
LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

Sekou DIOMANDE
Level 1

Hello everyone,
We have purchased three WSAs for the proxification of internet traffic.
In our infrastructure, we also have load balancers for distribution of traffic on our servers.
In order to make the most of the capacity of our new WSAs, we would like to distribute the load across the three via the load balancer.

Is that possible? What measures should we take to achieve this?

Thank you in advance.

1 Accepted Solution


Hi Handy,

"If you want more granular control and more options on how you do load balancing to multiple WSAs, recommend to use a load balancing device such as F5, etc."

That's exactly what I plan to do and I conclude that this is indeed possible.

Thank you all for your help.

7 Replies

What sort of redirection of traffic are you going to use? Transparent (WCCP) or Explicit.

And if explicit, are you going to use a PAC file?



Hi Ken

I'm going to use explicit proxy with PAC.

However, if you have a different approach, I'd be glad if you shared it with me.

Thanks

Hi All,
Help please.

Hi, if you are using a PAC file for explicit mode, the PAC file can do some sort of load balancing as well (even though it is not granular and is limited).

You can search the net for how to do load balancing using a PAC file.

Some examples of this:

When using PAC file, the load balancing becomes easier if the network is distinctly divided into subnets. If the network is divided in to subnets then all the odd subnets can be set to go through the first proxy and all the odd subnets to go through the second proxy. The following is an example PAC file that allows load balancing based on source subnet.
Load Balance Based on Source Address:

    function FindProxyForURL(url, host)
    {
        // First group: proxy1 is primary, proxy2 is the failover
        if (isInNet(myIpAddress(), "1.1.1.1", "255.255.255.0") || isInNet(host, "3.3.3.3", "255.255.255.0"))
        {
            return "PROXY proxy1:80;PROXY proxy2:80;DIRECT";
        }
        // Second group: proxy2 is primary, proxy1 is the failover
        else if (isInNet(myIpAddress(), "2.2.2.2", "255.255.255.0") || isInNet(host, "4.4.4.4", "255.255.255.0"))
        {
            return "PROXY proxy2:80;PROXY proxy1:80;DIRECT";
        }
        // Everything else bypasses the proxies
        else
        {
            return "DIRECT";
        }
    }

Load Balance Based on Destination Address:

    function FindProxyForURL(url, host)
    {
        // Destinations in the first group: proxy1 is primary, proxy2 is the failover
        if (isInNet(host, "1.1.1.1", "255.255.255.0") || isInNet(host, "3.3.3.3", "255.255.255.0"))
        {
            return "PROXY proxy1:80;PROXY proxy2:80;DIRECT";
        }
        // Destinations in the second group: proxy2 is primary, proxy1 is the failover
        else if (isInNet(host, "2.2.2.2", "255.255.255.0") || isInNet(host, "4.4.4.4", "255.255.255.0"))
        {
            return "PROXY proxy2:80;PROXY proxy1:80;DIRECT";
        }
        // Everything else bypasses the proxies
        else
        {
            return "DIRECT";
        }
    }

Also, we do have an article with some example PAC scripting that you can use, and at the bottom of the article we have another example of load balancing using a PAC file with a simple Math function:

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118076-configure-wsa-00.html

Using WCCP will also do load balancing. WCCP (Web Cache Communication Protocol) is the other option for load balancing with multiple WSAs. When setting up WCCP on the WSA, it gives the end user the option to load balance based on the source IP address or the destination IP address. For more information on this, please refer to the user guide.
Apart from this, Access Lists can also be configured on the WCCP device to load balance based on the source IP address or the destination IP address.

If you want more granular control and more options on how you do load balancing to multiple WSAs, recommend to use a load balancing device such as F5, etc.

Note: The HA (High Availability) option in WSA is not a load balancing method and not intended for load balancing since this is intended for failover of active-standby and not sharing the traffic load at the same time.

Hope this helps.

Handy Putra
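
The subnet-based PAC approach described in the reply above, extended to the three WSAs from the original question. This is an added example, not code from the poster or from the linked Cisco article: the client's third octet selects the primary proxy, the remaining WSAs follow as failover, and DIRECT is left out unless requested, so clients cannot bypass the proxies when all of them are down. The name proxy3 and all helper function names are assumptions.

```javascript
// PAC engines often run old JavaScript dialects, so this sticks to var and plain loops.
var PROXIES = ["proxy1:80", "proxy2:80", "proxy3:80"]; // proxy3: assumed third WSA

// Dotted-quad IPv4 string -> array of four octets, or null if it is not valid IPv4.
function parseIPv4(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var octets = [];
  for (var i = 1; i <= 4; i++) {
    var o = parseInt(m[i], 10);
    if (o > 255) return null;
    octets.push(o);
  }
  return octets;
}

// Index of the primary proxy: third octet (the /24 subnet number) modulo pool size.
// Loopback or unparsable results from myIpAddress() map to index 0, so the
// client is still sent through a proxy instead of falling out of the policy.
function primaryIndex(clientIp) {
  var o = parseIPv4(clientIp);
  if (o === null || o[0] === 127) return 0;
  return o[2] % PROXIES.length;
}

// Ordered chain: primary first, remaining WSAs as failover.
// DIRECT is appended only when failOpen is true.
function proxyChain(clientIp, failOpen) {
  var start = primaryIndex(clientIp), parts = [];
  for (var i = 0; i < PROXIES.length; i++) {
    parts.push("PROXY " + PROXIES[(start + i) % PROXIES.length]);
  }
  if (failOpen) parts.push("DIRECT");
  return parts.join("; ");
}

// Entry point called by the browser; myIpAddress() is supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  return proxyChain(myIpAddress(), false);
}

// Offline check: how many of the given clients get each WSA as their primary.
function primaryCounts(clientIps) {
  var counts = [];
  for (var p = 0; p < PROXIES.length; p++) counts.push(0);
  for (var i = 0; i < clientIps.length; i++) counts[primaryIndex(clientIps[i])]++;
  return counts;
}
```

Running primaryCounts over an export of real client addresses before rollout shows whether the subnet numbering actually spreads load evenly across the three appliances.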


The others have answered this with more detail than I would have. I will say that I prefer transparent redirection with WCCP...


sadik.sener1
Level 1

Hi Sekou,

I would recommend using the native High Availability option in WSA.

If you don't, you would need some tricks to get Kerberos working.

It will always work with NTLM authentication, using a load balancer or the WSA native High Availability feature.

For a load balancer mechanism to work, you would also need your LB to be the default gateway of your proxies. (Otherwise you would need source address translation on the LB, which ends up with the WSA seeing a single client IP address.)

Are you going to create policies according to domain groups?

Sadik