I have two S370s on their way. Does anyone know if there is built-in HA or some type of redundant setup? I only have one main campus and everyone uses the same Internet pipe. I want to have an active/standby setup if possible.
Any advice/comments are appreciated.
Thanks in advance,
Meanwhile, you probably found out yourself that load balancing WSAs is done either by proxy.pac or by WCCP.
There is some advice in the documentation.
The most common HA deployment we see here at Cisco IronPort is WCCP. Note that WCCP can be a pain to get working properly depending on your existing infrastructure and which devices you're using as the WCCP router.
For example, WCCP on the ASA will only work if both the clients and the web cache (WSA) exist on the same interface; you can't have the WSA off of a 3rd leg.
You can perform WCCP redirect with either a router, Layer 3 switch, or ASA/PIX. Since the setups are heavily environment-specific, we always recommend that the Sales Engineering team assist in planning, deployment, and configuration of WCCP.
We do have a few KB articles which can help shed some light on how WCCP is configured and some common questions about it:
http://tinyurl.com/58rqk2 : Overview and various tidbits of info
http://tinyurl.com/362kgd3 : WCCP router config
http://tinyurl.com/6humz5 : How to NOT redirect local servers
http://tinyurl.com/dcpuxk : Config Examples for Catalyst switches running WCCP
You can also use a .pac file for deploying load balancing, but I'm not personally too familiar with the benefit / risk from it. I have seen in the past where certain browsers interpret the same .pac file differently and it can be difficult to troubleshoot why. For example, IE 6 and IE 7 don't properly send certain local servers direct (bypass proxy), but IE 8 and FF do. It's typically a rare occurrence, but I've seen it happen a few times before.
Chapter 5-19 in the WSA 7.1 User Guide has information on .pac files and various deployments.
The .pac script below has been recommended in the past. It supports load balancing and redundancy. I can't really get into the specifics of modifying it for your needs, since we don't write pac scripts in support (most of the Sales Engineer team can assist with this), but I wanted to provide it as an example:
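    function FindProxyForURL(url, host) {
        // The opening "if" and the return lines of several branches did not
        // survive on this page. Those branches return "DIRECT" here, an
        // assumption based on the description that follows the script.
        if (shExpMatch(host, "ssl.ironport.com"))
            return "PROXY 10.0.89.20:80";
        else if (shExpMatch(host, "*.ironport.com"))
            return "DIRECT";
        else if (shExpMatch(host, "10.*"))
            return "DIRECT";
        else if (shExpMatch(host, "192.168.*"))
            return "DIRECT";
        else if (shExpMatch(host, "127.0.0.1"))
            return "DIRECT";
        else if (shExpMatch(host, "18.104.22.168"))
            return "DIRECT";
        else if (shExpMatch(host, "22.214.171.124"))
            return "DIRECT";
        else if (shExpMatch(host, "gateway.ywremote.co.uk"))
            return "DIRECT";
        else if (shExpMatch(host, "*.virginia.gov"))
            return "PROXY 10.160.59.20:80";
        else return randomProxy();
    }
    // Pick one of the two proxies at random as primary; the other is the fallback.
    function randomProxy() {
        switch (Math.floor(Math.random() * 2)) {
            case 0: return "PROXY 10.0.89.21:80; PROXY 10.0.89.20:80";
            case 1: return "PROXY 10.0.89.20:80; PROXY 10.0.89.21:80";
        }
    }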
In this example there are two proxies defined: 10.0.89.20 and 10.0.89.21. Any occurrence of DIRECT moves to go direct without using a proxy and PROXY x.x.x.x:x means to use that specific proxy. There are some specific declarations to send certain sites to a specific proxy and then a random catch-all to randomize all else.
This pac file supports 2 WSAs. If there were more than that, I would imagine the end of this pac could be modified, but I'm not certain on the specifics.
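An added example, not part of the original post or Cisco's script: one way the end of the .pac file could be generalized from two WSAs to any number, by rotating the proxy list from a random starting point so every proxy appears once in each failover chain. The third address and the names WSA_PROXIES, buildChain and randomProxyN are hypothetical.

```javascript
// Added example: N-proxy version of the randomProxy() idea from the post above.
// Addresses are placeholders; 10.0.89.22 is hypothetical (not from the post).
var WSA_PROXIES = ["10.0.89.20:80", "10.0.89.21:80", "10.0.89.22:80"];

// Build a failover chain that starts at index `start` and wraps around, so
// every proxy appears exactly once and each client has N-1 fallbacks.
// failOpen=true appends DIRECT, which lets clients bypass the WSA (and its
// filtering) when every proxy is unreachable; false keeps them fail-closed.
function buildChain(proxies, start, failOpen) {
    var parts = [];
    for (var i = 0; i < proxies.length; i++) {
        parts.push("PROXY " + proxies[(start + i) % proxies.length]);
    }
    if (failOpen) {
        parts.push("DIRECT");
    }
    return parts.join("; ");
}

// Pick the starting proxy uniformly at random; `rand` is injectable for testing.
function randomProxyN(proxies, rand, failOpen) {
    var r = (rand || Math.random)();
    var start = Math.floor(r * proxies.length);
    return buildChain(proxies, start, failOpen);
}

// Catch-all only; the site-specific rules from the original script would go first.
function FindProxyForURL(url, host) {
    return randomProxyN(WSA_PROXIES, Math.random, false);
}
```

With a two-entry list this produces the same two strings as the original randomProxy().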