirement is to utilize both ISPs from the Cisco WSAs. So, what will the traffic flow be if we use the Citrix Load Balancer for load balancing? We're using a browser-based explicit proxy for all users.

Can anyone explain the traffic flow and interconnection of the WSA in terms of file analysis with TG? If we're going to use a load balancer, then how will the traffic flow / be load-balanced, and will the WSAs still be able to send files to the on-prem TG for file analysis?

@amojarra @webproxy @wsa


balaji.bandi
Hall of Fame

The traffic flow should be as follows (I suggest using WPAD if you are looking at a browser proxy):

users ---LB ---(P1) WSA (P2) - outside to internet ---FW --ISP

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji,

First of all, we are not going to use a PAC file. Instead, we simply define the proxy server details in the browser proxy settings.

Second, I'm clear on the traffic flow you've sent. My only concern is that we have an on-prem TG as well for file analysis. So, in the case of a load balancer, does it cause any issue if the WSA is going to send data from its P1 interface to the TG Clean interface for file analysis?

You need to make a small network diagram of how your network is connected.

If you point the browser proxy settings at a proxy, you need to point them to the VIP IP of the LB.

TG depends on where it is located in the network and on the routing; you are going to configure the TG in the WSA, so the WSA can look to connect to it. (Maybe you need to look at the TG on-premises deployment guide.)

Check some deployment guides:

https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-740816.pdf

Attached is a guide I used (but with TG in the cloud); instead of F5 we used a Citrix LB.

BB


amojarra
Cisco Employee

Hello Balaji

Hope you are doing fine,

From the client side, most probably you are adding the LB's IP address as the proxy server, which balances the HTTP and HTTPS traffic.

Regarding the TG, the WSA will communicate with the TG from its interface IP and some random port number, sending the traffic to your TG server (most probably TCP 443).

So the traffic going out from the WSA to the TG will not get balanced on the return path; on the other hand, you can have the M1 interface communicate with your TGs.


Feel free to let us know if there are any questions or concerns.


Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++        If you find this answer helpful, please rate it as such      ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

"You can have the M1 interface communicate with your TGs." - Makes sense; the M1 interface should be aware of that routing.

BB


All our M1 interfaces will be in the same subnet. The TG Clean interface and the WSA P1 interface will be on the same subnet. So, we will make the integration between the Clean and P1 interfaces rather than M1.

amojarra
Cisco Employee

So if they are on the same subnet, the traffic going out from the WSA's P1 interface will never hit your LB.

The only item you need to consider in your design is choosing the best algorithm for the LB, let's say with both source IP and destination IP; in this case, the traffic for downloading one file will always go to the same WSA, and that WSA will communicate with one of your TGs.

Regards,

Amirhossein Mojarrad


What will happen if we do load balancing on the basis of source IP only? Does that create any issue?

When I pointed at source IP and destination IP, I meant not to use the port number.
If you are choosing just source IP, then traffic from one client will always be redirected to one WSA, and there won't be any issue in file consistency.


Regards,

Amirhossein Mojarrad

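As an added illustration of why the persistence key matters (example code written for this page, not part of the thread and not Citrix or Cisco code): the simulation below hashes every connection of a client's download to one of two WSAs under the three keys discussed above, and reports which clients end up spread across both appliances. The hash function, the WSA pool names and the sample flows are assumptions.

```python
"""Added example (not from the thread, not Citrix/Cisco code): simulate how the
load balancer's persistence key decides whether every connection of one
client's download reaches the same WSA. Hash, pool names and flows are assumed."""
import hashlib
from collections import defaultdict

WSA_POOL = ["wsa-1", "wsa-2"]  # assumption: the two WSAs behind the Citrix VIP


def pick_wsa(key_fields, pool=WSA_POOL):
    """Map a persistence key (tuple of fields) to one WSA.
    A stable SHA-256 digest stands in for the LB's own hashing (assumption)."""
    digest = hashlib.sha256("|".join(map(str, key_fields)).encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def distribute(flows, method):
    """Return {client_ip: set of WSAs hit} for one LB method.
    flows: iterable of (client_ip, client_port, destination_ip).
    'source_ip'  -> key is the client IP only
    'src_dst_ip' -> key is client IP + destination IP (no ports, as in the
                    accepted answer)
    'five_tuple' -> key also includes the client's ephemeral source port"""
    used = defaultdict(set)
    for src_ip, src_port, dst_ip in flows:
        if method == "source_ip":
            key = (src_ip,)
        elif method == "src_dst_ip":
            key = (src_ip, dst_ip)
        elif method == "five_tuple":
            key = ("tcp", src_ip, src_port, dst_ip, 443)
        else:
            raise ValueError(f"unknown method: {method}")
        used[src_ip].add(pick_wsa(key))
    return dict(used)


def split_clients(flows, method):
    """Clients whose connections landed on more than one WSA, i.e. where a
    multi-connection download could be scanned by two different appliances."""
    return sorted(ip for ip, wsas in distribute(flows, method).items()
                  if len(wsas) > 1)


# Constructed sample: client 10.1.1.10 opens 40 parallel connections (browser
# parallelism / range requests) to one origin; client 10.1.1.11 opens 10.
SAMPLE_FLOWS = ([("10.1.1.10", p, "203.0.113.5") for p in range(50000, 50040)]
                + [("10.1.1.11", p, "203.0.113.5") for p in range(51000, 51010)])
```

With the source-IP or source+destination-IP key, `split_clients` is empty; once the ephemeral port is part of the key, the 40-connection download is spread over both WSAs.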