IronPort design and load balance

Carlos Morais
Level 1

I'm about to start a new project involving IronPort Web Security appliances. I have two S370 appliances and a couple of doubts regarding architecture and load balancing and I would like your help to clarify them. I'm sending a visio file (and also a jpeg image, just in case) attached with the current architecture and the desired position for the S370 appliances.

90% of the users will work with explicit proxy, but there are a few machines that aren't proxy aware, so it will be necessary to also use transparent proxy for these cases (http, https and ftp).

And my doubts are:

- Can I use WCCP redirection ingress in the VLAN X on the 6500 in order to get transparent proxy to work or are there any limitations?

- What is the best way to load balance the two proxies? Is it better to use WCCP or PAC file? I can also put the S370 appliances behind the CSM and redirect the traffic to proxies' virtual IP...

Thanks for your help.

Best regards,

Carlos

Accepted Solution

Hey Carlos,

Yes, I believe you can put it on the ingress on VLAN X, but do you want to?  Is the pipe between the 6500 and the ASA a separate VLAN? and wouldn't you rather put it there?  or on Egress from the 6500?  I'd put the WCCP as close to the internet exit as possible, so that the traffic that isn't bound for the internet doesn't get fed to the WSAs... 

As far as load balancing goes, you'll have to do both WCCP and PAC file, since you have users that are both transparent (WCCP) and using proxy config...

I'm not sure how happy WCCP is going through the CSM, and that's just one complication that I'd skip completely if you can... 

Ken
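As an added example (not code from Ken or from this thread), here is a PAC file of the kind Ken's reply calls for on the explicit-proxy side: it pins each destination host to one of the two WSAs so both appliances share the load, lists the other appliance as fallback, and keeps internal traffic off the proxies. The proxy addresses and the internal domain suffix are placeholders.

```javascript
// Added example: PAC file load-balancing explicit-proxy users across two WSAs.
// Placeholder addresses; substitute the real S370 management/proxy IPs and port.
var WSA1 = "PROXY 10.0.0.11:3128";
var WSA2 = "PROXY 10.0.0.12:3128";
var INTERNAL_SUFFIX = ".example.corp"; // placeholder internal domain

// Deterministic string hash: the same host always maps to the same appliance,
// so a site keeps one path (helpful for sessions and for cache locality).
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) & 0x7fffffff;
  }
  return h;
}

// Suffix test written with substring() because older PAC engines lack endsWith().
function hasSuffix(host, suffix) {
  return host.length >= suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames and the internal domain go direct, so the WSAs only see
  // Internet-bound traffic (the same idea Ken applies to WCCP placement).
  if (host.indexOf(".") === -1 || hasSuffix(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // Alternate the primary/secondary order per host: if one appliance is down
  // the browser falls back to the other, and load splits roughly in half.
  if (hashHost(host) % 2 === 0) {
    return WSA1 + "; " + WSA2;
  }
  return WSA2 + "; " + WSA1;
}
```

Browsers apply the returned list in order, so a failed appliance only costs the first connection attempt before the fallback is used.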


6 Replies

Hi, Ken.

Thanks for your answer and sorry for taking so long to get back to you. I'll take your guidelines into consideration... but I just have one additional doubt:

"The only topology that the ASA supports is when client and cache engine are behind the same interface of the ASA and the cache engine can directly communicate with the client, without going through the ASA."

(http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_wccp.html#wp1135991)

So, assuming that I'm going to apply WCCP Redirect in the ASA, I'm still going to have a problem because although clients and IronPort appliances will be behind interface "Inside" of the ASA, they will be placed in different VLANs/subinterfaces, right?

Thank you,

Best regards,

Carlos Morais

No, you'll be fine... the section that you quoted is the salient point...  You can subnet/route/etc behind the ASA, you just can't have the traffic between the client and the WSA have to go THROUGH the ASA (e.g., no putting the WSA on the DMZ interface, and clients on the inside interface...)

Ken

Ok, thanks!

But (because I didn't explain myself very well - the question was not related to the diagram above), even if the ASA is responsible for routing traffic between the client's subinterface and IronPort's subinterface (both behind the "Inside" interface) I won't have any problem regarding WCCP redirection, right?

Best regards,

Carlos Morais

You mean that you're using the ASA as a router for the 2 vlans?  You may have issues with that... at that point, the traffic between the VLANs is going "through the ASA" and it may not work...

Exactly, that was what I was afraid of. I'm not using the ASA for routing traffic between the (client and IronPort appliance) VLANs now, but I may use it in the future and I just wanted to clarify this.

Thanks for your help!

Best regards,

Carlos Morais