Solved

When the web proxy was deployed using WCCP, on Production datacenter and Redundancy datacenter, how can I set up an automatic or semi-automatic method for fail-over and fail-back?

Posted on 2016-10-13
7
37 Views
Last Modified: 2016-11-07
Hello team,

Now days we have deployed our organizational web proxy as explicit proxy.

Datacenter side:
We have two datacenters, one for production and one for redundancy. We have one web proxy on each datacenter. All users go to Internet through on proxy at a time (i.e. production web proxy in normal conditions).
Our core switch of the production DC is a Cisco Nexus 7000, and of the redundancy DC is a Cisco Catalyst 4500.
At mid days of november we will upgrade the core switch of the redundancy DC to a Cisco Nexus 9000.
Both datacenters are geographically dispersed.

User side:
By Active Directory GPO, we have set the proxy configuration on IE using a DNS name (A register) for the proxy hostname. We also manage the exceptions and other browser settings by GPO.
All the offices (headquarters and branches) are connected to the datacenter through WAN links.
On each office we have a Cisco ISR Router for the WAN link.

Current fail-over and fail-back methods:
When the production web proxy got offline or have to enter into maintenance, we manually change the IP address of the A register of the web proxy on the DNS for the IP address of the redundancy web proxy. And then we force the DNS zone replication between all the domain controllers through the entire network.

What we're planning to do:
We're planning to deploy the organizational web proxy using WCCP, in order to make it a transparent proxy.

Our question:
Would you provide us with:
  1. Examples of how to set up an automatic or semi-automatic method for fail-over and fail-back compatible with our Cisco communication infrastructure; and,
  2. A pros-cons comparison between explicit proxy and and transparent proxy (WCCP).
Deployment-Diagram.jpg
0
Comment
Question by:usaroc82
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41843934
You must use proxy.pac or DNS load balancing.
0
 

Author Comment

by:usaroc82
ID: 41843987
Hello gheist.

The problem we see when using PAC or WPAD files is that many desktop applications that take the proxy configuration from the IE does not understand or support PAC/WPAD file. So we got a lot of work doing like that.

As mentioned in my question we're moving to transparent proxy. At this time we have explicit proxy, and we use DNS for the fail over, and yes, it is pretty easy to do the fail-over and fail-back. So, what we need now is to know a method to do the fail-over and fail-back when using WCCP, considering that all the Internet Web traffic have to go through the production proxy (main DC), in normal conditions.
0
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41845107
most enterprises will use another management server that does this for you. F5 comes to mind immediately
0
Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points (awarded by participants)
ID: 41845244
All applications using wininet.dll (Internet explorer settings) perfectly support WPAD and PAC
Problem applications are those which do not support any kind of javascript, there DNS balancing (well just multiple IPs for same host name) should perfrom better.
There are applications which will never fail over, here you can calculate F5 cost vs gain of them having 24x7 net connection.
0
 

Author Comment

by:usaroc82
ID: 41846122
Hello team. Maybe I have not been clear. Our two web proxies (the one in the production datacenter and the one on the redundancy datacenter) are deployed in explicit mode. We are going to deploy those two web proxies in transparent mode (by using WCCP) because we have been required to, not for getting a fail-over method, we already have a fail-over and a fail-back method (DNS round robin) in explicit mode.

As we will have our two web proxies deployed by using WCCP, we need to know how to force all the web traffic coming from all the offices (please check the attached diagram) to go to Internet through the production proxy alone, and having that, we need to know feasible methods for fail-over and fail-back between datacenters, regarding the transparent proxy.
0
 
LVL 62

Accepted Solution

by:
gheist earned 250 total points (awarded by participants)
ID: 41848885
Fallback from transparent proxy is bypass...
0
 
LVL 62

Expert Comment

by:gheist
ID: 41876848
Thats all options. If bypass is not an option then PAC/WPAD should be good approximation of 'transparent'
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question