
WCCP questions

Looking to reconfigure our Sophos Web appliances to use WCCP in an attempt to load balance traffic, but I cannot find an answer to one important question. How is web traffic handled if a computer/user is unable to authenticate? If it is a guest computer/user, is there a way to route traffic that fails authentication to a guest service group? Currently the PAC files control how this traffic is routed, and guests without a PAC file are routed to a Guest proxy. Our site network requirements are rather complicated, and manually routing traffic by IP address would be rather painful.

I have reviewed the Sophos documentation and the Cisco documentation concerning "transparent" mode and WCCP without finding an answer to this question.

Thanks in advance for any advice or thoughts.



    > How is web traffic handled if a computer/user is unable to authenticate?

    When a user fails to authenticate, the web appliance cannot determine the group membership information.  What happens to the request?  That depends on how Group Policy is set up.

    On the Configuration > Group Policy > Default Groups page, if the “Only the users/groups selected below” option is chosen, then only members of the groups under “Selected Entries” will be associated with the Default Policy.  Since membership cannot be determined, the request will be blocked.  The user will see a “Blocked request: policy violation” notification page.

    If the “All users/groups except those selected below” option is chosen, then only members of the groups under “Selected Entries” will not be associated with the Default Policy.  Since membership cannot be determined, the request will be processed further as per the default policy.


    Additional Policy overrides the above.  That is, if a rule in the Additional Policy page would apply based on the originating IP address and the request, then the request will be processed further as per the matched rule.

    Group policy is independent of deployment mode, which is why our documentation for transparent mode and WCCP does not cover this topic.

    > If it is a guest computer/user, is there a way to route traffic
    > that fails authentication to a guest service group?

    By the time the user fails to authenticate, the request has already been routed to the web appliance.  Therefore, it is too late to re-route it to somewhere else.  The request will either be allowed/warned or blocked as per group policy.

    > Currently the PAC files control how this traffic is routed and
    > guests without a PAC file are routed to a Guest proxy.
    > Our site network requirements are rather complicated and
    > manually routing traffic by IP address would be rather painful.

    So, it sounds like you have multiple web appliances.  If so, you could potentially enable the WCCP service on the router to
    (1) limit for which IP addresses the WCCP service will redirect port 80 traffic, and
    (2) limit to which web appliances the WCCP service will route port 80 traffic.

    Check out the redirect-list and group-list options in Cisco documentation for more information.

    Ideally, if you have control over what IP addresses will be assigned to your guest users, then using our custom group in our group policy to control browsing behaviour is an easier approach.

    Hope this helps.

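To illustrate the redirect-list and group-list approach described in the reply above, here is an added Cisco IOS configuration fragment (example configuration written for this thread, not taken from the Sophos or Cisco documentation). The subnets, appliance addresses, ACL names and password are constructed placeholders; it assumes the standard `web-cache` WCCP service (port 80) and a single inside interface.

```text
! --- Constructed example: which clients get intercepted ---
! redirect-list decides whose port 80 traffic the router hands to WCCP.
! Guest VLAN (10.20.0.0/16, placeholder) is denied, so guests are NOT
! intercepted and keep reaching the Guest proxy via PAC/explicit settings.
! Corporate VLAN (10.10.0.0/16, placeholder) is redirected to the appliances.
ip access-list extended WCCP-REDIRECT
 remark deny first: guest clients bypass transparent interception
 deny   tcp 10.20.0.0 0.0.255.255 any eq www
 permit tcp 10.10.0.0 0.0.255.255 any eq www
 deny   ip any any

! --- Constructed example: which appliances may join the service group ---
! group-list restricts the cache-engine addresses the router will accept.
! Without it, any host that speaks WCCP to the router could register and
! start receiving redirected client traffic.
ip access-list standard WCCP-APPLIANCES
 permit 192.0.2.10
 permit 192.0.2.11

! Bind both lists to the web-cache service; the password is an MD5 shared
! secret between router and appliances (placeholder value shown).
ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-APPLIANCES password 0 PLACEHOLDER-SECRET

! Apply interception on the client-facing interface (inbound direction).
interface GigabitEthernet0/1
 description Inside LAN (clients)
 ip wccp web-cache redirect in
```

Verify with `show ip wccp web-cache detail`: only the two appliance addresses should appear as usable cache engines, and a guest host's HTTP request should not increment the redirect counters.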