Passing WCCP through transparent FTD to ASA

tahscolony (Level 1)

This might sound strange, but it's an interim setup. I have a pair of 3120s in a multi-instance setup; one instance is a transparent FTD to replace 7125 Firepowers in inline mode. I have the first instance set up on the outside interface of the firewall (ASA): one interface to the public VLAN, the other to the outside interface on the ASA. This works well, passing traffic just fine, blocking what it should, and inspecting malware and URLs. The problem comes into play when I try to plug an inline pair in between the inside interface and our internal network. Tunnels to the WSA, which is doing WCCP web-cache and 70, are failing. No one can get to the internet unless they are bound to the proxy via the browser settings. So apparently WCCP is being blocked, but not logged.

I removed the second inline pair and plan to create a second instance for inside IPS, malware, URL, etc., since we have outside vendors that FTP to an internal server on a DMZ. Better to be safe than sorry, and it keeps an eye on what's going on internally.

How do I set up the policy to allow the WCCP tunnels between the ASA and the IronPort to work? This apparently is where it is failing, between the ASA and the WSA. Traffic from an end user hits the firewall, port 443 redirects via WCCP to the IronPort, which authenticates the user, and then proxies via the ASA to the client. For anything to reach the ASA from the inside it must go through the FTD, which is in transparent IPS mode. Do I need to set something up to stop the FTD from doing anything with the connection between the ASA and the WSA?

I have a TAC case open, and the engineer tried to create a FlexConfig, but wound up causing a stuck configuration that he now needs to get cleaned up. I removed the second inline pair and any connections it had.

0 Replies
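The post describes an inline transparent IPS sitting in the path between the ASA (the WCCP router) and the WSA (the WCCP cache). Two kinds of traffic make up that relationship and both must survive the IPS untouched: the WCCPv2 control exchange (HERE_I_AM / I_SEE_YOU / REDIRECT_ASSIGN on UDP port 2048) and the GRE-encapsulated (IP protocol 47) client traffic the ASA redirects to the WSA. The following Python is an added example, not code from the post or from Cisco; it classifies constructed flow records into those roles so an engineer can confirm which flows an IPS policy between the two devices must permit, and which flows are ordinary client traffic that should still be inspected. The ASA address 192.0.2.1 and WSA address 192.0.2.10, and the sample flow records, are constructed placeholders; the example assumes GRE redirection (the "tunnels" the post mentions) rather than L2 redirection.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers and the WCCPv2 control port (protocol facts, not from the post).
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
WCCP_CONTROL_PORT = 2048

# Constructed placeholder addresses for the two WCCP peers (assumed, not from the post).
ASA_IP = "192.0.2.1"
WSA_IP = "192.0.2.10"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for protocols without ports (GRE)
    dport: Optional[int] = None


def wccp_role(flow: Flow, asa_ip: str, wsa_ip: str) -> Optional[str]:
    """Classify a flow's part in the WCCP relationship between ASA and WSA.

    Returns 'control' for the UDP/2048 keepalive and assignment exchange,
    'redirect' for GRE from the ASA carrying redirected client traffic,
    'return' for GRE from the WSA back to the ASA, or None for anything else
    (including client traffic the IPS should keep inspecting).
    """
    if {flow.src, flow.dst} != {asa_ip, wsa_ip}:
        return None
    if flow.proto == PROTO_UDP and WCCP_CONTROL_PORT in (flow.sport, flow.dport):
        return "control"
    if flow.proto == PROTO_GRE:
        return "redirect" if flow.src == asa_ip else "return"
    return None


def parse_flows(text: str) -> List[Flow]:
    """Parse constructed flow records of the form 'src dst proto [sport dport]'."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed records
        src, dst, proto = parts[0], parts[1], int(parts[2])
        sport = int(parts[3]) if len(parts) > 3 else None
        dport = int(parts[4]) if len(parts) > 4 else None
        flows.append(Flow(src, dst, proto, sport, dport))
    return flows


def wccp_flows_to_trust(flows: List[Flow], asa_ip: str, wsa_ip: str) -> List[Tuple[Flow, str]]:
    """Return the (flow, role) pairs an inline IPS between ASA and WSA must pass untouched."""
    result = []
    for f in flows:
        role = wccp_role(f, asa_ip, wsa_ip)
        if role is not None:
            result.append((f, role))
    return result


def required_permits(flows: List[Flow], asa_ip: str, wsa_ip: str) -> List[Tuple[str, Optional[int]]]:
    """Summarise the distinct (protocol, port) pairs a permit rule must cover."""
    names = {PROTO_UDP: "udp", PROTO_GRE: "gre", PROTO_TCP: "tcp"}
    pairs = set()
    for f, role in wccp_flows_to_trust(flows, asa_ip, wsa_ip):
        port = WCCP_CONTROL_PORT if role == "control" else None
        pairs.add((names[f.proto], port))
    return sorted(pairs, key=lambda p: (p[0], p[1] or 0))


# Constructed sample flow records: WCCP control both ways, GRE both ways,
# a client's direct HTTPS flow, and the WSA's own upstream HTTPS flow.
SAMPLE_FLOWS = """\
192.0.2.1 192.0.2.10 17 2048 2048
192.0.2.10 192.0.2.1 17 2048 2048
192.0.2.1 192.0.2.10 47
192.0.2.10 192.0.2.1 47
10.1.1.25 203.0.113.7 6 51514 443
192.0.2.10 203.0.113.7 6 40001 443
"""

if __name__ == "__main__":
    for flow, role in wccp_flows_to_trust(parse_flows(SAMPLE_FLOWS), ASA_IP, WSA_IP):
        print(f"{role:8s} {flow.src} -> {flow.dst} proto {flow.proto}")
    print("permit:", required_permits(parse_flows(SAMPLE_FLOWS), ASA_IP, WSA_IP))
```

Run against the constructed records, only the four ASA-to-WSA and WSA-to-WSA-peer flows are classified; the client's HTTPS session and the WSA's own outbound proxy connection are left for normal inspection. The same classifier can be pointed at exported connection events from the inline device: if UDP/2048 and GRE between the two peers never appear in those events while the WCCP service group still fails, that absence is itself the symptom the post describes (dropped but not logged), and is the first thing to check before changing policy.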