Configuring a service group (editing wccp.config)

Help | Content Gateway | v8.4.x

Open the file and define the service group

On the Configure > Networking > WCCP page, click Edit File to open wccp.config in the editor.

Defined service groups are summarized at the top of the page.

Click an entry in the list to view its complete details, modify, or reposition it.

When an entry is selected, the down and up arrows to the left of the list reposition the entry in the list.

Click X to delete a selected entry.

For each service group, enter the following information:

To enable a service group, set Service Group Status to Enabled. A service group can be defined but not active.

Specify a unique Service Group Name. The service group name is an aid to administration.

Specify a WCCP Service Group ID from 0-255. This ID must match a corresponding service group ID configured on the router. See Configuring service groups on the WCCP device.

Specify the network Protocol applicable to the service group (TCP or UDP).

Specify the Ports that this service group will use.

Select Specify ports to enter up to 8 ports in a comma-separated list.

Select All ports to redirect traffic from all ports.


	Important Every port in the service group must have a corresponding ARM redirection rule to redirect the traffic to Content Gateway. See The Content Gateway ARM.

From the drop down list, select the Network Interface on the Content Gateway host system that this service group will use.

Configure mode negotiation

The Packet Forward Method determines how traffic is transmitted from the WCCP router to the proxy.

The Packet Return Method specifies the method used to return traffic back to the WCCP router.


	Important If you change the forward/return method configuration while there is an active connection with the WCCP device, in order to re-negotiated the method you must force the current connection to terminate. Typically, this means turning off the service group on the WCCP device for 60 seconds. See the documentation for your WCCP device.


	Important If multiple proxies are installed in your environment, each with WCCP enabled, but configured with different Packet Forward and Packet Return Methods, traffic may not be processed. Some routers support only a single Packet Forward Method within a group and may forward packets to the other proxies using a method they do not support.

Typically the router supports only one method, and the forward and return methods match.

If traffic is routed to the proxy by a Cisco ASA firewall, in the Special Device Profile drop down box select ASA Firewall. When this option is selected, GRE is automatically selected for both Packet Forward Method and Packet Return Method. These settings cannot be changed.

If traffic is routed to the proxy by a router or switch, select the Packet Forward Method (L2 or GRE) and Packet Return Method that matches the capabilities and position of your router or switch.

If Content Gateway is configured with a Forward/Return method that the router does not support, the proxy negotiates the method supported by the router.

If L2 is selected, L2 is automatically selected as the return method (GRE is not an option).


	Important Selecting L2 requires that the router or switch be Layer 2-adjacent (in the same subnet) as Content Gateway.

If GRE is selected, for each router in the service group a unique Content Gateway tunnel endpoint IP address must be specified in the WCCP Routers section (see the "Provide router information" step, below).


	Important GRE cannot be used with WCCP multicast mode.


	Important GRE return, as documented by Cisco (see this site), is fully functional in all deployments. GRE enhanced tunnel return, in which the proxy forwards traffic back to the router, is also available. Contact Technical Support for info on how to enable the functionality.

Configure advanced settings

Use Assignment Method to specify the parameters used to distribute intercepted traffic among multiple nodes in a cluster. For a description of the WCCP load distribution feature, see WCCP load distribution.

HASH applies a hash operation to the selected distribution attributes.

With HASH, more than one distribution attribute can be selected.

The result of the hash operation determines the cluster member that receives the traffic.

MASK applies a mask operation to the selected distribution attribute.

Only one distribution attribute can be selected, typically the destination IP address.

The result of the mask operation determines the cluster member that receives the traffic.

The following distribution attributes can be selected:

Destination IP address

Destination Port

Source IP address

Source Port

The MASK value is applied up to 6 significant bits (in a cluster, a total of 64 buckets are created). See your WCCP documentation for more information about assignment method HASH and MASK operations. Use the value recommended in the manufacturer's documentation for your device.

For proportional load distribution, specify a weight value from 0-255. The value determines the proportional distribution of load among servers in a cluster.

Weight is only useful when Synchronize in the Cluster is disabled.

