Sophos Web Appliance: Integrating the Appliance with the Web Cache Communication Protocol (WCCP)

  • Article ID: 110419
  • Rating:
  • 4 customers rated this article 3.8 out of 6
  • Updated: 28 Mar 2013

The Web Cache Communication Protocol (WCCP) was developed by Cisco Systems. The protocol routes traffic in real time, redirecting web requests to Sophos Web Appliances. To enable WCCP integration use the Configuration|Network|WCCP page.

Some benefits of WCCP deployment include transparent redirection of web traffic, load balancing, scaling, and fail-safe mechanisms. WCCP implementation does not require additional proxy settings or client configuration. WCCP can use either Layer 2 MAC Address Rewrite (L2) or Generic Encapsulation (GRE) to redirect traffic to the Web Appliance. You should choose the forwarding method appropriate for your routers according to your organization's infrastructure, network topology, and security requirements.

WCCP Infrastructure

WCCPv2 allows up to 32 routers (WCCP servers) and up to 32 Web Appliances (WCCP clients) to be connected into a service group.


Fig. 1: A typical WCCPv2 network structure

WCCPv2 adds MD5 shared secret identity, that allows Web Appliances to provide passwords in order to join service groups (recommended). WCCPv2 also supports any IP protocol, including TCP and UDP.

Most Cisco routers can be configured to use WCCPv2 or WCCPv1, while some routers may have limited WCCP support. WCCPv1 is a legacy protocol that only supports a single WCCP router in a service group, and only HTTP (TCP port 80) traffic flow.

Note: Please contact a Cisco technical support center for specific instructions for your WCCP-enabled router.

For more information on WCCP, consult the following resources:

This article covers the following:

Integrating WCCP with your Sophos Web Appliance

Important: Do not restart or reboot your router if WCCP integration does not work on your Web Appliance (this causes a router outage and may disrupt your network). Instead, restart the WCCP service on the router.

Enable and Configure WCCP Integration

To enable integration between your Web Appliance and WCCP routers, use the Configuration|Network|WCCP page. Your deployment can be in either Transparent Mode or Bridged Mode.

  1. Enable the WCCP service on your routers.
  2. Toggle the WCCP integration button to the On position.
  3. Under Forwarding method, select GRE or L2.
    Important: You must turn WCCP off on all Web Appliances for at least 30 seconds when you switch between the GRE and L2.
    • For optimal performance, select L2, if there are no other routers between the WCCP router and the Web Appliance. (In this example, the IP address of interface is the IP address of the WCCP router.)
      Note: Not all versions of the Cisco Internetwork Operating System (IOS) support L2 MAC Address Rewrite. Check whether the IOS on your router supports L2, and either upgrade your router, or use GRE instead.
    • You must choose GRE if your network has more than one router between the WCCP router and the Web Appliance, or if your network topology has specific hardware or firewall requirements. (In this example, the IP address of interface is the IP address of the WCCP router.)

      Most Cisco WCCPv2-capable routers support GRE. Although GRE works in most network topologies, it is slower than L2. GRE must be selected if the Web Appliance and the WCCP router are not on the same IP subnetwork, or if the network topology has specific hardware or firewall requirements.
  4. Enter the IP addresses for your routers.
    • For routers using a multicast IP address, enter an IP address, and click Add. The address can range from 224.0.0.0 to 239.255.255.255.
    • For routers with unicast IP addresses, enter an IP address, and click Add for each router.
  5. [Optional] Enter a password under Service group password to ensure the Web Appliance only accepts requests from authorized WCCP routers.
  6. Click Apply.
  7. If the initial setup is successful, traffic will begin to flow through the Web Appliance. However, if the initial setup fails, the System Status will display a critical error after 3 minutes.
    Note: When a Web Appliance with an incompatible forwarding method attempts to join a WCCP service group, a Cisco router detects that an unusable proxy has joined, but may not update the router's record. To correct this, you must disable WCCP on the router, and then re-enable it, clearing the list of known routers.

Back Up Your Network Settings

The Web Appliance does not back up network settings, so WCCP settings are not part of the on-demand or on-schedule system configuration data backup. Create and maintain a detailed network diagram that shows the relationships between your Web Appliances and WCCP routers before you attempt to reconfigure or expand your infrastructure. This allows you to recover from network service disruption more easily.

