Clustering S670 and S680 problem.

tomek3b01
Level 1

Hi

I have to configure a cluster with two IronPorts, an S680 and an S670.

They have different DNS names and IP addresses. The interface names are the same.

AsyncOS is the same on both Cisco IronPorts: 8.0.8.

I found the instructions on how to configure a cluster (CLI), but I don't have the command "clusterconfig" on either IronPort.

I don't know why :(

 

---------------------

If I configure a cluster, does that mean that when one IronPort loses the connection, the second IronPort takes all the network traffic?

 

Thanks!!!

9 Replies

Web Security Appliance doesn't support clustering.

Only ESA supports clustering.

You can use Security Management Appliance for central management, logging...: http://www.cisco.com/c/en/us/products/security/content-security-management-appliance/index.html

If you need HA, please read my post at https://supportforums.cisco.com/discussion/12536321/wsa-etherchannel

Hope this helps..

Does that mean that when I have the S series I need the SMA for central management?

This is my first time with IronPort and my experience is poor :/

I want to create something like a backup... that means when one IronPort loses its connection etc., the second IronPort can automatically take the network traffic. Do I need an SMA for this solution?

central management = same, unified security policy - you need SMA

high availability - you have two standalone appliances managed separately; they can work in HA mode so if one appliance fails traffic will redirect to other appliance

you can also design HA environment by using load balancers (Citrix Netscaler for example)

automatic configuration backup: take a look at this post: https://supportforums.cisco.com/discussion/12388821/possibility-auditcompare-configuration-changes-ironport

Thank you.

I will try with F5 load balancer.

I found this information about configuring the proxy. I can try to use WCCP or a Proxy Auto Config file (.pac file). Do you think it is a good idea?

wccp-transparent redirection; you don't need F5 if you want to achieve HA solution

proxy pac-explicit forwarding of http(s) traffic; with newer versions you can configure two appliances to use shared IP to achieve HA (active/passive); similar to how VRRP works; you don't need F5 also

all design options are explained in user guide:

http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html
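An added example (not from the thread or from Cisco documentation): a PAC file for the explicit-proxy option discussed above that lists both appliances, so the browser itself fails over when one stops answering. The hostnames, port 3128 and the internal domain are placeholder assumptions.

```javascript
// Placeholder proxy addresses (assumptions, not values from the thread).
var PROXY_A = "PROXY wsa1.example.internal:3128";
var PROXY_B = "PROXY wsa2.example.internal:3128";

// Browsers supply these PAC helpers; the fallbacks only exist so the
// file can be exercised outside a browser (for example under Node).
if (typeof isPlainHostName === "undefined") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  var dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

// Deterministic hash: a given site always prefers the same appliance,
// which spreads load while keeping sessions on one proxy.
function hostBucket(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) % 65536;
  }
  return h % 2;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names go direct (assumed internal zone: .example.internal).
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Order decides failover: the browser tries the first entry, then the second.
  // There is no trailing "DIRECT", so if both appliances are down the
  // request fails closed instead of bypassing the web filter.
  return hostBucket(host) === 0
    ? PROXY_A + "; " + PROXY_B
    : PROXY_B + "; " + PROXY_A;
}
```
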

Thanks for your help :)

 

Hi

Look I found something about HA WSA:

https://supportforums.cisco.com/video/12358461/steps-configure-vrrp-virtual-router-redundancy-protocol-web-security-appliance

 

What do you think about this solution?

 

This is only applicable if you're using explicit proxy (eg setting proxy config in the browsers).  If you're using transparent redirection (WCCP or Layer 4 routing), this doesn't apply.

I am using explicit proxy (WPAD, and automatically finding the proxy in the browsers).

I have another question. How does the update for AsyncOS work?

Now I have 8.0.8 but it's not a new OS version. Why don't I see a new update?