cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
210
Views
0
Helpful
7
Replies
Highlighted
Beginner

LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

Hello everyone,
We have purchased three WSAs for the proxification of internet traffic.
In our infrastructure, we also have load balancers for distribution of traffic on our servers.
In order to be able to use the most of the capacity of our new WSA, we would like to do the load distribution on the three via the loadbalancer.


That is possible ?? what disposition should we take to achieve this?

Thank you in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Re: LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

Hi Handy,

"If you want more granular control and more options on how you do load balancing to mutliple WSAs, recommend to use a load balancing device such as F5, etc."

That's exactly what I plan to do and I conclude that this is indeed possible.

Thank you all for your help.

 

7 REPLIES 7
Collaborator

Re: LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

What sort of redirection of traffic are you going to use? Transparent (WCCP) or Explicit.

And if explicit arr you going to use a PAC file?



Beginner

Re: LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

Hi Ken

I'm going to use explict proxy with PAC.

However, if you have a different approach, I'll be glad you share it with me.

 

Thank's

 

Beginner

Re: LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

Hi All,
Help please.
Cisco Employee

Re: LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

Hi, if you are using PAC file as explicit, PAC can do some sort of load balancing as well (eventhough not granular and limited).

 

You can search from the net on how to do load balancing using PAC file.

 

Some example on this:

When using PAC file, the load balancing becomes easier if the network is distinctly divided into subnets. If the network is divided in to subnets then all the odd subnets can be set to go through the first proxy and all the odd subnets to go through the second proxy. The following is an example PAC file that allows load balancing based on source subnet.
Load Balance Based on Source Address:
function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "1.1.1.1", "255.255.255.0") || isInNet(host, "3.3.3.3", "255.255.255.0"))
{
return "PROXY proxy1:80;PROXY proxy2:80;DIRECT”;
}
else if(isInNet(myIpAddress(), "2.2.2.2", "255.255.255.0") || isInNet(host, "4.4.4.4", "255.255.255.0"))
{
return "PROXY proxy2:80;PROXY proxy1:80;DIRECT”;
}
else
{
return “DIRECT”;
}
}
Load Balance Based on Destination Address:
function FindProxyForURL(url, host)
{
if (isInNet(host, "1.1.1.1", "255.255.255.0") || isInNet(host, "3.3.3.3", "255.255.255.0"))
{
return "PROXY proxy1:80;PROXY proxy2:80;DIRECT”;
}
else if(isInNet(host, "2.2.2.2", "255.255.255.0") || isInNet(host, "4.4.4.4", "255.255.255.0"))
{
return "PROXY proxy2:80;PROXY proxy1:80;DIRECT”;
}
else
{
return “DIRECT”;
}
}

 

Also, we do have article for some example PAC scripting that you can use and at the bottom of the article we do have other example for load balancing using PAC file with a simple Math function:

 

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118076-configure-wsa-00.html

 

Using WCCP will also do load balancing, WCCP (Web Cache Communication Protocol) is the other option for load balancing with multiple WSAs. When setting up the WCCP on the WSA it gives the end user the options to load balance based on the source IP address or the destination IP address. For more information on this please refer to the user guide.
Apart from this, Access Lists can also be configured on the WCCP device to load balance based on the source IP address or the destination IP address.

 

If you want more granular control and more options on how you do load balancing to mutliple WSAs, recommend to use a load balancing device such as F5, etc.

 

Note: The HA (High Availability) option in WSA is not a load balancing method and not intended for load balancing since this is intended for failover of active-standby and not sharing the traffic load at the same time.

 

Hope this helps.

Handy Putra

Beginner

Re: LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

Hi Handy,

"If you want more granular control and more options on how you do load balancing to mutliple WSAs, recommend to use a load balancing device such as F5, etc."

That's exactly what I plan to do and I conclude that this is indeed possible.

Thank you all for your help.

 

Collaborator

Re: LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

The others have answered this with more detail than I would have. I will say that I prefer transparent redirection with WCCP...


Beginner

Re: LOAD BALANCE PROXY TRAFFIC ON WSA VIA EXTERNAL LOAD BALANCER

Hi Sekou,

 

I would recommend using the  native High Availability option in WSA. 

If you don't you would need some tricks to get Kerberos working. 

It will always work with NTLM authentication, using load balancer or WSA native High Availability feature.

 

For a load balancer mechanism to work, you also would need your LB to be the default gateway of your proxies. (Otherwise you would need source address translation on LB, which ends up seeing a single client ip address on WSA)

 

Are you going to create policies according to domain groups?

Sadik