ProxySG & Advanced Secure Gateway

  • 1.  Transparent Proxy Physical Connectivity

    Posted Feb 23, 2021 01:58 PM
    Hello there,

    We are trying to implement transparent proxy and need High Availability in Active/Standby configuration. My concern is how to do the physical connectivity for the virtually in-line implementation. Do we just use the same interface that connects the WCCP router for redirection where the proxy is connected? Or can we use two different ports on the WCCP router, one where the proxy is connected and one where the router receives the internet traffic from the clients? What will be the configuration on each port on the WCCP router in this case? I have seen documents, and they only concern the one interface where WCCP redirection is done.

    Also, how do we implement Active/Standby HA in this scenario? I would appreciate any design reference that shows the physical connectivity and basic configurations.

    Thanks in advance


  • 2.  RE: Transparent Proxy Physical Connectivity

    Broadcom Employee
    Posted Mar 02, 2021 10:33 AM
    Hello Abdul, 

    1. Unless HA Active/Standby is a requirement, it's best to let the WCC do the load balancing between the two nodes, and in case one fails the WCC will send all the traffic to the one that is still online. The WCC has these functions built in and it does an amazing job; no additional configuration is needed on the proxy. This is how one would take advantage of having two proxies running on low RPMs (lower risk) vs one proxy handling all the load.
    2. For the failover features of the WCCP (Cisco proprietary protocol) and the devices that are a part of the same group or different groups, I would recommend consulting with a Cisco specialist, but it could be just as simple as playing around with the Weight Values, or Mask Values or Buckets.
    3. There is also a possible option that may work for the HA Active/Standby of the two proxies in the same WCC Group:
       a. Configure the HA on the proxy for an Active/Standby using one (1) Virtual IP (how to configure failover KB).
       b. The Virtual IP used for the HA will be the one that you used to configure the WCC on each proxy and on the WCC Home Router setting, as that Virtual IP will be the proxies' IP for traffic.

    The idea in option 3 is that when you have two proxies in HA Active/Passive configured using one Virtual IP, the switch that is connected to both of the proxies will only send traffic to the proxy that is Active. As soon as the Active device is no more, the passive device becomes Active and the switch learns a new MAC for the same IP and starts sending traffic to the new Active device, but from the WCC router's perspective nothing really changes, as it may not even notice the difference since the IP of the proxy does not change at all.

    Option #3 I have not personally done before, but knowing how this works makes this a sound option (theoretically). However, going with option #2 will be way less work, but unfortunately I am not a Cisco specialist, so I can't specify what exactly needs to change on the WSS Home router.

    I hope this helps steer you in the right direction.
    Slava 