
WSA deployment question

Josh Sprang
Level 1

We currently have an inline content filter we are upgrading to a Cisco WSA. I am in the final stages and I have a couple of questions in regards to the deployment of the device. I would like to use WCCP to do this and I have a few questions.

Currently we have four sites all connected via MPLS and Internet at the main site.  All sites have a layer three termination on a 4507 with multiple interface VLANs.  Everything feeds back to the main site ASA cluster for internet. 

My question is can I deploy the WSA cluster at the main site and use WCCP? Can I config WCCP on the ASA for filtering for everything?   In the deployment guides it says that the hosts have to be layer 2 adjacent to the WCCP redirector.  So according to that should I put WCCP on all the 4507 VLAN interfaces back to the WSA at the main site?    

I have not used WCCP and am trying to get an idea of how it all works; the guides are a little confusing to me. Thanks.

2 Replies

Josh,

My question is can I deploy the WSA cluster at the main site and use WCCP? Yes

Can I config WCCP on the ASA for filtering for everything? Yes

In the deployment guides it says that the hosts have to be layer 2 adjacent to the WCCP redirector. So according to that should I put WCCP on all the 4507 VLAN interfaces back to the WSA at the main site? No need to do this, you can just use the WCCP off of the ASA. You DO have to make sure that it's adjacent to the port that you're running the WCCP on (e.g. if it's the inside port, it has to be adjacent to that port; you can't put the WSA in the DMZ).

One way to think about WCCP is a publish/subscribe model. The ASA is publishing, but it doesn't send traffic to anyone unless it has subscribers. You can limit the subscribers with access lists...

A couple of things:

What version ASA are you running?  Pre 8.2 there were some WCCP issues that made it unstable.

How many WSAs do you have? If you have more than 1, you need to add access entries so that outbound traffic from one WSA doesn't get WCCP'd over to the second WSA... (see this article https://ironport.custhelp.com/app/answers/detail/a_id/1603/kw/wccp)

Hope that helps.

Ken
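
A sketch of the ASA side of what the reply above describes, added here as an illustration and not taken from either reply or from the linked guides. The WSA addresses (10.1.1.11, 10.1.1.12), the interface name `inside` and both ACL names are assumptions; it covers only the standard web-cache service (HTTP on port 80).

```text
! Constructed example: 10.1.1.11 and 10.1.1.12 are assumed WSA addresses on the
! inside network; the ACL names are made up for illustration.

! Group-list: only these hosts may join the WCCP service group as web caches.
access-list WSA-SERVERS extended permit ip host 10.1.1.11 any
access-list WSA-SERVERS extended permit ip host 10.1.1.12 any

! Redirect-list: traffic sourced from the WSAs is never redirected, so a request
! one WSA sends out is not handed to the other WSA. All other port 80 traffic is.
access-list WCCP-REDIRECT extended deny ip host 10.1.1.11 any
access-list WCCP-REDIRECT extended deny ip host 10.1.1.12 any
access-list WCCP-REDIRECT extended permit tcp any any eq www

! Enable the web-cache service with both lists, then redirect traffic
! arriving on the inside interface (the WSAs must sit behind this interface).
wccp web-cache redirect-list WCCP-REDIRECT group-list WSA-SERVERS
wccp interface inside web-cache redirect in

! Check that the WSAs registered and that packets are being redirected:
! show wccp
```

Without the group-list, any device that can reach the ASA's WCCP listener could register as a cache and receive user web traffic, so the list of permitted WSAs is a security control as well as a stability one.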

Chetankumar Phulpagare
Cisco Employee

Hi Josh,

Adding to previous answer, you can find detailed steps in

http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_WebSecurityUsingWSADeploymentGuide-Aug2012.pdf

Regards,

Chetan