6 Replies Latest reply on Nov 8, 2011 4:23 PM by productivityenhancer

    Which Wccp Mode to use

      My web gateway is plugged into a Core Cisco 4510 L3 Switch along with the Clients. I do not want to configure the proxy settings on each client.


      What WCCP mode should I use that will suit my needs to be transparent to the clients and require no client configuration?


      The firewall is also attached to the 4510.


      Thanks for the Help.

        • 1. Re: Which Wccp Mode to use


          When using WCCP you need no client configuration. Just note, integrated NTLM authentication does not work as usual when using this implementation.


          If MWG is in the same network with the core router you can use WCCP and the L2-rewrite method to redirect the packets. If MWG and your core router are not in the same network you must use IP-GRE.


          WCCP config: It is important to exclude any internal traffic from WCCP.


          Normally WCCP causes no trouble.




          • 2. Re: Which Wccp Mode to use

            What version of Web Gateway?


            You will want to use Proxy and WCCP setting. 


            I assume all your internet is going out the firewall. This is where you will want to set up your WCCP redirection. What model is the firewall? You will want to move your Web Gateway into the same vlan/subnet that your firewall is on.

            • 3. Re: Which Wccp Mode to use

              While WCCP sounds like a panacea, I know some people dealing with some Cisco WCCP bugs that dearly wish they'd gone with an explicit deployment.


              If you have a domain, specifying proxy settings for all clients is pretty easy via group policy.  Or if you have control over your DNS server in a DHCP environment,  WPAD entries can be leveraged to point clients at your Proxy auto config (PAC) file.  There will always be some software out there that handles proxies badly, so a WCCP config as a backup is not a bad idea, but if you want to minimize drama in the long term, you may wish to rethink WCCP vs explicit a bit. 



              Good luck with it!
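
An added example (not part of any post in this thread) of the PAC file approach mentioned in the reply above: two gateways listed for failover, with internal destinations sent direct. The proxy host names, port 9090 and the `.example.internal` suffix are assumed placeholders.

```javascript
// Added example PAC file; proxy names, port and internal suffix are
// assumed placeholders, not values from the thread.
var PROXIES = "PROXY mwg1.example.internal:9090; PROXY mwg2.example.internal:9090";
var INTERNAL_SUFFIX = ".example.internal";

// Convert a dotted-quad IPv4 literal to a number; null if not a literal.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True for loopback and RFC 1918 literals (127/8, 10/8, 172.16/12, 192.168/16).
function isPrivateLiteral(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  var nets = [[0x7F000000, 8], [0x0A000000, 8], [0xAC100000, 12], [0xC0A80000, 16]];
  for (var i = 0; i < nets.length; i++) {
    var size = Math.pow(2, 32 - nets[i][1]);
    if (ip >= nets[i][0] && ip < nets[i][0] + size) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";   // plain intranet names
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  if (isPrivateLiteral(host)) return "DIRECT";     // internal IP literals
  // Proxies are tried in the order listed. The list has no trailing
  // DIRECT, so it offers no unfiltered path if both gateways are down.
  return PROXIES;
}
```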

              • 4. Re: Which Wccp Mode to use

                We also use Explicit Mode when need be.  This can easily be done by telling the browser the IP and port of the proxy. This results in slower web browsing though.  We have tested many different computers and they all browse slower than our WCCP setup.  We used WPAD and PAC files also and they are a hassle and difficult to configure for failover.


                WCCP is the way to go. Works great and failover between 2 web gateways is seamless.

                • 5. Re: Which Wccp Mode to use

                  @Regis: You are absolutely right. I also use WCCP as a second possibility. Normally WCCP works great, but in many cases an explicit proxy makes for fewer headaches.


                  WCCP pros:

                  • No client configuration needed.
                  • No configuration on the client needed when using streaming (mms/rtsp/rtmp) or messaging.
                  • Load balancing, weight calculation when different appliances are used, and failover are included in WCCP.


                  WCCP contra:

                  • Integrated authentication like NTLM is not possible, because there is no proxy 407 response. Some vendors are using some tricks like faking an origin server, but this is not RFC compliant.
                  • If you want to build policies based on usernames/usergroups you have to do additional work.
                  • Troubleshooting is sometimes not so easy.


                  My opinion is to make a mixed environment based on your technical needs. Even if you are using explicit proxy systems and transparent proxy systems, you can fit them together into one managed cluster with one corporate policy. (MWG 7.x)




                  • 6. Re: Which Wccp Mode to use

                    Using WCCP here. Performance is fast, and the worst case scenario is if a box goes down, your internet traffic is unfiltered. We do use GPO to push out the certificate for SSL. We assume IE, FF, and Chrome, of which the only manual configuration would be for FF to import the cert.


                    Integrated NTLM auth is not possible when using WCCP?