clustering configuration

Unanswered Question
Jan 17th, 2009
User Badges:

i m new to Ironport WSA so i need some information....
is there any document which can describe how to configure two WSA in failover or redundancy or clustering mode.

i want to know is any of them can be configured on web security appliance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jowolfer Mon, 01/19/2009 - 17:50
User Badges:


There is currently not clustering / failover abilities built into the WSA.

Please be aware that if you are using transparent proxy with WCCP, the WCCP protocol inherently utilizes load balancing and failover if a problem happens on any web-cache devices within the same service ID.

IE: If you have two WSAs in a single service ID, traffic will be load shared between them and if one WSA fails, all traffic will be routed to the working WSA.

mac.til_ironport Mon, 02/02/2009 - 05:58
User Badges:

thanks for your reply,

But i have some little information that we can achive this using PAC file hosting facility on the box. Do you have any idea about that.

jowolfer Mon, 02/02/2009 - 15:53
User Badges:


It is possible utilize multiple WSAs by writing a .pac file script.

We cannot assist in writing, modifying, or maintaining .pac file code, but I have a pac file example that may help.

This is for load balancing between 2 proxies:

function FindProxyForURL(url,host){
case 1: return "PROXY wsa.proxy1:3128";
default: return "PROXY wsa.proxy2:3128";

function URLHash(url) {
if(!server_name) {return url.length;}
return server_name.length;

RBC____CS Fri, 02/06/2009 - 22:00
User Badges:

What about an example for failover via pac file?

I have looked at using

return "PROXY ironport:8080; PROXY otherproxy:8080";
but I am not clear if traffic will push over to otherproxy randomly or only if ironport1 is not available or times out.

Any thoughts or suggestions?
jowolfer Tue, 02/10/2009 - 16:06
User Badges:

The following can be used for a simple failover:

function FindProxyForURL(url,host) {
return "PROXY ironport:8080;
PROXY otherproxy:8080;

bartknippenberg Tue, 06/16/2009 - 11:45
User Badges:

Hello josh,

Are there plans to implemented real failover not using wccp or an external loadbalancer? Like for example vrrp as used by bluecoat?

Best regards


jowolfer Tue, 06/16/2009 - 17:10
User Badges:


We do have a feature request for this functionality, but I do not have any roadmap information for it.

Enhancement: 38634 Ability to setup WSA as Active-Standby failover in forward proxy mode

I recommend bringing this up with your sales representative as well, so that we can properly log the importance for this feature.

Tim Jackson Thu, 06/18/2009 - 17:45
User Badges:

The failover should only occur if the first proxy is no longer pingable. That's my experience anyway. Also, you might need to host the pac file on another webserver. If you host it on say proxy1, and it's the one that goes down, the browser won't know how to get to proxy2. I guess you could host it on both and roundrobin the DNS record. Anyone else doing that?



This Discussion