WSA S170 setup question - urgent help needed

Hi Team,

Can we have the WSA set up in the following way?

Users --> Core Switch --> WSA --> Firewall --> Internet Router --> Internet

1) I will have a default route to the Cisco WSA proxy from the core switch.

2) The WSA will be in transparent mode, with some policies created and integrated with the AD server for user authentication. The WSA will have routes towards the core and the firewall too.

And there will be no PAC file on end users.

Will this setup work, please?

2 Accepted Solutions

Logically the diagram works, but that's not how you'd hook it up. And DON'T set the default route to the proxy. The default route for all internet traffic should be the firewall... (e.g. set up your network as if the WSA didn't exist)

To integrate the WSA, plug the WSA P1 port into a port on the core that's on the same VLAN as the inside port on the firewall.

Set up WCCP on the firewall (I'm assuming you're using a Cisco ASA) to redirect web traffic to the WSA.

Here's an older design guide that works:

http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-WebSecurityUsingCiscoWSADesignGuide-AUG13.pdf


Siddharth Rajpathak
Cisco Employee

Hello,

Ken is right, we don't recommend using the WSA as the default gateway from the switch, as the WSA proxy can only handle HTTP, HTTPS, FTP and SOCKS traffic.

Apart from WCCP, you can use policy-based routing to transparently redirect traffic from the core switch to the WSA.

The article below talks about this in depth:

http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118156-configure-wsa-00.html

Sid
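
The policy-based routing approach from the reply above, sketched as Cisco IOS configuration for the core switch. This is an added example, not taken from the thread or from Cisco's article; every VLAN number, address and name is constructed, and it assumes the core switch supports PBR on SVIs, including deny entries in the matched ACL.

```cisco
! Constructed values for illustration:
!   VLAN 10 = users, 10.10.10.0/24
!   VLAN 20 = firewall inside + WSA P1, 10.10.20.0/24
!   firewall inside = 10.10.20.1, WSA P1 = 10.10.20.10
!
! Default route points at the firewall, as if the WSA did not exist.
ip route 0.0.0.0 0.0.0.0 10.10.20.1
!
ip access-list extended WSA-WEB
 remark internal destinations are routed normally, never sent to the proxy
 deny   tcp any 10.0.0.0 0.255.255.255
 remark only HTTP and HTTPS from the user subnet are redirected
 permit tcp 10.10.10.0 0.0.0.255 any eq 80
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
!
route-map WSA-REDIRECT permit 10
 match ip address WSA-WEB
 set ip next-hop 10.10.20.10
!
! Policy is applied only where client traffic enters the switch.
interface Vlan10
 description Users
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map WSA-REDIRECT
!
! No policy on the WSA/firewall VLAN, so the proxy's own outbound
! requests follow the default route and are not looped back to it.
interface Vlan20
 description Firewall inside and WSA P1
 ip address 10.10.20.2 255.255.255.0
```

Traffic that the ACL does not permit (DNS, mail, anything the proxy cannot handle) is not policy-routed and follows the default route to the firewall.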


4 Replies


Thanks for the reply and resource document, Ken.

Some inputs: the real connectivity is as you said above, I mean, WSA P1 port into a port on the core that's on the same VLAN as the inside port on the firewall.

2nd: I don't want to use WCCP, as one of the cores is a 4500 and it won't support it.

So you mean to say don't use the default route, it is not recommended?

Is there any other solution where I should not use WCCP or a PAC file and still achieve this setup?


Thank you...