Deployment of Ironport

Hi,

Just want to ask if IronPort can be deployed in inline mode to the internet?

If so, does IronPort support NAT configuration?

Possible deployment will be:

    Internet
        |
    WSA Ironport
        |
    Internal Network
        |                |
    Transparent      Explicit

Accepted Solution

Richard,

There is no inline deployment option. You either redirect traffic to it via a layer 4 switch (WCCP/policy-based routing) or explicitly via proxy settings on the client. I've already entered tickets for the interface references to "in-line" to be removed.

Ken
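Ken's reply names two ways of getting traffic to a WSA that is not in the forwarding path: redirection by the network (WCCP or PBR) or explicit proxy settings on the client. The explicit option is usually distributed as a PAC file. The following is an added example, not from the thread or from Cisco's documentation; the WSA hostname and listening port (3128), the internal DNS domain and the address ranges are all assumptions chosen for illustration.

```javascript
// Added example, not from the thread or from Cisco: a PAC file for the
// "explicit proxy settings on the client" option. The WSA hostname, its
// listening port (3128) and the internal address ranges/domain are assumptions.

// Fail closed on purpose: no "; DIRECT" fallback after the proxy. With a
// fallback, an unreachable WSA would silently turn into unfiltered browsing.
var WSA_PROXY = "PROXY wsa.corp.example.com:3128";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names ("intranet") only resolve internally: go direct.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // The internal DNS domain (assumed): go direct.
  if (dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }
  // RFC 1918 destinations: go direct. The real isInNet resolves hostnames
  // before comparing; the shim below only understands IP literals.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else leaves through the WSA.
  return WSA_PROXY;
}

// Shims for the PAC built-ins so the file can be exercised in Node.
// A browser's PAC engine defines these itself; the typeof guards are meant
// to leave the engine's versions in place so the same file can be deployed.
var isPlainHostName, dnsDomainIs, isInNet;

if (typeof isPlainHostName !== "function") {
  isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof dnsDomainIs !== "function") {
  dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isInNet !== "function") {
  // Parse a dotted quad into a 32-bit number; null for anything else.
  var ipToInt = function (s) {
    var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
    if (m === null) {
      return null;
    }
    var n = 0;
    for (var i = 1; i <= 4; i++) {
      var octet = parseInt(m[i], 10);
      if (octet > 255) {
        return null;
      }
      n = n * 256 + octet;
    }
    return n;
  };
  isInNet = function (host, pattern, mask) {
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) {
      return false;
    }
    // Bitwise ops coerce both sides to int32 the same way, so this is sound.
    return (h & m) === (p & m);
  };
}
```

Two points a practitioner would want alongside this. First, the proxy string deliberately has no "; DIRECT" fallback: browsers walk the list in order, so a fallback would mean that a down or unreachable WSA turns into unfiltered browsing rather than an outage. Second, an explicit proxy is enforced by the client, so a user who clears the proxy setting bypasses the WSA entirely; the firewall in the path should permit outbound web traffic only from the WSA's own address so that such traffic is dropped rather than forwarded.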

Thanks for the reply. I just saw a portion of the WSA PDF guide saying it can be deployed in inline mode, with P1 directed to the internal network and P2 to the internet.

Yep, I just looked at that... and sent in a doc bug asking for that to be cleaned up and clarified.

The latest version doesn't use the word "in-line", but I understand how the inference can be made...

You could use one for the inside net, and one for the DMZ, for example.

Ken

I'm a little new to this, so please bear with me...

So, does the Ironport go inside or outside of the firewall? When inside traffic from the firewall is WCCP-redirected to the Ironport, the Ironport inspects it, and if it passes, sends it on to the Internet, right?

Our network currently has the Ironport connected to the core router. Ironport in/out traffic is through one interface. Traffic goes from the core, to the firewall, redirected to the Ironport (through the core), back through the core, back to the firewall, and then outside. That just doesn't seem very efficient.

I'm thinking the path should be this: core to the firewall, firewall to Ironport (P1), Ironport to firewall (P2), and then out to Internet.

Is this a correct assumption?


Brian,

So, where you put the WSA depends on what you're doing the WCCP on, and how much hair pulling you want to do.

Some gear requires certain configs (e.g., an ASA doing WCCP requires the WSA to be reachable via the port that's doing the WCCP).

Your understanding of the process is correct.

Most firewalls don't have the extra ports to do separate connections from the firewall to the Ironport, plus firewalls tend to want rules to move traffic on those ports, so it gets to be an admin nightmare...

I didn't put it all on my core router; I put the firewall, the WSA and the internet-bound port of the router on one VLAN on our core switch... And while how you stated it seems inefficient, it's not that big of a deal...

Ken

Ok, that's how we're currently doing it, since we have a 5540 with only 4 gig interfaces. The WSA data in/out and management traffic is on one interface, connected to the core. The firewall is connected to another port on the core. Both of these ports are switchports on the same VLAN. I was just curious about bandwidth utilization being improved by splitting up the data traffic across P1 and P2. Thanks!