High Availability

Kelvin Willacey
Level 4

Hi, does anyone know if there is currently any high availability solution for the WSA? That is, I can deploy two devices and when one fails the other takes over. Thanks.

2 Replies

mark.dorsey
Level 1

The IronPort does not offer the same "Failover" that is built into the BlueCoat product (if you are familiar with that one), so a couple of options could be to either use a load balancer or a PAC file to perform that function.  I currently use a PAC file with a return statement of "PROXY x.x.x.x:8080; PROXY x.x.x.x:8080"; in order to accomplish a poor man's fail-over.  It is not a great solution in that the user's browser has to time out in order to utilize the second proxy, and there are some caching issues as well... once that time-out occurs the browser must be restarted in order to utilize and/or attempt to utilize the first proxy again.  There are some custom options for setting IE to not cache in that manner... if you want to tinker under the hood at the registry level.  In addition, for systems that can't utilize a PAC file I have a DNS record that round-robins the two proxy IPs... but this has its own caveats as well.  Hope that helps!
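
An added example (not part of the original post, and not Cisco's code) of a PAC file built around the ordered two-proxy return value described above. The proxy addresses are constructed placeholders, and the per-host ordering and the direct rule for single-label hosts are assumptions that go beyond the post.

```javascript
// Constructed addresses (RFC 5737 documentation range); 8080 is the port from the post.
var PROXY_A = "PROXY 192.0.2.10:8080";
var PROXY_B = "PROXY 192.0.2.11:8080";

// Small deterministic string hash, so a given host always gets the same proxy order.
function hostHash(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Assumed local policy: single-label names and loopback bypass the proxy.
  if (host.indexOf(".") === -1 || host === "127.0.0.1") {
    return "DIRECT";
  }

  // The browser tries entries left to right; the second entry is used only
  // after the first one fails to answer. Choosing the order per host spreads
  // load across both proxies while keeping the failover behaviour.
  var first = hostHash(host) % 2 === 0 ? PROXY_A : PROXY_B;
  var second = first === PROXY_A ? PROXY_B : PROXY_A;

  // No trailing "DIRECT": if both proxies are down, requests fail instead of
  // silently leaving the filtered path.
  return first + "; " + second;
}
```

Leaving out a final `DIRECT` entry is a policy choice: it trades availability during a double outage for the guarantee that web traffic never skips the proxy.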

ana.peric
Level 1

Hi All,

Actually, here is how you could achieve high availability if you use WSA boxes as transparent proxies:

1. Using WCCP as the transparent redirection method - If you have a Cisco (or WCCP-enabled) router, you could deploy 2 WSAs in different WCCP clusters (service groups) and make an active-passive WSA design.

WSA-1 -------

                    wccp router  --fa0/0------- clients

WSA-2 -------

Take a look at the small diagram above.

If we suppose your clients' traffic is flowing to the WCCP router's interface fa0/0, and the WSAs are logically connected to the router as described:

1. Configure ip wccp group X and Y on the router.

ip wccp v2

ip wccp redirect-list

ip wccp redirect-list

!

ip access-list e

deny something you do not want to send to WSA's

permit tcp any eq www

permit tcp any eq 443

2. Configure WCCP group X (primary group) on WSA-1, with a router ID that equals some WCCP loopback on the WCCP router (a loopback is the best option because it is always reachable).

3. Configure WCCP group Y (secondary WCCP service group) on WSA-2, with a router ID that equals some WCCP loopback on the router.

4. The key point is the configuration of WCCP redirection on the router's interface:

int fa0/0

ip wccp redirect in

ip wccp redirect in

!

So what happens here: as long as the WCCP service group with the higher WCCP priority has WCCP cache engines active, traffic will be redirected to the primary WSA-1.

If WSA-1 is not reachable (and thus the primary WCCP group has no WCCP cache engines active), users' traffic will be redirected to the WSA-2 cache engine that belongs to the secondary WCCP group with lower WCCP priority.

If you want the whole router config, I could send it to you...

2. Method - Transparent redirection with PBR

Use policy-based routing...

Set ip next-hop primaryIP and after that ip next-hop secondaryIP...

I hope I helped you...

If I was not clear (and this is most likely, since I'm working 12h now), please tell me, I'll try to be more "understandable".

Cheers,
Ana