All cluster members have a value of 0 by default, which results in a balanced distribution of traffic.

If weight is set to 1 or higher, the value guides proportional distribution among the nodes.

For example, if there are 3 nodes in a cluster and Proxy1 has a weight of 20, Proxy2 has a weight of 10, and Proxy3 has a weight of 10, Proxy1 will get one half of the traffic, Proxy2 will get one-quarter of the traffic, and Proxy3 will get one-quarter of the traffic.


	Important When the value of weight is greater than 0 on any member of the cluster, any member of the cluster with a weight of 0 receives no traffic. If you plan to use weight, be sure to set a weight on every member of the cluster.

For more information about load distribution, see WCCP load distribution.

Specify a Reverse Service Group ID for IP spoofing.

When IP spoofing is enabled, you must define a reverse service group for each HTTP and HTTPS forward service group.


	Note Only HTTP and HTTPS are supported for IP Spoofing.

Using the specified ID, Content Gateway creates a reverse service group that is a mirror of the forward service group. For example, if the forward service group has assignment method based on destination IP address, the reverse service has an assignment method based on the source IP address.


	Note IP spoofing is not supported with service groups that use a hashing assignment method with both destination and source attributes. If IP spoofing is enabled on such a service group, an alarm is raised and IP spoofing is disabled.

Provide router information


	Note It may take up to a minute for the router to report that a new proxy server has joined a service group.

To use optional WCCP authentication, under Security, select Enabled and enter the same password used for service group authentication on the router. See Enabling WCCP v2 security on the router.

To run in multicast mode, under Multicast, select Enabled and enter the multicast IP address. The multicast IP address must match the multicast IP address specified on the router. See Transparent interception and multicast mode.


	Important GRE packet Forward/Return method cannot be used with multicast mode.

Under WCCP Routers, specify up to 10 Router IP Addresses. These routers must be configured with a corresponding service group.

If ASA_Firewall was selected as the Service Device Profile, enter both the router IP Address and the WCCP router ID, separated by /, in the Router IP Address column.

If GRE is selected for Packet Forward Method, also specify a unique Local GRE Tunnel Endpoint IP address for each router (not required for ASA firewall), and optionally, a GRE Tunnel Next Hop Router IP Address.

The Local GRE Tunnel Endpoint IP address is the Content Gateway tunnel endpoint for the associated Router IP Address.

The Local GRE Tunnel Endpoint IP Address:

Must be unique and not assigned to any device

Must be a routable IP address

Should reside on the same subnet as the proxy. If it is not, you must define a route for it.

Is not intended to be a client-facing proxy IP address

Is bound to the physical interface specified for the service group (on Forcepoint appliances use the CLI command "show interface info" to view the logical name to physical interface bindings)

When GRE Packet Return Method is configured and Content Gateway does not have a route back to the WCCP router, specify a GRE Tunnel Next Hop Router IP Address. The IP address must be in IPv4 format.

You can use "ping" to test connectivity to the router.

From Content Gateway, ping each router defined in the service group (in the Router IP Address field).

If ping doesn't return a response, you need to define a GRE Tunnel Next Hop to that router. Intervening routers must have a route to the WCCP router, or a next hop.


	Note WCCP routers that have multiple interfaces assign the Router ID to the interface with the highest numeric value IP address. Content Gateway must be able to connect to the router ID to negotiate the method. To ensure connectivity and that the router ID doesn't change unexpectedly, it is a best practice to make the router loopback address the highest IP address. This also ensures that traffic and statistics reported on the Monitor > Networking > WCCP page are reported against a known router ID.

Save your configuration changes

Click Add to add a new entry, or click Set to save changes to the selected entry.

Click Apply and then Close to close the editor. Navigating away from the page before clicking Apply results in the loss of all changes.

Restart the proxy to cause the changes to take effect. Navigate to the Configure > My Proxy > Basic > General tab and click Restart.


	Note To check that the router is sending traffic to the proxy, examine the statistics in the Content Gateway manager Monitor pane. For example, check that the Objects Served statistic in the My Proxy > Summary section increases.