WCCP

Note: The WCCP configuration options appear on the Configure pane only if you have enabled WCCP in the Features table on the Configure > My Proxy > Basic > General tab.

The options defined in the wccp.config configuration file control the use of WCCP with Content Gateway. Entries should be defined and maintained using the editor provided on Configure > Networking > WCCP.

Administrators should have a good working knowledge of WCCP. Only WCCP v2 is supported.

It is recommended that you consult the documentation and the manufacturer’s support site for information regarding optimal configuration and performance of your WCCP v2 device. Most devices should be configured to take best advantage of hardware-based redirection. With Cisco devices, the most recent version of IOS is usually best.

For every active WCCP service group, there must be a corresponding ARM redirection rule. See ARM.

For a complete description of Content Gateway support for WCCP v2, see Transparent interception with WCCP v2 devices.

Option Description

WCCP Service Groups

Displays a table of the service groups defined in the wccp.config file. WCCP service group configuration defines WCCP behavior. Column fields are explained in the Configuration Editor entries below.

Refresh

Refreshes the table to display the current definitions in the wccp.config file.

Edit File

Opens wccp.config in the configuration file editor.

Synchronize in the Cluster

When there are several Content Gateway nodes in a cluster:

Enable this option to cause the WCCP configuration (wccp.config) to be synchronized in the cluster. This allows configuration changes to be made on any node in the cluster.

Disable this option to cause the WCCP configuration to not be synchronized in the cluster. This requires that changes to the WCCP configuration be made individually on each node. A common use case for this is to control which service groups are enabled/disabled on each node, and to use proportional load distribution with weight.

If after being disabled this option is enabled, the configuration on the node on which the option is enabled is used to initially synchronize the cluster.

  wccp.config Configuration File Editor
Service group display box

Lists the WCCP service group definitions. Select an entry in the list to edit it.

Use the “X” button to delete the selection.

List order has no meaning; therefore, the up and down arrows can be ignored.

Add

Adds a new service group definition. After Add is clicked, the new definition is displayed in the box at the top of the page.

Set

Accepts modifications to the selected service group definition, displaying the new values in the box at the top of the page.

  Service Group Information
Service Group Status

Enables or disables the service group.

If you change this option, you must restart Content Gateway.

Service Group Name

Specifies a unique service group name. This is an aid to administration.

Service Group ID

Specifies a service group ID between 0 and 255. This ID must also be configured on the router(s).

If the specified number is already in use, an error is displayed when Add or Set is clicked.

Protocol

Specifies the protocol, TCP or UDP, that applies to this service group.

Ports

Specifies the ports the service group will use.

Select Specify ports to list up to 8 ports in a comma-separated list.

Select All ports to redirect traffic from all ports.

Network Interface

Specifies the Ethernet interface on this Content Gateway host system to use with this service group. On Forcepoint appliances, use the CLI command ‘show interface info’ to view the logical name to physical interface bindings.

  Mode Negotiation
Special Device Profile

Select ASA Firewall to specify that traffic is routed to the proxy by a Cisco ASA firewall. When this option is selected, GRE is automatically selected as the Packet Forward Method and Packet Return Method. These settings are required and cannot be changed.

Packet Forward Method

Specifies the preferred encapsulation method used by the WCCP router to transmit intercepted traffic to the proxy. If the router supports GRE and L2, the method specified here is used.

Important:

GRE and Multicast are incompatible.

If you change the forward or return method configuration while there is an active connection with the WCCP device, you must force the current connection to terminate in order to renegotiate the method. Typically, this means turning off the service group on the WCCP device for 60 seconds. See the documentation for your WCCP device.

Packet Return Method

Specifies the preferred packet encapsulation method used to return rejected or declined traffic to the WCCP router.

Note:

If Content Gateway is configured with a Forward/Return method that the router does not support, the proxy attempts to negotiate a method supported by the router.

Selecting L2 requires that the router or switch be Layer 2-adjacent (in the same subnet) as Content Gateway.

  Advanced Settings
Assignment Method

Specifies the method that the router will use to distribute intercepted traffic across multiple proxy servers. Choices are HASH and MASK.

The MASK value is applied up to 6 significant bits (in a cluster, a total of 64 buckets are created).

See your WCCP documentation for more information about assignment method. Use the value recommended in the manufacturer’s documentation for your device.

Distribution attribute(s)

Specifies the attribute that the assignment method uses to determine which requests are distributed to which proxy servers.

If the assignment method is HASH, select one or more distribution attributes.

If the assignment method is MASK, select one distribution attribute.

Weight

This option is only useful when Synchronize in the Cluster is disabled.

Specifies the distribution of requests to servers in a cluster by proportional weighting. Set weight to a value that is the desired proportion of the total flow of traffic.

When all cluster members have a value of 0 (the default), distribution is equal. If any member has a non-zero value, distribution is proportional, relative to the weight values of the other members. Members that continue to have a value of zero receive no traffic.

See WCCP load distribution.
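The weight rules above (all zeros means equal shares; any non-zero weight makes distribution proportional and leaves zero-weight members with no traffic) can be checked before changing a node's configuration. The following is an added example, not Content Gateway's own code, that models how the 64 MASK buckets mentioned under Assignment Method would be split between cluster members under those rules; member names and the rounding of leftover buckets are assumptions made here for illustration.

```python
from typing import Dict

# Added example, not Content Gateway's own code: models the Weight semantics
# described in this reference for the MASK assignment method, where up to 6
# significant bits give 64 buckets that the WCCP router spreads over members.
BUCKETS = 64


def bucket_shares(weights: Dict[str, int], buckets: int = BUCKETS) -> Dict[str, int]:
    """Return how many of the buckets each cluster member is assigned.

    All weights 0 (the default): equal distribution.
    Any non-zero weight: proportional to weight; members left at 0 get nothing.
    Buckets are whole numbers, so leftovers go to the members whose exact
    share has the largest fractional part (ties broken by member name).
    """
    if not weights:
        raise ValueError("no cluster members")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weight must be >= 0")
    if all(w == 0 for w in weights.values()):
        effective = {m: 1 for m in weights}          # equal shares
    else:
        effective = dict(weights)                    # zero-weight members stay at 0
    total = sum(effective.values())
    shares = {m: (w * buckets) // total for m, w in effective.items()}
    leftover = buckets - sum(shares.values())
    # Only a non-zero weight can produce a non-zero fractional part, so
    # zero-weight members never receive leftover buckets.
    by_fraction = sorted(effective, key=lambda m: (-((effective[m] * buckets) % total), m))
    for m in by_fraction[:leftover]:
        shares[m] += 1
    return shares
```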

Reverse Service Group ID

For use when IP spoofing is enabled.

When IP spoofing is enabled, the proxy advertises a reverse service group for each enabled WCCP forward service group. The reverse service group must be applied along the return path of origin server responses to the proxy.

  Router Information
Security (optional)

Enables or disables security so that the router and Content Gateway can authenticate each other.

If you enable security in Content Gateway, you must also enable security on the router. See your router documentation.

If you change this option, you must restart Content Gateway.

Security:Password

Specifies the password used for authentication. The password must be the same password as that configured on the router for the associated service group ID and can be a maximum of eight characters long.

If you change this option, you must restart Content Gateway.

Multicast (optional)

Enables or disables WCCP multicast mode.

Important: Cannot be used with GRE packet Forward/Return method.

If you change this option, you must restart Content Gateway.

Multicast: IP Address

Specifies the multicast IP address.

If you change this option, you must restart Content Gateway.

WCCP Routers: Router IP Address

Specifies the IP addresses of up to 10 WCCP v2-enabled routers.

If ASA Firewall was selected as the Special Device Profile, entries should include both the router IP Address and the WCCP router ID, separated by /.

A total of 24 WCCP routers across all service groups is supported if the Packet Forward Method or Packet Return Method is GRE. An IP address for the local GRE tunnel endpoint for each router must also be provided.

If you change this option, you must restart Content Gateway.

WCCP Routers: Local GRE Tunnel Endpoint IP Address

If GRE is selected for Packet Return Method, also specify Local GRE Tunnel Endpoint IP Addresses, except when the device is an ASA firewall.

These are Content Gateway tunnel endpoints for the associated Router IP Addresses.

A Local GRE Tunnel Endpoint IP Address:

  • Must be unique for every router in the table
  • Must not be assigned to any other device
  • Must be a routable IP address
  • Should reside on the same subnet as the proxy. If it is not, you must define a route for it.
  • Is not intended to be a client-facing proxy IP address
  • Is bound to the physical interface specified for the service group (on Forcepoint appliances, use the CLI command ‘show interface info’ to view the logical name to physical interface bindings).

WCCP Routers: GRE Tunnel Next Hop Router IP Address

Specify a GRE Tunnel Next Hop Router IP Address (must be in IPv4 format) when GRE Packet Return Method is configured and Content Gateway does not have a route back to the WCCP router. You can use “ping” to test connectivity to the router.
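Several of the limits in the Service Group Information, Mode Negotiation and Router Information entries above (ID range and uniqueness, at most 8 listed ports, GRE and Multicast being incompatible, the 8-character password, 10 routers per service group, 24 routers in total with GRE, and one unique, routable local GRE tunnel endpoint per router) are only reported by the editor or after a restart. The following is an added example, not Content Gateway's own code, of a static check of those stated limits over a service group definition; the ServiceGroup field names and the proxy subnet argument are assumptions made here, not the wccp.config format.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional
# Added example, not Content Gateway's own code: a static check of the limits this
# reference states, run over a wccp.config change before the restart most options need.
@dataclass
class ServiceGroup:                       # field names are assumptions for illustration
    name: str
    group_id: int
    ports: Optional[List[int]]            # None means "All ports"
    routers: List[str]                    # WCCP router IP addresses
    forward: str = "GRE"                  # Packet Forward Method: GRE or L2
    ret: str = "GRE"                      # Packet Return Method: GRE or L2
    asa_firewall: bool = False            # Special Device Profile: ASA Firewall
    multicast: bool = False
    password: str = ""                    # Security: Password
    gre_endpoints: List[str] = field(default_factory=list)

def validate(groups: List[ServiceGroup], proxy_subnet: str) -> List[str]:
    """Return the problems found; an empty list means the configuration passes."""
    errors, ids, gre_routers = [], set(), 0
    net = ip_network(proxy_subnet)
    for g in groups:
        p = f"{g.name}: "
        if not 0 <= g.group_id <= 255 or g.group_id in ids:
            errors.append(p + f"service group ID {g.group_id} out of range or already in use")
        ids.add(g.group_id)
        if g.ports is not None and len(g.ports) > 8:
            errors.append(p + "Specify ports allows at most 8 ports")
        if g.multicast and "GRE" in (g.forward, g.ret):
            errors.append(p + "GRE and Multicast are incompatible")
        if len(g.password) > 8:
            errors.append(p + "security password longer than 8 characters")
        if len(g.routers) > 10:
            errors.append(p + "at most 10 WCCP routers per service group")
        if "GRE" in (g.forward, g.ret):
            gre_routers += len(g.routers)
        if g.ret == "GRE" and not g.asa_firewall:   # ASA needs no local endpoints
            if len(set(g.gre_endpoints)) != len(g.routers):
                errors.append(p + "one unique local GRE tunnel endpoint is required per router")
            for ep in g.gre_endpoints:
                addr = ip_address(ep)
                if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
                    errors.append(p + f"GRE endpoint {ep} is not a routable address")
                elif addr not in net:
                    errors.append(p + f"GRE endpoint {ep} is off the proxy subnet; a route is required")
    if gre_routers > 24:
        errors.append(f"{gre_routers} routers with GRE exceeds the limit of 24 across all service groups")
    return errors
```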