
Route to WSA based on destination

Ahmed Hassabo
Level 1

Dear

I need to purchase two IronPort boxes, one for the ADSL line and a second for the leased line.

My aim is that when a user opens a business site it goes through the leased line, and when they open a non-business site it goes to ADSL.

I need a solution to achieve this.

And can I predefine the business and non-business sites?

6 Replies

Michael Hautekeete
Cisco Employee

Hello,

Unfortunately the WSA cannot control which requests get sent to it, it simply listens for traffic coming to its interface on specific ports (80, 3128, 21, 443). When it comes to specific URLs being routed to one WSA or another it will require that you have a device that can inspect the traffic at Layer 4 (HTTP/HTTPS/FTP) and make a routing decision based on the URI in the HTTP header.

You could add a 3rd WSA to route the traffic using an upstream proxy configuration. You would use proxy groups and routing policies to match Custom URL categories or predefined URL categories to send to one of the two upstream proxies.

Other than adding an additional device to route the traffic, you could look into policy-based routing or using multiple WCCP services (one for each WSA) and creating an ACL to match the business sites' IP addresses vs the non-business sites. This could become an issue as most websites use dynamic IP schemes.

Hope this helps.

Best Regards,

Michael Hautekeete

Customer Support Engineer

Cisco Content Security - Web Security Appliance

http://www.cisco.com/en/US/products/ps11169/serv_group_home.html

https://supportforums.cisco.com/community/netpro/security/web

https://supportforums.cisco.com/community/feeds?community=2091

One other method I wanted to mention was the use of a PAC or WPAD file. These types of files would allow you to configure statements to match domains and send to a specific WSA. The WSA also has the ability to host these files if you do not have a better method of hosting them (i.e. DNS).

Best Regards,

Michael Hautekeete

Dear

You mean in the 1st point that I can purchase 3 WSAs and make one the primary and the 2nd and 3rd upstream proxies,

and I can route based on URL category, for example the business category routed through the 2nd WSA and the non-business category routed via the 3rd WSA? And in this case the user will use the primary proxy in the Internet browser settings?

Yes, you could either use an explicit setting (browser config/PAC/WPAD) or transparent (WCCP/PBR) to point to the first proxy and then the first proxy will route based on category to one of the two upstream proxies based on your policy configuration.

Best Regards,

Michael Hautekeete

In this configuration can I achieve failover or load balancing?

Depending on what DR requirements you have, for load balancing/failover you would probably need 6 appliances total. 2 for the main proxy to either loadbalance with WCCP/physical load balancer or to have a backup in case of failover, and then the possibility of needing a backup for each of the upstream proxies.

The WSAs are in active/active mode and will require the failover be set up in whatever mechanism you are using to direct traffic to them (PAC/WPAD, load balancer, firewall, router, etc.).
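
Added example, not part of the original thread and not Cisco-supplied code: a PAC file sketch covering the two points raised above, matching domains to a specific WSA and putting failover in the PAC itself. The proxy hostnames and the business domain list are constructed placeholders; port 3128 is one of the WSA listening ports named in the thread, and letting business traffic fall back to the ADSL WSA (but not the reverse) is an assumed policy.

```javascript
// Constructed placeholders: replace with the real WSA addresses and site list.
var WSA_LEASED = "wsa-leased.example.internal:3128"; // WSA behind the leased line
var WSA_ADSL = "wsa-adsl.example.internal:3128";     // WSA behind the ADSL line
var BUSINESS_DOMAINS = ["erp.example.com", "partner.example.net"];

// True when host equals domain or is a subdomain of it. Comparing on a label
// boundary keeps "noterp.example.com" from being routed as "erp.example.com",
// which a plain substring or suffix test would allow.
function hostInDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case, drop trailing dot
  domain = domain.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// True when host belongs to any predefined business domain.
function isBusinessHost(host) {
  for (var i = 0; i < BUSINESS_DOMAINS.length; i++) {
    if (hostInDomain(host, BUSINESS_DOMAINS[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isBusinessHost(host)) {
    // Proxies are tried left to right, so the ADSL WSA is used only when
    // the leased-line WSA does not answer (assumed failover policy).
    return "PROXY " + WSA_LEASED + "; PROXY " + WSA_ADSL;
  }
  // Non-business traffic never falls back onto the leased line.
  return "PROXY " + WSA_ADSL;
}
```

Because the match is made on the hostname only, this splits traffic per site rather than per URL category; category-based routing still needs the upstream proxy setup described earlier in the thread.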