IronPort Failover

Answered Question

Hello all,

Recently we got Ironport and set it up for our web security. This is working fine so far. What I am looking at now is to set up another Ironport as failover. Checked the document and there isn't a clear explanation of how to do this. Searched the web and so far I have had no luck.

Has anyone set up failover for Ironport?

In my environment, I have a pair of ASAs and this is set up as a stateful failover, so I am thinking of setting up Ironport the same way if there is such a feature in the Ironport. Also, if the primary Ironport dies, it should automatically fail over to the secondary if possible. Well, that is a thought, but I am not sure the licensing will fit into that scenario. The Ironport is an S160 and the version of AsyncOS is 6.3.3.

Thank you for your help in advance.

Correct Answer
edadios Tue, 08/03/2010 - 17:05

The WSA does not have a failover mechanism similar to the ASA.

If you are configured for transparent proxy, and using wccp, that mechanism handles the redirection to a live proxy server.

If you are configured for explicit forward, you could use a PAC file similar to this, for sending clients to a live proxy server.

function FindProxyForURL(url, host)
{
    /* bunch of if statements for internal subnets/sites - all return "DIRECT" - not related to this test */
    return "PROXY 10.66.71.17:80; PROXY 10.66.71.19:80; PROXY 10.66.71.21:80";
}

More information on WCCP here:

http://tinyurl.com/265olc4

http://tinyurl.com/24cox4s

And the WSA documentation will have information about WCCP.

More information on PAC files here:

http://tinyurl.com/yatdyb4

And more in the WSA documentation.

I hope this information helps you.

Regards
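
An added example, not part of the answer above or of Cisco's documentation: a complete PAC file built around the answer's proxy list. It goes beyond the answer by rotating the list per host, so the proxies share load while each request still names all of them as fallbacks. The internal ranges and the ".corp.example" suffix are assumptions, and the subnet test is plain JavaScript that matches IP literals only.

```javascript
// Added example, not from the thread. Proxy addresses are the ones in the answer;
// the internal ranges and the ".corp.example" suffix are assumptions.
var PROXIES = ["10.66.71.17:80", "10.66.71.19:80", "10.66.71.21:80"];
var INTERNAL_NETS = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8]];
var INTERNAL_SUFFIX = ".corp.example";

// Dotted-quad string to number, or null if the host is not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}
// Pure-JS subnet test, so no DNS lookup is made while the PAC file is evaluated.
function inNet(ip, base, bits) {
  var a = ipToInt(ip), b = ipToInt(base);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}
function isInternal(host) {
  host = host.toLowerCase();
  // Single-label names are internal; IPv6 literals (contain ":") are not assumed to be.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  for (var i = 0; i < INTERNAL_NETS.length; i++)
    if (inNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  return false;
}

// Rotate the list by a hash of the host: load is spread across the proxies,
// and every answer still names all of them so the client can fail over.
function proxyList(host) {
  var h = 0, out = [];
  for (var i = 0; i < host.length; i++) h = (h * 31 + host.charCodeAt(i)) % 65521;
  for (var j = 0; j < PROXIES.length; j++)
    out.push("PROXY " + PROXIES[(h + j) % PROXIES.length]);
  return out.join("; ");
}

// No trailing "DIRECT": if every proxy is down, requests fail instead of bypassing the WSA.
function FindProxyForURL(url, host) {
  return isInternal(host) ? "DIRECT" : proxyList(host);
}
```

Appending "; DIRECT" to the list would keep users online during a total proxy outage, at the cost of unfiltered web access for as long as it lasts.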

Thanks Edadios. The way it is set up now is using WCCP, and when tested with ASA failover to secondary, www traffic is still being monitored by the Ironport (single deployment), but I think the L4 traffic will not be, which is fine. Now if the second Ironport is going to be online, I just want to confirm this is how a pair of Ironports will work:

Let's say Ironport 1 is 172.16.1.1 and Ironport 2 is 172.16.1.2, both connected to switch 1 and switch 2 respectively, and the same for ASA1 and ASA2, and let's say ASA1 is 172.16.2.1 and ASA2 is 172.16.2.2.

If ASA1 fails, everything should follow to ASA2 and Ironport 2, and if Ironport 1 fails, all monitoring should be on Ironport 2 and traffic will go through ASA1. Since I am new to this, I will spend some time to understand the PAC file.

edadios Wed, 08/04/2010 - 15:41

The Ironport is not aware of failover. It is only aware of traffic being sent to it.

The setup should have the switches trunked to each other, so that traffic will pass either switch, to either ASA that is active, and then on to whichever the WCCP protocol chooses as Ironport to forward the traffic to.

Whichever ASA is active in a failover setup will use the configuration of WCCP, which handles how the traffic is forwarded to the Ironports configured in the WCCP process.

I hope this answers your query.

Regards
