11-12-2015 06:36 AM
Hi Team,
Can we have the WSA set up in the following way?
Users --> Core Switch --> WSA --> Firewall --> Internet Router --> Internet
1) I will have a default route to the Cisco WSA proxy from the core switch.
2) The WSA will be transparent, with some policies created and integrated with the AD server for user authentication; the WSA will have routes towards the core and the firewall too.
There will be no PAC file on end users.
Will this setup work, please?
11-12-2015 07:56 AM
Logically the diagram works, but that's not how you'd hook it up. And DON'T set the default route to the proxy. The default route for all internet traffic should be the firewall (i.e., set up your network as if the WSA didn't exist).
To integrate the WSA, plug the WSA P1 port into a port on the core that's on the same VLAN as the inside port on the firewall.
Set up WCCP on the firewall (I'm assuming you're using a Cisco ASA) to redirect web traffic to the WSA.
Here's an older design guide that works:
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-WebSecurityUsingCiscoWSADesignGuide-AUG13.pdf
11-12-2015 09:50 AM
Thanks for the reply and the resource document, Ken.
Some inputs: the real connectivity is as you said above, i.e. the WSA P1 port goes into a port on the core that's on the same VLAN as the inside port on the firewall.
Second, I don't want to use WCCP, as one of the cores is a 4500 and it won't support it.
So you mean to say using the default route is not recommended?
Is there any other solution where I don't need to use WCCP or a PAC file and can still achieve this setup?
11-12-2015 10:21 AM
Hello,
Ken is right; we don't recommend using the WSA as the default gateway from the switch, as the WSA proxy can only handle HTTP, HTTPS, FTP and SOCKS traffic.
Apart from WCCP, you can use Policy-Based Routing (PBR) to transparently redirect traffic from the core switch to the WSA.
The below article talks in depth about this:
http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118156-configure-wsa-00.html
Sid
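One way to implement the policy-based redirection Sid describes on an IOS core switch, as an added example that is not from this thread or from Cisco's documentation; the user subnet 10.1.0.0/16, the WSA P1 address 10.0.1.10, the user SVI Vlan100 and the track/SLA numbers are assumed values:

```cisco
! Only web traffic from the user subnet is redirected; everything else
! follows the normal routing table, so the default route still points
! at the firewall as Ken recommended.
ip access-list extended WEB-TO-WSA
 ! never redirect the WSA's own outbound traffic (avoids a redirect loop)
 deny   ip host 10.0.1.10 any
 ! keep intranet web servers off the proxy (assumed RFC1918 internal range)
 deny   tcp any 10.0.0.0 0.255.255.255
 permit tcp 10.1.0.0 0.0.255.255 any eq www
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
!
! Track WSA reachability so that if the appliance is down, PBR is
! bypassed and users fall through to the firewall instead of blackholing.
ip sla 1
 icmp-echo 10.0.1.10
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map WSA-REDIRECT permit 10
 match ip address WEB-TO-WSA
 set ip next-hop verify-availability 10.0.1.10 1 track 1
!
! Apply the policy on the user-facing SVI only; the WSA/firewall VLAN
! carries no policy, so proxied traffic leaves through the firewall.
interface Vlan100
 description User subnet
 ip policy route-map WSA-REDIRECT
```

The WSA must be in transparent mode for this to work (no PAC file or explicit proxy setting on clients), and `show route-map WSA-REDIRECT` will show the policy-routed packet counters climbing once users browse.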
11-12-2015 10:49 AM
Thank you...