Andrey Kornienko

WSA redundancy and WCCP questions

Hello! My customer bought a pair of S370 WSAs prior to deployment planning. I need to deploy both of them into the existing network and I'd like to ask a few questions of somebody who knows how to do it.

1. As far as I know from the manuals, the WSA doesn't support any clustering, but I'd like to use both of my S370s for redundancy. I'm planning to use WCCP only; no explicit proxy mode will be used. What methods can I use to deploy a redundant WCCP cache on a pair of WSAs? If it is possible, I'd prefer to use something like an Active/Passive scheme rather than a load-balancing scheme. Does it have a centralized management feature like the ESA to share configs between devices?

2. I have a fusion router which "mixes" traffic from different VRFs. Is it possible to configure the router in such a way that every VRF (each of which corresponds to its own interface and different subnets) will be seen with its own IP address on the internet, or will all of them be using just the WSA's address, like in explicit proxy mode?

3. When I tried to test my WSA in explicit proxy mode prior to configuring WCCP, I found out that I can use it as a proxy without any authentication, just by setting its address and port in my browser. How can I disable explicit proxy mode or set up some authentication (no LDAP or NTLM) to prevent unauthorized use of my proxy?

I'm a newbie with IronPorts, so I will appreciate any help, including links to manuals.


Accepted Solutions

The WCCP protocol allows for automatic detection of all connected devices, both proxies and routers/firewalls/switches. When configuring WCCP with multiple WSAs, they're all in the WCCP cluster, with the router doing the load balancing between the detected proxies. From what I've seen, you can't configure an active/passive scenario.

As you mentioned, WSAs don't support the clustering seen in ESAs. You could use an M-series box to provide central management and reporting for multiple WSAs in your environment.

Regarding VRFs: WSAs support IP spoofing, which allows you to send out requests with the client's address instead of the WSA's external address. You could perform PAT of multiple addresses on the edge router/firewall to send the requests out with a different IP address for each VRF, for example.

I don't think you can fully disable the explicit proxy on the WSA. You can set up a firewall rule to prevent direct client access to the proxy ports.

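The load balancing described in the accepted answer still gives redundancy: when one WSA drops out of the WCCP group, its share of traffic moves to the survivor. The following is an added example, not part of the original thread, modelling WCCPv2 hash assignment with its 256 buckets in simplified form; the WSA addresses, the destinations, and the XOR hash are constructed stand-ins, not the hash a real router computes.

```python
import ipaddress

BUCKETS = 256  # WCCPv2 hash assignment divides redirected traffic into 256 buckets


def assign_buckets(caches):
    """Split the 256 buckets as evenly as possible across the live caches."""
    if not caches:
        return {}  # no cache in the group: nothing is redirected
    ordered = sorted(caches, key=ipaddress.ip_address)
    return {b: ordered[b * len(ordered) // BUCKETS] for b in range(BUCKETS)}


def bucket_for(dst_ip):
    """Stand-in hash (assumption): XOR of the four destination octets, 0..255."""
    h = 0
    for octet in ipaddress.ip_address(dst_ip).packed:
        h ^= octet
    return h


def route(dst_ip, table):
    """Return the cache that receives this flow, or None if not redirected."""
    return table.get(bucket_for(dst_ip))


def share(table):
    """Number of buckets owned by each cache."""
    counts = {}
    for cache in table.values():
        counts[cache] = counts.get(cache, 0) + 1
    return counts


# Constructed sample data (documentation address ranges, hypothetical WSAs)
WSA_A, WSA_B = "192.0.2.11", "192.0.2.12"
DESTINATIONS = ["198.51.100.7", "203.0.113.80", "198.51.100.200", "203.0.113.5"]


def demo():
    both = assign_buckets([WSA_A, WSA_B])   # both WSAs in the WCCP group
    only_b = assign_buckets([WSA_B])        # WSA_A has left the group
    for dst in DESTINATIONS:
        print(dst, "->", route(dst, both), "| after WSA_A fails ->", route(dst, only_b))
    return share(both), share(only_b)


if __name__ == "__main__":
    print(demo())
```
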