We are currently looking to move to virtual appliances and in the process simplify our design a bit. In our current layout (explicit forward), we have P1 on the internal network and P2 in the DMZ. We don't like giving our virtual infrastructure access to both internal and DMZ VLANs. My thought is to use a single interface design on the WSA (P1) and place it on our internal network with an outbound-only direct NAT'd connection to the internet.
What is the best practice in this case? If it is one internal interface only, should it be segmented into its own VLAN for any reason? We would normally place it in our server VLAN.
We have a VLAN that's "between" the servers and the firewalls, and put the WSA there...
Since we're using WCCP, and we fail open, we don't NAT it to its own IP externally, so my workstations always look like they're coming from the same IP. There's no reason you couldn't/shouldn't NAT it though...
Not sure there is a Best Practice, as no two networks are the same. However, a good practice would be to have the gateway of last resort, i.e. the firewall, use WCCP to redirect whichever protocols you want the WSA to scan (HTTP, HTTPS, FTP, etc.) to the WSA, then static NAT the WSA to a public IP so all traffic to the net comes up as the WSA.
An upside of this: when you have an incident and need to track down who did what based on the public IP, you will have to know where the destination was, then go through the logs on the WSA to find the internal IP involved, whereas if you were just NATing out to the internet, you won't have those records.
Another upside: if you have servers, or other hosts, that need to bypass the WSA, either permanently or temporarily, you can create a WCCP exemption on the firewall for that host instead of having to write rules on the WSA and hope they work, as they don't always work, as I keep finding out.
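A concrete form of the layout described in this reply (WCCP redirect on the firewall, a WCCP exemption for a bypass host, and a static NAT so the WSA is the only address seen upstream), which also fits the "VLAN between the servers and the firewalls" placement from the earlier reply. This is an added example, not configuration from either poster; it uses Cisco ASA syntax, and every address, object name, the service-group ID 90 and the password are constructed assumptions.

```cisco
! Constructed example: inside network 10.10.0.0/16, WSA P1 at 10.10.30.10 on the
! inside-facing VLAN, public NAT address 203.0.113.10 (documentation range).

! Redirect list: "deny" entries are the WCCP exemptions. The WSA itself is denied
! so its own outbound fetches are never looped back to it; 10.10.20.50 stands in
! for a server that must bypass the proxy (permanently or temporarily).
access-list WCCP-REDIRECT extended deny ip host 10.10.30.10 any
access-list WCCP-REDIRECT extended deny ip host 10.10.20.50 any
! Protocols handed to the WSA for scanning: HTTP and HTTPS from inside hosts.
! Add further permit lines (e.g. eq ftp) for any other protocol the WSA should see.
access-list WCCP-REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list WCCP-REDIRECT extended permit tcp 10.10.0.0 255.255.0.0 any eq https

! Group list: only this appliance is allowed to join the service group.
access-list WCCP-WSA extended permit ip host 10.10.30.10 any

! Dynamic service group 90 (assumed; must match the service ID configured on the
! WSA) with a shared password that must also match the WSA side.
wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-WSA password ChangeMe123
wccp interface inside 90 redirect in

! Static NAT: everything the WSA fetches leaves with one fixed public address,
! so upstream logs show the WSA and the WSA access log holds the client IP.
object network WSA-P1
 host 10.10.30.10
 nat (inside,outside) static 203.0.113.10
```

Two points to check when adapting this: the ASA only redirects traffic to a cache engine reachable through the same interface on which `redirect in` is applied, which is why the WSA sits on an inside-facing VLAN rather than the DMZ; and because the firewall now sees the WSA as the only source of web traffic, incident lookups go public IP plus timestamp in the upstream logs, then the WSA access log for the original client.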
I am not 100% certain you could do this, but maybe have one interface in the Inside for internal host proxy, and another interface in the DMZ for DMZ proxy?