10-03-2011 02:02 AM
Hi ALL,
I want to ask something about IronPort web security: how can I connect 2 boxes for HA? On top of that, I already have 2 core switches in HSRP.
Regards
Prakash
10-03-2011 09:53 AM
Prakash,
HA for WSA boxes is a function of how you get the traffic to them. If you're using explicit proxy, you can configure the PAC file for failover, or use DNS to resolve the proxy and let the DNS determine where to send it (DNS LB). You could also use a web load balancer...
If you're using WCCP, you could run that on the HSRP router or set it on your firewall(s). If it's on the router, you need to subscribe both WSAs to both routers, and make sure the access lists for the WCCP directed at one WSA don't process traffic from the other WSA. (search the forum...)
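The PAC-file failover mentioned in the reply above, sketched as an added example that is not part of the original thread. The proxy hostnames, port 3128 and the `example.internal` suffix are placeholders, and the per-host spreading across both boxes goes slightly beyond plain failover.

```javascript
// Constructed example: hostnames, port and internal suffix are placeholders,
// not values from the thread. Two independent WSAs, no link between them.
var WSA = [
  "PROXY wsa1.example.internal:3128",
  "PROXY wsa2.example.internal:3128"
];

// Stable hash of the hostname: a given site always prefers the same WSA,
// while different sites spread across both boxes.
function hostBucket(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0; // keep within 32 bits
  }
  return h % WSA.length;
}

// Hosts that should bypass the proxy: single-label names, localhost,
// and the (assumed) internal DNS suffix.
function isInternal(host) {
  host = host.toLowerCase();
  return host.indexOf(".") === -1 ||
         host === "localhost" ||
         /\.example\.internal$/.test(host);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) {
    return "DIRECT";
  }
  var first = hostBucket(host.toLowerCase());
  var second = (first + 1) % WSA.length;
  // The browser tries entries left to right and moves to the next one when
  // a proxy does not answer, which is the failover.
  // There is deliberately no trailing "DIRECT": if both WSAs are down,
  // browsing fails closed instead of bypassing web filtering.
  return WSA[first] + "; " + WSA[second];
}
```

Whether to append `DIRECT` as a last entry is a policy decision: it keeps users online during a double outage, at the cost of unfiltered traffic.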
10-03-2011 10:39 AM
10-03-2011 11:42 AM
Prakash,
If you're wondering if there's a way to connect the two WSA boxes together, there isn't... they don't talk to one another at all. There's no passing of an IP between them, there's no "cluster" or "HSRP" facility, no "primary/secondary" relationship, no "copy my config from box 1"... none of that. (You CAN push a config from an SMA box, but that's a different thing...)
You implement HA for WSA via the traffic redirection mechanism...
Ken