06-18-2015 02:09 AM
Hi
I have to configure a cluster with two IronPort appliances, an S680 and an S670.
They have different DNS names and IP addresses. The interface names are the same.
AsyncOS is the same on both Cisco IronPort appliances: 8.0.8.
I found the instructions on how to configure a cluster (CLI), but I don't have the "clusterconfig" command on either IronPort.
I don't know why :(
---------------------
If I configure a cluster, does that mean that when one IronPort loses its connection, the second IronPort takes all the network traffic?
Thanks!!!
06-18-2015 02:27 AM
Web Security Appliance doesn't support clustering.
Only ESA supports clustering.
You can use Security Management Appliance for central management, logging...: http://www.cisco.com/c/en/us/products/security/content-security-management-appliance/index.html
If you need HA, please read my post at https://supportforums.cisco.com/discussion/12536321/wsa-etherchannel
Hope this helps..
06-18-2015 02:44 AM
Does that mean that when I have the S series I need the SMA for central management?
This is my first time with IronPort and my experience is poor :/
I want to create something like a backup... that means when one IronPort loses its connection etc., the second IronPort can automatically take the network traffic. Do I need the SMA for this solution?
06-18-2015 02:55 AM
central management = same, unified security policy - you need SMA
high availability - you have two standalone appliances managed separately; they can work in HA mode so if one appliance fails traffic will redirect to other appliance
you can also design HA environment by using load balancers (Citrix Netscaler for example)
automatic configuration backup: take a look at this post: https://supportforums.cisco.com/discussion/12388821/possibility-auditcompare-configuration-changes-ironport
06-18-2015 03:03 AM
Thank you.
I will try with F5 load balancer.
I found this information about configuring the proxy. I can try to use WCCP or a Proxy Auto Config file (.pac file). Do you think it is a good idea?
06-18-2015 03:12 AM
wccp-transparent redirection; you don't need F5 if you want to achieve HA solution
proxy pac-explicit forwarding of http(s) traffic; with newer versions you can configure two appliances to use shared IP to achieve HA (active/passive); similar to how VRRP works; you don't need F5 also
all design options are explained in user guide:
http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html
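An added example, not part of the original replies: a PAC file for the explicit-forwarding option mentioned above, listing two appliances so the browser fails over from one to the other. The proxy hostnames, port 3128 and the bypass suffix are assumptions, not values from this thread.

```javascript
// Added example: PAC file for two explicit-forward proxies.
// Hostnames and port are placeholders (assumptions), not values from the thread.
var PROXIES = ["wsa1.example.internal:3128", "wsa2.example.internal:3128"];

// Internal suffixes that bypass the proxies (constructed sample list).
var BYPASS_SUFFIXES = [".example.internal"];

// Small deterministic string hash: a given host always maps to the same
// first-choice proxy, so load is spread while sessions stay on one appliance.
function hostHash(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0; // keep within unsigned 32 bits
  }
  return h;
}

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and internal suffixes are fetched directly.
  if (host.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (endsWith(host, BYPASS_SUFFIXES[i])) return "DIRECT";
  }

  // First choice by hash; the other appliance is the failover entry.
  var first = hostHash(host) % PROXIES.length;
  var second = (first + 1) % PROXIES.length;

  // No trailing "DIRECT": if both appliances are unreachable the request
  // fails instead of silently bypassing web filtering.
  return "PROXY " + PROXIES[first] + "; PROXY " + PROXIES[second];
}
```

Browsers try the entries in order, so the second appliance is used only when the first does not answer; the shared-IP (active/passive) option from the reply needs only a single `PROXY` entry pointing at the shared address.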
06-18-2015 04:12 AM
Thanks for your help :)
06-24-2015 12:24 AM
Hi
Look I found something about HA WSA:
https://supportforums.cisco.com/video/12358461/steps-configure-vrrp-virtual-router-redundancy-protocol-web-security-appliance
What do you think about this solution?
06-25-2015 08:10 AM
This is only applicable if you're using explicit proxy (eg setting proxy config in the browsers). If you're using transparent redirection (WCCP or Layer 4 routing), this doesn't apply.
06-29-2015 12:17 AM
I am using explicit proxy (WPAD, and automatically find proxy in the browsers).
I have another question. How does the update for AsyncOS work?
Now I have 8.0.8 but it's not a new OS version. Why don't I see a new update?