WSA Network Placement Best Practice

Tim Jackson

We are currently looking to move to virtual appliances and in the process simplify our design a bit. In our current layout (explicit forward), we have P1 on the internal network and P2 in the DMZ. We don't like giving our virtual infrastructure access to both internal and DMZ VLANS. My thought is to use a single interface design on the WSA (P1) and place it on our internal network with an outbound only direct NAT'd connection to the internet.

What is the best practice in this case? If it is one internal interface only, should it be segmented into its own VLAN for any reason? We would normally place it in our server VLAN.



5 Replies

Ken Stieers
VIP Advisor

We have a vlan that's "between" the servers and the firewalls, and put the WSA there...

Since we're using WCCP, and we fail open, we don't NAT it to its own IP externally, so my workstations always look like they're coming from the same IP. There's no reason you couldn't/shouldn't NAT it though...


Not sure there is a Best Practice, as no two networks are the same. However, a good practice would be to have the gateway of last resort, i.e. the firewall, use WCCP to redirect whichever protocols you want the WSA to scan (HTTP, HTTPS, FTP, etc.) and redirect all that traffic to the WSA, then static NAT the WSA to a public IP so all traffic to the net comes up as the WSA.

An upside of this: when you have an incident and need to track down who did what based on the public IP, you will have to know where the destination was, then go through the logs on the WSA to find the internal IP involved, whereas if you were just NATting out to the internet, you won't have those records.

Another upside: if you have servers or other hosts that need to bypass the WSA, either permanently or temporarily, you can create a WCCP exemption on the firewall for that host instead of having to write rules on the WSA and hope they work, as they don't always work, as I keep finding out.

I am not 100% certain you could do this, but maybe have one interface on the Inside for internal host proxying, and another interface in the DMZ for DMZ proxying?
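The redirect-plus-static-NAT layout described in the reply above, written out as an added example against a Cisco ASA. This is an illustration, not the poster's own configuration: every address and object name is a constructed placeholder, and it assumes the WSA's P1 interface sits on the ASA's inside interface (ASA WCCP only redirects to a cache engine reachable on the same interface as the clients) and that a dynamic WCCP service numbered 90 is defined on the WSA for HTTPS.

```cisco
! Constructed example values: 10.0.0.0/8 is the internal range, 10.1.2.10 is the
! WSA P1 address, 10.1.5.20 is a server that must bypass the proxy, and
! 203.0.113.10 is the public IP the WSA will be seen as.

! Only the WSA may register with the ASA as a WCCP cache engine.
access-list WCCP-ENGINES extended permit ip host 10.1.2.10 any

! What gets redirected. The deny lines are the per-host exemptions the reply
! mentions; the WSA itself is excluded so its own outbound traffic is not
! looped back to it.
access-list WCCP-REDIRECT extended deny ip host 10.1.2.10 any
access-list WCCP-REDIRECT extended deny ip host 10.1.5.20 any
access-list WCCP-REDIRECT extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list WCCP-REDIRECT extended permit tcp 10.0.0.0 255.0.0.0 any eq https

! web-cache is the well-known WCCP service for TCP/80 only. HTTPS needs a
! dynamic service (90 here, an assumed number) whose ports the WSA advertises;
! the same service number must be configured in the WSA's WCCP settings.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-ENGINES
wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-ENGINES
wccp interface inside web-cache redirect in
wccp interface inside 90 redirect in

! Static NAT so everything the WSA sends to the Internet carries one public IP.
! An external report naming 203.0.113.10 is then resolved by the WSA access
! logs, which record the internal client, destination and time.
object network WSA-P1
 host 10.1.2.10
 nat (inside,outside) static 203.0.113.10
```

Adding or removing a deny line in WCCP-REDIRECT is the "WCCP exemption on the firewall" the reply refers to; the WSA's own policies never see that host's traffic.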

Re: WCCP bypass: I've found that forcing a WCCP restart (kick the proxy, change the WCCP logging level, disable/enable WCCP on the firewall; there may be others) will make it pick up the bypass settings. And recently (since 9.1??) I haven't needed to...

If you do AD authentication with the proxy, whenever you kick the proxy, unless they are using NTLM with IE, they will need to reauthenticate, and Mac users are the WORST when it comes to this! :)

We use CDAs, so the auth happens transparently, and I'm blessed with zero Macs...
