most common deployment option uses a single physical interface inserted in a firewalled
DMZ network segment. An alternative approach is to use two interfaces: one located in the
DMZ to send and receive email traffic, and another connected to an inside network to
deliver mail to internal mail servers. With either approach, it is recommended to use
static Network Address Translation (NAT) on the Internet firewall to translate the
public address into a private address located in the DMZ.
Cisco IronPort WSA
IronPort Web Security Appliances (WSA) are designed to monitor and mitigate abnormal
web traffic between users and the public Internet. The WSA acts as a web proxy for the
corporate users residing on the internal network segments and is logically placed in the
path between the users and the internet. There are three ways to implement the WSA, two
of which require internet browser customizations.
Table 13-2 describes the Cisco IronPort WSA mode options.

Table 13-2 IronPort WSA Modes

| Cisco IronPort WSA Mode | Description |
|---|---|
| Explicit mode with proxy auto-configuration (PAC) files | Proxy information stored in PAC. Automatic download of PAC to browser using DHCP/DNS. Supports redundancy; multiple WSAs listed in PAC. |
| Explicit mode without PAC files | Requires changes to every browser. Configuration of browser to point to the WSA as its proxy. Does not support redundancy. |
| Transparent mode with Web Cache Communication Protocol (WCCP) | Web traffic transparently directed to WSA using WCCP redirection. No changes to browser necessary. Requires configuration of WCCP-enabled FW/Router/L3 switch to point traffic to WSA. Supports load sharing and redundancy. |

It is recommended to use explicit mode with PAC files for testing and then transition to
WCCP for final implementation. The PAC file implementation is much easier to deploy
during testing than WCCP because you only need to modify the test browser's proxy
settings; however, WCCP mode is much more elegant in the long run because you do not
need to modify every user's browser settings.
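
The PAC redundancy described in Table 13-2 can be sketched as follows. This is an added example, not taken from the book or from Cisco documentation: the appliance names, port 3128, the internal DNS suffix, and the choice to send internal destinations DIRECT are all assumptions. It lists two WSAs so the browser fails over to the second, and omits a trailing DIRECT so Internet traffic cannot bypass the proxies when both are unreachable.

```javascript
// Added example PAC file for explicit mode with two WSAs.
// Plain JavaScript only, so it runs in a browser PAC engine and in Node.
var WSA_PROXIES = ["wsa1.corp.example:3128", "wsa2.corp.example:3128"]; // hypothetical appliances
var INTERNAL_SUFFIX = ".corp.example"; // hypothetical internal DNS zone
var FAIL_OPEN = false; // false: no DIRECT fallback, so traffic cannot bypass the WSAs

// True when host is a dotted-quad literal in loopback or RFC 1918 space.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Internal destinations skip the proxy. The suffix keeps its leading dot so
// that a look-alike such as "evilcorp.example" is not treated as internal.
function isInternal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true; // intranet short name
  if (host === INTERNAL_SUFFIX.slice(1)) return true;
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  return isPrivateIPv4(host);
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  var chain = WSA_PROXIES.map(function (p) { return "PROXY " + p; });
  if (FAIL_OPEN) chain.push("DIRECT"); // only if availability outranks filtering
  return chain.join("; ");
}
```

The browser tries the entries in the returned string from left to right, which is how listing multiple WSAs in the PAC provides redundancy.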
 
 