When using WCCP you need no client configuration. Just note: integrated NTLM authentication does not work as usual when using this implementation.
If MWG is in the same network as the core router you can use WCCP and the L2-rewrite method to redirect the packets. If MWG and your core router are not in the same network you must use IP-GRE.
WCCP config: it is important to exclude any internal traffic from WCCP.
Normally WCCP causes no trouble.
What version of Web Gateway?
You will want to use Proxy and WCCP setting.
I assume all your internet traffic is going out through the firewall. This is where you will want to set up your WCCP redirection. What model is the firewall? You will want to move your Web Gateway into the same VLAN/subnet that your firewall is on.
While WCCP sounds like a panacea, I know some people dealing with some Cisco WCCP bugs that dearly wish they'd gone with an explicit deployment.
If you have a domain, specifying proxy settings for all clients is pretty easy via group policy. Or if you have control over your DNS server in a DHCP environment, WPAD entries can be leveraged to point clients at your Proxy auto config (PAC) file. There will always be some software out there that handles proxies badly, so a WCCP config as a backup is not a bad idea, but if you want to minimize drama in the long term, you may wish to rethink WCCP vs explicit a bit.
Good luck with it!
We also use Explicit Mode when need be. This can easily be done by telling the browser the IP and port of the proxy. This results in slower web browsing though. We have tested many different computers and they all browse slower than our WCCP setup. We used WPAD and PAC files also, and they are a hassle and difficult to configure for failover.
WCCP is the way to go. Works great, and failover between 2 web gateways is seamless.
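For the explicit-proxy path discussed above (GPO or WPAD pointing clients at a PAC file, and the failover question raised in the last post), here is an added example PAC script that is not from any poster or from MWG itself. It sends plain hostnames, the corporate domain and RFC 1918 literal IPs DIRECT (the explicit-mode counterpart of excluding internal traffic from WCCP) and lists two gateways in failover order; the domain, proxy addresses and ports are constructed placeholders, and the three helper functions are minimal stand-ins for the ones a browser provides so the script can be exercised outside a browser.

```javascript
// Added example PAC script (not from the thread or from MWG); addresses are placeholders.
// Browsers supply dnsDomainIs/isPlainHostName/isInNet themselves; these minimal
// versions exist only so the script can be tested under Node. Unlike the browser
// isInNet, this one does no DNS lookup and is only applied to literal IPv4 hosts.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function isInNet(ip, net, mask) {
  const toInt = (a) => a.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

function FindProxyForURL(url, host) {
  // Hostnames without a dot and the (placeholder) corporate domain stay internal.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // RFC 1918 literal addresses bypass the proxy, matching the advice to keep
  // internal traffic out of the redirect path.
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // The browser tries the gateways left to right and moves on when one is down.
  // No trailing DIRECT: if both gateways are unreachable, browsing fails closed
  // rather than going out unfiltered, which differs from the WCCP failure mode
  // described later in the thread.
  return "PROXY 192.0.2.10:9090; PROXY 192.0.2.11:9090";
}
```

Whether to append "; DIRECT" at the end is a policy choice: it keeps users online when both gateways are down, at the cost of unfiltered access during the outage.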
@Regis: You are absolutely right. I also use WCCP as a second possibility. Normally WCCP works great, but in many cases an explicit proxy makes fewer headaches.
- No client configuration needed.
- No configuration on the client needed when using streaming (mms/rtsp/rtmp) or messaging.
- Load balancing, weight calculation when different appliances are used, and failover are included in WCCP.
- Integrated authentication like NTLM is not possible, because there is no proxy 407 response. Some vendors use tricks like faking an origin server, but this is not RFC compliant.
- If you want to build policies based on usernames/user groups you have to do additional work.
- Troubleshooting is sometimes not so easy.
My opinion is to build a mixed environment based on your technical needs. Even if you are using explicit proxy systems and transparent proxy systems, you can fit them together into one managed cluster with one corporate policy (MWG 7.x).
Using WCCP here. Performance is fast, and the worst-case scenario is that if a box goes down, your internet traffic is unfiltered. We do use GPO to push out the certificate for SSL. We assume IE, FF, and Chrome, for which the only manual configuration would be for FF to import the cert.
Integrated NTLM auth is not possible when using WCCP?