Provide router information

Note: It may take up to a minute for the router to report that a new proxy server has joined a service group.

Steps

  1. To use optional WCCP authentication, under Security, select Enabled and enter the same password used for service group authentication on the router. See Enabling WCCP v2 security on the router.
  2. To run in multicast mode, under Multicast, select Enabled and enter the multicast IP address. The multicast IP address must match the multicast IP address specified on the router. See Transparent interception and multicast mode.
    Important: The GRE Packet Forward/Return method cannot be used with multicast mode.
  3. Under WCCP Routers, specify up to 10 Router IP Addresses. These routers must be configured with a corresponding service group.

    If ASA_Firewall was selected as the Service Device Profile, enter both the router IP Address and the WCCP router ID, separated by /, in the Router IP Address column.

    If GRE is selected for Packet Forward Method, also specify a unique Local GRE Tunnel Endpoint IP address for each router (not required for ASA firewall), and optionally, a GRE Tunnel Next Hop Router IP Address.

    The Local GRE Tunnel Endpoint IP address is the Content Gateway tunnel endpoint for the associated Router IP Address.

    The Local GRE Tunnel Endpoint IP Address:

    • Must be unique and not assigned to any device
    • Must be a routable IP address
    • Should reside on the same subnet as the proxy. If it is not, you must define a route for it.
    • Is not intended to be a client-facing proxy IP address
    • Is bound to the physical interface specified for the service group (on Forcepoint appliances use the CLI command “show interface info” to view the logical name to physical interface bindings)

    When GRE Packet Return Method is configured and Content Gateway does not have a route back to the WCCP router, specify a GRE Tunnel Next Hop Router IP Address. The IP address must be in IPv4 format.

    You can use “ping” to test connectivity to the router.

    • From Content Gateway, ping each router defined in the service group (in the Router IP Address field).
    • If ping doesn’t return a response, you need to define a GRE Tunnel Next Hop to that router. Intervening routers must have a route to the WCCP router, or a next hop.
    Note: WCCP routers that have multiple interfaces assign the Router ID to the interface with the numerically highest IP address. Content Gateway must be able to connect to the router ID to negotiate the method. To ensure connectivity and that the router ID doesn’t change unexpectedly, it is a best practice to make the router loopback address the highest IP address. This also ensures that traffic and statistics reported on the Monitor > Networking > WCCP page are reported against a known router ID.
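The constraints in the steps above can be checked on a planned router table before it is entered in the manager. The following Python sketch is an added example, not Forcepoint code; the function names, dictionary keys and sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

MAX_ROUTERS = 10  # the page allows up to 10 Router IP Addresses

def check_service_group(proxy_if, routers, forward="GRE", multicast=False,
                        asa=False, in_use=()):
    """Return findings for a planned WCCP router table (hypothetical helper)."""
    findings = []
    iface = ipaddress.ip_interface(proxy_if)      # proxy address as 'ip/prefix'
    taken = {ipaddress.ip_address(i) for i in in_use} | {iface.ip}
    if forward == "GRE" and multicast:
        findings.append("GRE forward/return cannot be used with multicast mode")
    if len(routers) > MAX_ROUTERS:
        findings.append(f"{len(routers)} routers listed; maximum is {MAX_ROUTERS}")
    for r in routers:
        name = r["router"]
        if asa and "/" not in name:
            findings.append(f"{name}: ASA profile needs 'router IP/router ID'")
        if forward == "GRE" and not asa:          # endpoint not required for ASA
            gre = r.get("local_gre")
            if gre is None:
                findings.append(f"{name}: missing Local GRE Tunnel Endpoint")
            else:
                ep = ipaddress.ip_address(gre)
                if ep in taken:                   # duplicate, in use, or the proxy IP
                    findings.append(f"{name}: endpoint {gre} is not unique/unassigned")
                taken.add(ep)
                if ep not in iface.network:
                    findings.append(f"{name}: endpoint {gre} is off the proxy subnet; define a route")
        hop = r.get("next_hop")
        if hop and ipaddress.ip_address(hop).version != 4:
            findings.append(f"{name}: next hop {hop} must be IPv4")
    return findings

def expected_router_id(interface_ips):
    """Router ID per the note above: the numerically highest interface IP."""
    return str(max(ipaddress.IPv4Address(i) for i in interface_ips))

# Constructed sample table: a reused endpoint, an off-subnet endpoint, an IPv6 next hop.
SAMPLE = [
    {"router": "198.51.100.1", "local_gre": "192.0.2.20"},
    {"router": "198.51.100.2", "local_gre": "192.0.2.20", "next_hop": "192.0.2.1"},
    {"router": "198.51.100.3", "local_gre": "203.0.113.5", "next_hop": "2001:db8::1"},
]
if __name__ == "__main__":
    for finding in check_service_group("192.0.2.10/24", SAMPLE):
        print(finding)
```

Comparing the result of expected_router_id with the router's loopback address shows whether the loopback is actually the address the router will advertise as its ID.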