We currently use proxy.pac files to load-balance client sessions to one of two WSAs.
The main concern, however, is high availability, not load balancing: upon failure of one WSA, the clients should transparently switch to using the other one without user or administrator intervention.
We're noticing sporadic problems, mostly with HTTPS traffic but with plain HTTP as well.
Some requests just return "server not found" errors that seem to derive from timeouts on the client side (the message is not from the WSA but a standard client error page). While tracking down these problems, the question of the right load-balancing method arose as well.
From your experience:
What is the best method for HA (and load balancing) concerning reliability?
For HA, I think WCCP is the only option.
However, we spent a lot of time trying to get WCCP to work 100%, but there were always some new issues with it... and finally we decided to go for a PAC script instead. Works perfectly.
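For reference, this is the shape of proxy.pac that the original question and the reply above are talking about. It is an added example, not a file from this thread or from Cisco: it spreads sessions across the two WSAs by hashing the destination host and always lists the other WSA as a fallback, so the browser fails over without anyone touching the client. The WSA host names, port 3128 and the .example.internal domain are assumptions.

```javascript
// Added example (not from the thread): a proxy.pac that spreads sessions across
// two WSAs by hashing the destination host and always lists the other WSA as a
// fallback, so the browser retries there on its own if the first one is down.
// wsa1/wsa2.example.internal and port 3128 are assumed placeholder values.
var PROXIES = [
  "PROXY wsa1.example.internal:3128",
  "PROXY wsa2.example.internal:3128"
];

// PAC helpers are normally supplied by the browser; minimal versions are
// defined here so the script also runs under Node for testing.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Deterministic 32-bit hash of the host name: every client sends the same
// destination to the same WSA, which keeps per-site sessions on one proxy.
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

function FindProxyForURL(url, host) {
  // Internal names stay direct; everything else goes through a WSA.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  var primary = hashHost(host) % PROXIES.length;
  var secondary = (primary + 1) % PROXIES.length;
  // No trailing "DIRECT": if both WSAs are down, browsing fails closed
  // instead of silently bypassing the web filter.
  return PROXIES[primary] + "; " + PROXIES[secondary];
}
```

Browsers only move to the second entry after a connection to the first fails, so a WSA that accepts connections but stalls can still produce the client-side timeouts described in the question; most browsers also remember a failed proxy for a while before retrying it.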
I agree with Hallvard. The most common HA deployment we see here at Cisco IronPort is WCCP. Hallvard is also correct that WCCP can be a pain to get working properly, depending on your existing infrastructure and which devices you're using as the WCCP router.
For example, WCCP on the ASA will only work if both the clients and the web cache (WSA) exist on the same interface; you can't have the WSA off a third leg.
You can perform WCCP redirect with either a router, a Layer 3 switch, or an ASA/PIX. Since the setups are heavily environment-specific, we always recommend that the Sales Engineering team assist in planning, deployment, and configuration of WCCP.
We do have a few KB articles which can help shed some light on how WCCP is configured and some common questions about it:
http://tinyurl.com/58rqk2 : Overview and various tidbits of info
http://tinyurl.com/362kgd3 : WCCP router config
http://tinyurl.com/6humz5 : How to NOT redirect local servers
http://tinyurl.com/dcpuxk : Config Examples for Catalyst switches running WCCP
Zoltan, we use WCCP and have no problem here (~7000 users, HA with ASA). We're in the process of implementing HTTPS filtering, so I'm not sure yet how the boxes will react once we turn on the switch. Using the web proxy autodiscovery protocol may open your network to other threats.
The most common issue with running HTTPS on the WSA and redirecting all port 443 traffic is that if there is non-standard HTTPS (HTTP over SSL), the WSA will break the connection. Custom streams over 443 are not supported.
Currently, the WSA only negotiates TLS upstream to the WSA, so any sites that force SSLv3 or SSLv2 will break unless they are in the transparent bypass list.
Thanks for the answers back then.
I assume that the issues with SSLv2/3 have been solved in the meantime.
Currently I'm looking for a clean solution via classical load balancers.
I'd be especially interested in Direct Server Return and XFF headers.
Could anyone share his experience?