WSA Network Placement?

DamianRC
Level 1

Currently a couple of WSAs sit on the inside network.

A network redesign is underway. Relocating the WSAs to the DMZ has been mentioned. I'm failing to find information in support of this (there's nothing against it either). Why should this be done? Why shouldn't it be done? It isn't like anyone from the internet will access the appliance, but I could be missing something here.


I appreciate the assistance.

8 Replies

It depends on how you get the traffic to the WSA.

If you are using WCCP on the inside interface of an ASA, you CANNOT send the traffic through the firewall to the DMZ to the WSAs. The ASA won't let you.

Also, the WSA has to be joined to your AD if you're using that version of transparent authentication. I wouldn't cut those holes from the DMZ if I didn't have to....

Thank you very much for the insight.

We currently use proxy PAC files to direct web-bound traffic to the WSAs. The WSAs, mind you, are currently on the same segment as the host computers (the network is flat and being redesigned for segmentation).

This really brings the proposed network design into question. In a somewhat interesting approach, the FTDs will be the firewall/routed network core. Below that are distribution/aggregation 93180s. Below that are 2960X access layer switches.

I like the idea of not poking unnecessary holes in the DMZ. But based on the planned topology, where would the WSA be best placed?
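An added example of the PAC approach described above (not code from the thread or from Cisco): a PAC file that sends only internet-bound web traffic to the WSAs in a separate zone and keeps traffic between internal segments direct, so the firewall opening toward the WSA zone only needs to carry proxy traffic. The WSA hostnames wsa1/wsa2.example.local, the proxy port 3128 and the internal domain example.local are assumptions.

```javascript
// Example PAC file (added illustration, not from the thread). Assumed values:
// two WSAs in an "Internet-Services-Zone" listening on 3128, internal domain example.local.
var INTERNAL_DOMAIN = ".example.local";
var PROXIES = "PROXY wsa1.example.local:3128; PROXY wsa2.example.local:3128";

// RFC 1918 ranges as [network, prefix length]; these stay DIRECT.
var PRIVATE_NETS = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

// Parse a dotted-quad literal into a number; -1 if it is not an IPv4 literal.
function ipToInt(ip) {
  var p = ip.split(".");
  if (p.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) return -1;
    n = n * 256 + Number(p[i]);
  }
  return n;
}

// True if ip falls inside net/bits (integer division avoids 32-bit sign issues).
function inCidr(ip, net, bits) {
  var a = ipToInt(ip), b = ipToInt(net);
  if (a < 0 || b < 0) return false;
  var div = Math.pow(2, 32 - bits);
  return Math.floor(a / div) === Math.floor(b / div);
}

// Internal = unqualified name, localhost, our domain, or an RFC 1918 literal.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host === "localhost" || host.indexOf(".") === -1) return true;
  if (host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return true;
  for (var i = 0; i < PRIVATE_NETS.length; i++) {
    if (inCidr(host, PRIVATE_NETS[i][0], PRIVATE_NETS[i][1])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Segment-to-segment traffic never touches the WSA zone.
  if (isInternalHost(host)) return "DIRECT";
  // Internet-bound: primary WSA, then secondary. No trailing DIRECT, so a
  // WSA outage fails closed instead of letting browsers bypass the proxy.
  return PROXIES;
}
```

Browsers that need an IP-based check for names that resolve internally would additionally call the PAC engine's dnsResolve(), which is left out here so the file also runs outside a browser.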

With PAC files you'll be able to redirect the traffic out to the DMZ.

How are you going to do authentication? If you look at ISE-PIC (the replacement for CDA) you may be able to send authentication info out to the WSAs. I think you'd still have to join the WSAs to the AD to make them completely happy...


Since the WSA is basically a stand-in for the workstation that browses the internet, I don't see it as any different than a workstation...

In the current scheme, the WSAs permit traffic to proceed without authentication. This may be because OpenLDAP is used for directory services. Are we missing much with this design?

This makes sense. However, since there will likely be multiple segments, each of which with internet access, the WSA would need to be somewhere accessible to all. I'm beginning to think an "Internet-Services-Zone" off of the Firewall-Core would fit the bill.

OHHH. Yeah, in that case with OpenLDAP, you don't have the issue with the WSA joining an AD, so you'd just have to have a hole for the WSA to talk to your LDAP boxes, which would be cleaner.



We have a segment between the core and the firewall, that's where the WSAs and Email Security Appliances sit.




Ok, how about this?

Since WCCP on the FTD will not forward web-destined traffic to a DMZ directly off of the FTD, will it forward it to an interface designated as "outside," connecting to another edge firewall? The WSA would sit in a zone hanging off of the edge firewall.

Thank you

No, WCCP can't forward traffic "through" the firewall.



Is your DMZ between the inside interface of an outer firewall and the outside interface of the inner fw?

You could use WCCP off of either of those (I'd do the WCCP on the inside interface of the outer firewall).



Ken




Thanks, Ken.

The "DMZ" is a Zone off of the outside FW. Not directly between the
outside and inside FWs. Now that you mention it, and based on some
additional reading, I might be better off using policy based forwarding
on the edge firewall. All 80 and 443 traffic would be forced to the 
"DMZ" where the WSAs resides, then out to the internet.

My goal is to eliminate the proxy pac files, if possible.