06-09-2009 03:58 PM
After going through the deployment section of the user guide to try and have a better understanding of how to deploy the appliance, I find myself needing some answers, if I were to deploy the device as a transparent proxy. I hope someone can oblige.
1. The appliance can be deployed using WCCPv2 or a L4 switch, I understand that with WCCP traffic will be redirected to the appliance. Should this be all traffic or should it be http and/or https traffic only? The other method is to simply connect it to a L4 switch and the guide provides no explanation of how this works. How is this accomplished? Is it feasible to configure WCCP on the L4 switch and redirect traffic to the appliance as well?
2. L4 traffic monitoring can be accomplished by using a span port, network tap or a hub. If I am to also enforce blocking and not just monitoring it says that the Web proxy and the L4 monitor must be on the same network. I don't understand, why is this so? Does the L4 traffic monitor port need an IP address?
Thanks a lot and I hope someone can help.
06-10-2009 05:41 PM
1. The appliance can be deployed using WCCPv2 or a L4 switch, I understand that with WCCP traffic will be redirected to the appliance. Should this be all traffic or should it be http and/or https traffic only?
WCCP requires the specification of up to 8 ports to redirect. At a minimum you would need to redirect port 80. If you intend to do HTTPS proxy as well, you'd need to redirect port 443 as well as 80.
The other method is to simply connect it to a L4 switch and the guide provides no explanation of how this works. How is this accomplished? Is it feasible to configure WCCP on the L4 switch and redirect traffic to the appliance as well?
Each L4 switch will need its own customized configuration in order to redirect traffic. On a Cisco switch, you'd need to use policy based routing.
It's an either / or situation. You would use either WCCP or L4 policy based routing, never together.
If your switch supports WCCP, I'd highly recommend using it over policy based routing.
2. L4 traffic monitoring can be accomplished by using a span port, network tap or a hub. If I am to also enforce blocking and not just monitoring it says that the Web proxy and the L4 monitor must be on the same network. I don't understand, why is this so? Does the L4 traffic monitor port need an IP address?
The L4TM interfaces (T1/T2) are passive listening ports. They just see where your clients are accessing. In order to block this traffic, the L4TM will use the proxy interface (M1 or P1) in order to send a TCP RST packet to the offending client and server.
If the P1 interface is not on the same network as the L4TM passive ports, the RST sent out P1 will never get to the client.
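As an added illustration of the two redirection methods described in the reply above (this is a constructed example, not configuration from the thread or from Cisco's WSA documentation), here is a Cisco IOS fragment using placeholder addresses: WSA P1 at 10.10.20.5 and clients on VLAN 10 (10.10.10.0/24). The service group ID 90, ACL names and password are assumptions; the WSA itself defines which ports (80 and 443) belong to the dynamic service.

```cisco
! Added example, not part of this thread. Placeholder addresses throughout.
! Configure ONE of the two options below, never both (WCCP and PBR are either/or).

! ---- Option A: WCCPv2 (preferred when the switch supports it) ----
! Service 0 ("web-cache") only covers TCP/80. For 80 and 443 together the WSA
! advertises a dynamic service (ID 90 here); the switch names the ID, restricts
! which device may join, and limits what gets redirected.
ip access-list standard WSA-GROUP
 permit host 10.10.20.5
ip access-list extended WCCP-REDIRECT
 deny   ip host 10.10.20.5 any
 permit tcp 10.10.10.0 0.0.0.255 any eq 80
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
ip wccp 90 redirect-list WCCP-REDIRECT group-list WSA-GROUP password WSA-SECRET
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip wccp 90 redirect in

! ---- Option B: policy based routing on an L4 switch ----
! The deny line keeps the proxy's own outbound connections from being sent
! back to itself; harmless here, essential if the WSA shares the client VLAN.
ip access-list extended PBR-TO-WSA
 deny   tcp host 10.10.20.5 any
 permit tcp 10.10.10.0 0.0.0.255 any eq 80
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
route-map REDIRECT-TO-WSA permit 10
 match ip address PBR-TO-WSA
 set ip next-hop 10.10.20.5
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map REDIRECT-TO-WSA
```

With either option, only the listed ports are diverted, so non-HTTP traffic from the clients still follows the normal routing table.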
06-11-2009 03:10 PM
Thanks a lot for your response. I now understand why it has to be in the same network, but I don't understand how it would work. Is it that in a multiple VLAN environment a remote SPAN VLAN has to be set up for the L4TM port so that it can see all the traffic and ensure that both it and the P1 port are in the same VLAN?
06-12-2009 05:38 PM
Multiple VLANs will work fine as long as the P1 interface has a route to the clients, so that the TCP RST is received.
06-16-2009 07:02 PM
Each L4 switch will need its own customized configuration in order to redirect traffic. On a Cisco switch, you'd need to use policy based routing.
It's an either / or situation. You would use either WCCP or L4 policy based routing, never together.
If your switch supports WCCP, I'd highly recommend using it over policy based routing.
The L4TM interfaces (T1/T2) are passive listening ports. They just see where your clients are accessing. In order to block this traffic, the L4TM will use the proxy interface (M1 or P1) in order to send a TCP RST packet to the offending client and server.
If the P1 interface is not on the same network as the L4TM passive ports, the RST sent out P1 will never get to the client.
06-17-2009 06:20 PM
scraig84,
You're confusing the difference between using an L4 switch (PBR) to route client HTTP traffic to the WSA proxy versus the Layer 4 traffic monitor (L4TM) functionality within the WSA.
The WSA proxy can receive HTTP traffic from clients via one of the following methods:
WCCP
L4 Switch PBR
Explicit browser configuration (includes .pac files)
The L4TM is a completely separate service that promiscuously sniffs traffic to learn DNS values, match IP black/white lists, and TCP RST 'bad' traffic.