Will transparent mode be supported on Cisco 3560 switches, unlike WCCP, which can't be supported? According to the documents, transparent mode is configured between the router and the firewall. Does transparent mode have the same features as WCCP, where all traffic is passed through Webwasher?
Transparent mode in MWG 7 is not dependent on any hardware. You could do policy-based routing, for example, which means that port 80 and 443 traffic is routed to MWG, or you could also deploy in bridge mode.
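As an added illustration of the policy-based routing option mentioned in the reply above (this is not configuration from the thread, from McAfee or from Cisco documentation), the following Cisco IOS fragment steers client port 80/443 traffic to an MWG and falls back to normal routing when the MWG stops answering. All addresses, VLANs, names and the SLA probe are assumptions.

```cisco
! Added example, not from the original thread. Assumed topology:
!   clients on Vlan20 (10.2.0.0/16), MWG at 10.1.1.10 on Vlan10.
! On Catalyst 3560/3750 PBR additionally needs the routing SDM template
! ("sdm prefer routing", then reload) and an IP services image.

! Match only client web traffic. The MWG's own outbound connections are
! denied first so they are not steered back to the MWG (routing loop).
ip access-list extended WEB-TO-MWG
 deny   tcp host 10.1.1.10 any
 permit tcp 10.2.0.0 0.0.255.255 any eq 80
 permit tcp 10.2.0.0 0.0.255.255 any eq 443

! Probe the MWG so the route-map can fail open: when the next hop is
! unreachable, matching packets are simply routed normally (no redirect).
ip sla 1
 icmp-echo 10.1.1.10 source-interface Vlan10
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

route-map MWG-PBR permit 10
 match ip address WEB-TO-MWG
 set ip next-hop verify-availability 10.1.1.10 10 track 1

! Apply on the client-facing interface; PBR acts on ingress traffic.
interface Vlan20
 description client VLAN
 ip policy route-map MWG-PBR
```

Because the packets arrive at the MWG with the original server address as destination, the MWG HTTP proxy port they land on must be set to serve transparent requests, as the quoted paper later in this thread describes for WCCP; PBR only changes how the packets reach the appliance. If fail closed is wanted instead, drop the `verify-availability ... track` clause and block client port 80/443 on the uplink for every source other than the MWG.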
Sorry Marek, in MWG 7 the WCCP config is different than in 6.8. I am trying to configure it now in my lab and it does not work. It would be very useful if anyone could attach a screenshot of the WCCP configuration page. The current product guide has no example of WCCP configuration.
Taken from a colleague's paper (kudos to Mr. Ebeling):
It is usually best to set up and verify the operation of McAfee Web Gateway as an explicit proxy prior to attempting to configure WCCP. If authentication will be used, set it up at the Authentication Server with cookie authentication or auth server redirect. Test the authentication with a browser using McAfee Web Gateway as a non-transparent proxy.
WCCP configuration on McAfee Web Gateway 7.x is fairly simple. The configuration of WCCP is done through the GUI, and most of the configuration is done in the Configuration > Appliances > <specific appliance> > Proxies (HTTP(S), FTP, ICAP and IM) section:
Select Proxy and WCCP
Add a service:
The service ID must match router config and it is highly recommended to only use a value from 51-98. Service IDs 0-50 are static and reserved for “well known services” with predefined configurations. Service IDs 51-255 are dynamic and involve negotiation between the WCCP peers. This configuration shows 51 for the service ID. “Web-cache” is a Cisco reserved keyword that refers to well-known Service ID 0 and will only redirect port 80 regardless of port settings in the MWG GUI. See also: http://www.ciscopress.com/articles/article.asp?p=1192686&seqNum=2 this article focuses on WAAS but includes useful information about WCCP.
WCCP router definition
The router, switch, or firewall address that is configured in the Router field should be on the same subnet as one of the McAfee Web Gateway interfaces, but if the router, switch or firewall is set up to use GRE, WCCP can traverse multiple router hops and subnets. MAC rewrite cannot.
Multiple McAfee Web Gateways can connect to the same router to support load balancing and failover. Set up a McAfee Web Gateway cluster with Central Management and make sure that each McAfee Web Gateway has the same value in the “Router” field. The first McAfee Web Gateway to come up and establish contact with the router will “assign buckets.” When a McAfee Web Gateway comes on or off line, buckets will be automatically reassigned. If the “bucket assigner” goes off line another McAfee Web Gateway will take over bucket assignment.
If WCCP is configured on the router and no peer (McAfee Web Gateway) is active in the service group, the router will just let the requests through, without redirection. If fail closed (valve model, traffic blocked) is desired in a single McAfee Web Gateway deployment, configure the firewall to only allow web traffic from McAfee Web Gateway. If fail open (valve model, traffic allowed) is desired in a single McAfee Web Gateway deployment, configure the firewall to allow web traffic from any IP. Some Cisco IOS versions allow "fail open" or "fail closed" to be configured on the router or switch.
WCCP v2 supports multiple routers connecting to a single service supported by a single cache, or group of caches, by using a multicast address, or entering multiple addresses in the router field. McAfee Web Gateway 7.x supports this feature in addition to multiple McAfee Web Gateways working with a single router (supported since 6.5).
Multiple routers can be listed in the Router field or a multicast address can be used. Note that if a multicast address is used, “group-address” and “group-listen” must be used in the router or switch configuration.
Ports to be redirected
The configuration above uses WCCP v2, which supports multiple ports. Any ports that need to be filtered and treated as SSL, other than 443, must also be added under Proxies > Web Proxies > HTTPS Proxy > Settings > Transparent SSL Scanning Setup. If WCCP v1 is used, there are no configuration options available on McAfee Web Gateway and only port 80 traffic will be filtered.
Proxy listener IP address and Proxy listener port
Use the IP address and port that are set up for transparent proxy under Configuration > Appliances > <specific appliance> > Proxies (HTTP(S), FTP, ICAP and IM) > HTTP Proxy section. It is recommended that you specify both the IP address and the port of any proxy (otherwise the port will be open on all interfaces).
Note that “Serve transparent requests” and “Transparent common name handling for proxy requests” are checked. These are similar settings to those described in 6.x above.
MD5 authentication key
MD5 authentication is optional, but if used, must match the router configuration.
Input for Load Distribution
When running multiple appliances, load distribution can be configured for the proxies on them. Data packets can be distributed to these proxies based on the masking of source or destination IP addresses and port numbers or on a hash algorithm.
· Destination port — When selected, load distribution relies on the masking of the destination port numbers.
The bucket assignment method is the method used by WCCP to determine which McAfee Web Gateway to use for the redirection. Certain Cisco switches and routers will only support MASK assignment. See the documentation for the software revision and hardware model of the switch or router. ASA and PIX firewalls currently support only HASH assignment.
The assignment weight field is used to enable unequal distribution of traffic across multiple MWG appliances. The value assigned to each appliance is the relative proportion of traffic the MWG should handle. The load assignment for a particular MWG will be its assignment weight divided by the total of all weight values assigned among all active MWGs in the same service group. For example, in a group consisting of two 1100s and one 500, it might be advisable to assign a weight of 50 to each of the 1100s and a weight of 25 to the 500. If all three appliances are up and available, 40% of the traffic would go to each of the 1100s (80% total) and the remaining 20% would go to the 500. If one of the 1100s was unavailable, 66% of the traffic would go to the remaining 1100 and 33% would go to the 500.
Forwarding Method and L2 Redirect Target
With 6.8.0 and later, the forwarding method can be selected as GRE encapsulation or L2 rewrite (MAC rewrite). Certain Cisco switches and routers only support L2 rewrite. Note that L2 rewrite requires that the McAfee Web Gateway is in the same layer 2 broadcast domain as the switch or router interface to which it is connected. When doing L2 rewrite, the interface connected to the router or switch must be correctly specified as the MWG L2 Redirect Target. As of this writing, Cisco firewalls only support GRE encapsulation.
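The paper above describes only the MWG side. As an added example (not from the paper, the thread, McAfee or Cisco documentation), here is the matching network-side configuration for a dynamic service ID 51 with an MD5 key, a redirect list, a cache (group) list, the multicast variant for several routers, a fail-closed ACL, and the equivalent ASA definition. All addresses, interface names, ACL names and the shared key are assumptions.

```cisco
! Added example, not from the original thread. Assumed topology:
!   clients on Vlan20 (10.2.0.0/16), two MWGs at 10.1.1.10 and 10.1.1.11
!   on Vlan10, Internet uplink on GigabitEthernet0/1.

! ---------- Cisco IOS router / switch ----------
! Redirect only client port 80/443 traffic. Deny the MWGs first so their
! own outbound requests are never redirected back to them (loop).
ip access-list extended WCCP-REDIRECT
 deny   ip host 10.1.1.10 any
 deny   ip host 10.1.1.11 any
 permit tcp 10.2.0.0 0.0.255.255 any eq 80
 permit tcp 10.2.0.0 0.0.255.255 any eq 443

! Only these appliances may join service group 51; an unknown host that
! speaks WCCP to the router is ignored.
ip access-list standard WCCP-CACHES
 permit 10.1.1.10
 permit 10.1.1.11

! Service ID 51 = the dynamic ID entered in the MWG GUI (not web-cache /
! service 0, which redirects port 80 only). The password is the MWG
! "MD5 authentication key" and must match on every peer in the group.
ip wccp 51 redirect-list WCCP-REDIRECT group-list WCCP-CACHES password 0 WccpSharedSecret

! Multicast variant for several routers and one service group: replace the
! line above with the following, put the group address in the MWG "Router"
! field, and enable multicast on the interface that carries the WCCP peers:
!   ip wccp 51 group-address 239.10.10.51 redirect-list WCCP-REDIRECT group-list WCCP-CACHES password 0 WccpSharedSecret
!   interface Vlan10
!    ip wccp 51 group-listen

! Redirection is evaluated inbound on the client-facing interface.
interface Vlan20
 description client VLAN
 ip wccp 51 redirect in

! The MWGs sit on Vlan10; never redirect what arrives there (GRE return
! traffic and the proxies' own connections).
interface Vlan10
 description MWG VLAN
 ip wccp redirect exclude in

! Fail closed (valve model): on the uplink, only the MWGs may speak
! 80/443 to the Internet. If no cache engine is active in the group the
! router stops redirecting, and client web traffic is then dropped here.
! Omit this ACL (or permit any) for fail open.
ip access-list extended UPLINK-WEB-OUT
 permit tcp host 10.1.1.10 any eq 80
 permit tcp host 10.1.1.10 any eq 443
 permit tcp host 10.1.1.11 any eq 80
 permit tcp host 10.1.1.11 any eq 443
 deny   tcp any any eq 80
 deny   tcp any any eq 443
 permit ip any any
interface GigabitEthernet0/1
 description Internet uplink
 ip access-group UPLINK-WEB-OUT out

! ---------- Cisco ASA ----------
! Same service ID and key. Per the paper above the ASA forwards with GRE
! and supports hash assignment only, so choose those in the MWG GUI.
access-list WCCP-REDIRECT extended deny ip host 10.1.1.10 any
access-list WCCP-REDIRECT extended permit tcp 10.2.0.0 255.255.0.0 any eq 80
access-list WCCP-REDIRECT extended permit tcp 10.2.0.0 255.255.0.0 any eq 443
access-list WCCP-CACHES extended permit ip host 10.1.1.10 any
wccp 51 redirect-list WCCP-REDIRECT group-list WCCP-CACHES password WccpSharedSecret
wccp interface inside 51 redirect in
```

Two checks worth doing before blaming the appliance: `show ip wccp 51 detail` on IOS (or `show wccp 51 detail` on the ASA) must list every MWG as a router-side "client" with a non-zero number of assigned buckets, and `show ip wccp 51` shows the "Total Packets Redirected" counter climbing while a client browses. Both counters staying at zero usually means the service ID, the MD5 key or the group list does not match what the MWG is announcing.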
I am trying to set up WCCP on MWG 7.1.5, which now has only one option, "Proxy (optional WCCP)".
I have set up the Cisco ASA part and have also set up the MWG WCCP with the appropriate listener address, WCCP router, listener port 9099, etc.
I need some help with setting up policies. The reason we want to implement WCCP is to force all unauthenticated users (individuals who bring their own laptops and are NOT on the domain) to pass through MWG via WCCP, so we can at least scan for malware and apply some policies to that particular traffic, e.g. block nudity, block video streaming, etc.
So far I have this, and I am not sure at what level I should insert it, and what the best practice is, so that the unauthenticated traffic doesn't get blocked or flagged by other rule sets further down the chain.
The rule below, "Direct Proxy Authentication", is set to port 9090. This is for AD-authenticated users, and it is being successfully checked in the user database.
Any screenshots that would help me set up WCCP for unauthenticated traffic with some rules, e.g. malware scan, block nudity, etc., would be great.
I just had a quick look, but I would think that you need to configure "AND Proxy.Port equals 9099" instead of "OR Proxy.Port equals 9099". With "OR" the condition is most likely always true and does not depend on the port a request comes in on.
Thanks asabban. I have corrected the mistake. I am still not clear on a few things. Where do I put the rules for scanning for malware, blocking nudity, etc. only for the unauthenticated (non-proxy) traffic that has been forced back from the ASA to MWG via WCCP on port 9099, as configured? Do I place those directly under "Direct Proxy unauthenticated (WCCP)", and maybe put a Stop Cycle so it doesn't process further down to other rules?
Please see the attached image. When we configure policy-based routing on the switch, only HTTP traffic (TCP 80/443) will be routed to MWG. In this scenario, in which mode is MWG deployed, and how do we configure MWG?