Skyhigh Security

Redirecting Web Traffic Under WCCP

When implementing the explicit proxy mode on a Web Gateway appliance, you can configure the redirection of web traffic to Web Gateway under WCCP (Web Cache Communication Protocol). Use of this protocol considerably enhances the capabilities for load balancing and failover.

To enable redirection under WCCP, a suitable router must be placed between the client systems of the users in your network and the web. The router redirects requests for web access from the clients that are directed to particular ports to the Web Gateway appliance.

The router is also referred to as the WCCP device. Instead of a router, you can also use a switch as WCCP device.

On the appliance, you must configure a WCCP service. When configuring this service, you specify a service ID, the IP address of the router, the ports that requests are redirected from, and other information.

Multiple appliances can connect to the same router under WCCP for load balancing and failover. The appliances must be configured as nodes in a Central Management configuration and a WCCP service must be configured on each of them.

The redirection happens transparently, which means users are not aware that their requests are redirected.

When the response to a request is received from a web server, Web Gateway forwards it to the client, using (spoofing) the IP address of the web server.

To start working with the router, Web Gateway subscribes to it. The router is not aware of Web Gateway until the subscription happens. No settings must be configured on the router to inform it about Web Gateway.

Communication between Web Gateway and the router

Under WCCP, data packets are exchanged to subscribe, negotiate settings, and as health checks. Web Gateway sends a "Here I Am" packet to the router and forwards the configured settings. These settings include the ports for redirection, the ID of the WCCP service, the IP address that traffic should be redirected to, and other information.

The router acknowledges with an "I See You" packet that the subscription has been successful and includes the router ID, which is the highest interface IP address on the router.

If a router does not receive a "Here I Am" packet over more than 25 seconds, it sends a removal query, requesting that Web Gateway respond immediately. If no response is received within another 5 seconds, Web Gateway is considered offline and removed from the pool of WCCP partners.
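The subscription and health-check exchange described above, as an added example that models the router side of it (this is illustrative code, not part of the Web Gateway product or the WCCP implementation). The 25-second silence threshold and the 5-second reply window come from the text; the 10-second "Here I Am" interval of the healthy appliance and the IP addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

HERE_I_AM_TIMEOUT = 25   # seconds of silence before the router sends a removal query (from the text)
REMOVAL_QUERY_GRACE = 5  # seconds the router waits for the forced reply (from the text)


@dataclass
class Member:
    ip: str
    last_here_i_am: float
    removal_query_sent_at: Optional[float] = None


@dataclass
class WccpRouter:
    """Router-side view of its WCCP partners: who is subscribed and when it last spoke."""
    router_id: str                      # highest interface IP address on the router
    members: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def here_i_am(self, ip: str, now: float) -> str:
        """A Web Gateway sent 'Here I Am': subscribe it, or refresh its timer if known."""
        if ip not in self.members:
            self.members[ip] = Member(ip, now)
            self.log.append(f"{now:.0f}s I See You -> {ip} (router_id={self.router_id})")
        else:
            m = self.members[ip]
            m.last_here_i_am = now
            m.removal_query_sent_at = None   # a reply also answers a pending removal query
        return "I See You"

    def tick(self, now: float) -> list:
        """Run the router's timers once; returns the partners removed at this tick."""
        removed = []
        for ip, m in list(self.members.items()):
            if m.removal_query_sent_at is None:
                if now - m.last_here_i_am > HERE_I_AM_TIMEOUT:
                    m.removal_query_sent_at = now
                    self.log.append(f"{now:.0f}s Removal Query -> {ip}")
            elif now - m.removal_query_sent_at > REMOVAL_QUERY_GRACE:
                del self.members[ip]
                removed.append(ip)
                self.log.append(f"{now:.0f}s removed {ip} from WCCP pool")
        return removed


def simulate() -> WccpRouter:
    """Three appliances: one keeps announcing, one answers the removal query late
    but within the grace period, one stays silent and is dropped."""
    router = WccpRouter("10.0.0.254")                # constructed addresses
    healthy, laggy, silent = "10.0.0.11", "10.0.0.12", "10.0.0.13"
    for ip in (healthy, laggy, silent):
        router.here_i_am(ip, 0)
    for now in range(1, 40):
        if now % 10 == 0:
            router.here_i_am(healthy, now)           # assumption: announces every 10 s
        if now == 28:
            router.here_i_am(laggy, now)             # replies 2 s after the query sent at 26 s
        router.tick(now)
    return router


if __name__ == "__main__":
    for line in simulate().log:
        print(line)
```

Watching the log shows the two-stage removal: the silent appliance is queried at 26 s and dropped at 32 s, while the laggy one survives because its reply arrives inside the 5-second window.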

Load balancing and failover

In a WCCP configuration with multiple Web Gateway appliances, the first appliance that connects to the router distributes workload to the other appliances. Portions of workload that are distributed are also known as "buckets" in WCCP terminology.

When an appliance goes offline or returns, buckets are immediately reassigned. If the appliance that is currently assigning buckets goes offline, another appliance takes over its role.
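Bucket distribution and the hand-over of the assigning role, as an added example (illustrative code, not the product's own assignment logic). The text gives the behaviour: the first appliance to connect assigns buckets, buckets move when a node leaves or returns, and the next appliance takes over when the assigner goes offline. The 256-bucket table size, the round-robin assignment, the SHA-256 stand-in for the hash and the addresses are assumptions made here.

```python
import hashlib

BUCKETS = 256  # assumption: WCCPv2 hash assignment uses a 256-entry bucket table


def bucket_for(dest_ip: str) -> int:
    """Map a destination address to a bucket. A hash stand-in, not the router's real hash."""
    return hashlib.sha256(dest_ip.encode()).digest()[0]


class WccpPool:
    """Appliances subscribed to one router, in subscription order, and the bucket table."""

    def __init__(self):
        self.join_order = []   # first entry is the appliance currently assigning buckets
        self.table = {}        # bucket -> appliance IP

    @property
    def assigner(self):
        return self.join_order[0] if self.join_order else None

    def join(self, ip: str) -> int:
        """Appliance subscribes (or returns); returns how many buckets changed owner."""
        if ip not in self.join_order:
            self.join_order.append(ip)
        return self._rebalance()

    def leave(self, ip: str) -> int:
        """Appliance goes offline; its buckets are reassigned immediately."""
        if ip in self.join_order:
            self.join_order.remove(ip)
        return self._rebalance()

    def _rebalance(self) -> int:
        old = self.table
        n = len(self.join_order)
        # round-robin spread over the current members (constructed policy)
        self.table = {b: self.join_order[b % n] for b in range(BUCKETS)} if n else {}
        return sum(1 for b in range(BUCKETS) if old.get(b) != self.table.get(b))

    def load(self) -> dict:
        """Buckets per appliance."""
        counts = {ip: 0 for ip in self.join_order}
        for owner in self.table.values():
            counts[owner] += 1
        return counts

    def gateway_for(self, dest_ip: str):
        """Which appliance receives a redirected request; None means no appliance is
        available and the router passes the request through unredirected."""
        if not self.table:
            return None
        return self.table[bucket_for(dest_ip)]


if __name__ == "__main__":
    pool = WccpPool()
    for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):   # constructed addresses
        pool.join(ip)
    print("assigner:", pool.assigner, "load:", pool.load())
    print("moved on failure of assigner:", pool.leave("10.0.0.11"))
    print("assigner:", pool.assigner, "load:", pool.load())
    print("203.0.113.7 ->", pool.gateway_for("203.0.113.7"))
```

The `load()` figures show why an odd number of buckets cannot split exactly evenly, and `gateway_for()` returning `None` for an empty pool is the fail-open case the next section describes.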

We do not recommend using WCCP when the router, client systems, or the Web Gateway appliances are separated by a device that uses the method known as source NATing to handle client traffic. This method impacts the performance of load balancing under WCCP. It also prevents you from configuring rules for user authentication based on time or client IP addresses.

Fail-open and fail-closed strategies

If use of the WCCP protocol is configured on the router and no Web Gateway appliance is available, the router lets requests for web access pass through without redirection. This behavior follows a strategy known as the fail-open strategy.

If you have a firewall in your network, you must configure it to allow requests for web access with any source IP addresses to enable this strategy. Requests can then go out to the web directly.

Under a fail-closed strategy, requests are blocked if no Web Gateway appliance is available to redirect them to. For this strategy to work, you must configure the firewall to allow only requests with source IP addresses belonging to Web Gateway.
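The two firewall policies side by side, as an added example that evaluates first-match egress rules for both strategies and traces what happens to a client request with and without an available appliance (illustrative code written for this page, not a firewall or Web Gateway configuration format). The gateway and client addresses and the web ports are constructed assumptions.

```python
import ipaddress

# Constructed addressing: two Web Gateway appliances, clients in 10.0.0.0/8
WEB_GATEWAYS = ["10.0.0.11/32", "10.0.0.12/32"]
WEB_PORTS = (80, 443)

# Rule = (source network, destination ports, action); first match wins.
FAIL_OPEN_RULES = [
    ("0.0.0.0/0", WEB_PORTS, "allow"),     # any source may reach the web directly
]
FAIL_CLOSED_RULES = [
    (gw, WEB_PORTS, "allow") for gw in WEB_GATEWAYS
] + [
    ("0.0.0.0/0", WEB_PORTS, "deny"),      # everything not coming from an appliance is blocked
]
POLICIES = {"fail-open": FAIL_OPEN_RULES, "fail-closed": FAIL_CLOSED_RULES}


def egress_decision(rules, src_ip: str, dst_port: int) -> str:
    """Evaluate ordered firewall rules; unmatched traffic is denied by default."""
    src = ipaddress.ip_address(src_ip)
    for net, ports, action in rules:
        if src in ipaddress.ip_network(net) and dst_port in ports:
            return action
    return "deny"


def trace_request(strategy: str, appliance_available: bool, client_ip: str, dst_port: int = 443) -> dict:
    """Follow one client web request through the router and the firewall."""
    rules = POLICIES[strategy]
    if appliance_available:
        # Router redirects to an appliance; the appliance's own address leaves via the firewall.
        egress_src = WEB_GATEWAYS[0].split("/")[0]
        path = "redirected to Web Gateway"
    else:
        # No appliance subscribed: the router passes the request through unchanged.
        egress_src = client_ip
        path = "passed through by router"
    return {"path": path, "egress_source": egress_src,
            "firewall": egress_decision(rules, egress_src, dst_port)}


if __name__ == "__main__":
    for strategy in POLICIES:
        for up in (True, False):
            print(strategy, "appliance up" if up else "no appliance", trace_request(strategy, up, "10.1.2.3"))
```

The trace also makes visible what the fail-open rule set costs: because any source may leave on the web ports, a client that is not redirected (for example, one whose port is not in the WCCP service) reaches the web unfiltered even while the appliances are up, so the client-side rules should be reviewed with that in mind.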

Using WCCP only or as fallback solution

You can use the explicit proxy mode with WCCP as your only network mode solution, which means all web traffic is handled in this mode. You can also use it as a fallback solution for special use cases in an explicit proxy configuration, for example, to deal with applications that do not recognize proxy settings. Another use case would be handling web traffic in a Wi-Fi network segment where users can bring their own devices.

As best practice, we recommend using two different proxy ports. Configure one for handling web traffic in explicit proxy mode with WCCP, and one for handling it without WCCP. Following this practice allows you to use the property for proxy ports in the criteria of web security rules.