Manage WCCP Integration on Joined Web Appliances

A Management Appliance does not control network settings for joined Web Appliances. Also, WCCP settings are not part of the centralized configuration data. Thus, WCCP integration has to be enabled and configured separately on each joined appliance.

View System Alerts

The Web Appliance monitors its connection with WCCP routers. If there is no connection for more than one minute, the system displays a red critical error and sends an email notification to the Alert Recipients every 2 hours.

Controlling the WCCP Service on a Cisco Router

Important: These instructions only apply to certain versions of the Cisco Internetwork Operating System (IOS). Thus, they should be regarded as general guidelines only.

To stop, start or view the status of the WCCP service on a Cisco router:

  1. Connect to the router using SSH or a serial cable and terminal software. When you connect to the router, the router# prompt will appear.
    [Optional] To enter a password, add password [password] to your commands.
    • To view global WCCP information, enter show ip wccp web-cache.
    • To view WCCP router and client information, enter show ip wccp web-cache view.
    • To view detailed WCCP information, enter show ip wccp web-cache detail.
  2. To enter configuration mode, type configure terminal and press Enter. When you enter configuration mode, the prompt will change to router(config)#.
    • To stop the WCCP service, enter no ip wccp web-cache.
    • To start the WCCP service and accept requests to join a service group as L2 only, enter ip wccp web-cache accelerated.
    • To start the WCCP service and accept requests to join a service group as GRE or L2, enter ip wccp web-cache.
  3. To leave configuration mode, type exit and press Enter.
  4. To disconnect from the router, type exit and press Enter.

Troubleshooting WCCP Infrastructure

L2 Only

The WCCP router accepts requests to join a service group as L2 only and redirects traffic to Web Appliances as L2.

If a Web Appliance tries to register itself as GRE, the WCCP service on the router could become unusable for all Web Appliances that have already joined the service group. There are two possible solutions:

Solution A: Set all Web Appliances to L2 only

Solution B: Set all Web Appliances to GRE

GRE or L2

The WCCP router can accept requests to redirect traffic to the Web Appliance using GRE or L2. However, certain limitations require specific Web Appliance settings:

  • If the first Web Appliance uses GRE to join a service group, then all subsequent Web Appliances must also use GRE. This also applies to L2.
  • If the router uses GRE, a Web Appliance will not be able to register itself in L2 mode successfully. Web Appliances using GRE will be able to join 30 seconds after you stop the Web Appliance that uses L2. This also applies to appliances using GRE which try to join a router using L2.
  • When all previously joined Web Appliances using GRE have all been disconnected from the router, the router will switch back to accepting Web Appliances in either GRE or L2 mode. This also applies to Web Appliances that use L2.

Service Groups with Multiple Routers

Within a service group, all WCCP routers may redirect traffic to Web Appliances running as GRE or L2. However, all WCCP routers and Web Appliances within a service group must use the same redirect method.

WCCP and Directory Services Integration

Active Directory Integration

WCCP and Active Directory (on the Configuration|System|Active Directory page) can only be integrated with the Web Appliance in transparent mode or bridged mode.

The Authenticate all requests against Active Directory and the Sophos list of applications options are only available in explicit mode. Otherwise, transparent Active Directory authentication is enabled implicitly.

Internet Explorer 7 and 8

Internet Explorer provides automatic authentication and requires no client configuration.

Firefox

When the Web Appliance uses Active Directory authentication in transparent mode, and WCCP provides load balancing between two or more Web Appliances, Firefox users are prompted to enter a username and a password once per appliance. To avoid these prompts, configure Firefox to connect automatically.

  1. In the Firefox address bar, type about:config.
  2. In the Search text box type ntlm.
  3. Double click network.automatic-ntlm-auth.trusted-uris to edit the field.
  4. Enter the hostname(s) of the Web Appliance(s).

eDirectory Integration

WCCP and eDirectory (on the Configuration|System|eDirectory page) can only be integrated with the Web Appliance in Transparent Mode or Bridged Mode. The appliance requires no additional client-side or web browser configuration.

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments