We are getting ready to implement a new BlueCoat SG-250 web proxy appliance on our network, but I'm not sure of the best place to put it in relation to my firewall. One of the network admins in my shop thinks that we should connect it to an additional interface on our perimeter router which is just in front of the firewall. We can then configure WCCP on the router to pass web traffic to the proxy and eliminate an "inline" configuration that would cause users not to be able to surf the net in case the proxy was down.
However, we can accomplish the same with the Cisco ASA firewall that we have in place that supports WCCP as well. My thinking is that we can connect it to one of the DMZ interfaces and use WCCP to accomplish the same thing.
Another one of network admins in the shop suggested connecting it to the core switch and using WCCP there, with the idea that you can eliminate a lot of traffic hitting the perimeter router and firewall.
Any opinions as the best and most secure way of implementing a proxy in this environment?