Cisco Support Community
New Member

Deploying WSA with an Existing Proxy

Does anyone have this kind of setup?

The existing proxy is Squid; MAC was used to filter users with internet connections.

There is no domain controller on the client side, and it is a DHCP environment.

Any tips?

Capt. Winters

New Member

Re: Deploying WSA with an Existing Proxy

Captain Winters,

Currently the WSA does not provide any filtering based on MAC addresses. All policies utilize IPs or authenticated usernames / groups. I do not believe MAC policies are on the road map, but I can file this as an enhancement request if it is something you desire.

Since you are using DHCP, I would typically recommend using authentication and building policies based on user / group. You state that you have no DC on the client side though.

If there is a DC nearby, it can be used for authentication. Or if you have an LDAP server, that would suffice as well.

Hope this information helps.

New Member

Re: Deploying WSA with an Existing Proxy

Hi Josh,
Thanks for your reply.

They filter web access by manually defining the MAC addresses of the clients on their current proxy (Squid).

I will set up my IronPort as a downstream proxy, which will point to the upstream proxy, which is the Squid.

Are there any configuration write-ups on this one?

I already configured the IronPort to have an upstream proxy, which is the IP address of the Squid proxy : port number.

As per the manual, there are two options for the upstream proxy, transparent and forward mode. Which do I use, and how do I configure the IronPort?

Would be highly appreciated...thank you.

capt. winters

New Member

Re: Deploying WSA with an Existing Proxy

Capt. Winters,

The WSA can use the Squid as either an explicit or a transparent proxy. This will change how the WSA creates its own requests to fetch the objects.

With a transparent upstream proxy, there is nothing additional that needs to be done. The WSA will send its requests to the configured default gateway.

With an explicit upstream proxy, you will need to enter your Squid's IP and port (typically 80 or 8080) to be used. The WSA will send requests directly to the Squid proxy, as opposed to the default gateway.

Both of these options are configured under the Network tab -> Upstream proxy.

The only real difference between not using an upstream proxy and using a transparent upstream proxy is that with the latter the WSA will forward internal credentials upstream to the Squid (if the Squid is doing authentication).
