Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring service groups in the Content Gateway manager
Help | Content Gateway | Version 8.1.x
Every WCCP service group that redirects traffic to a Content Gateway proxy must have a corresponding service group defined for it in the Content Gateway server or cluster.
To define service groups, go to Configure > Networking > WCCP.
a.
The Service Groups table displays the list of configured service groups and a subset of their configuration settings.
Entries are stored in the wccp.config file.
The Refresh button rereads wccp.config, refreshing the table.
To add, modify, delete, or reorder service groups, click Edit File.
b.
Synchronize in the Cluster: If Content Gateway is configured in a cluster, enable (default) or disable the Synchronize in the Cluster option. (The value of this option is always synchronized in the cluster.)
When this option is enabled, the WCCP configuration (stored in wccp.config) is synchronized in the cluster and configuration changes can be made on any node in the cluster.
When this option is disabled, the WCCP configuration is not synchronized in the cluster and changes to the WCCP configuration must be made individually on each node. A common use case for this is to control which service groups are enabled/disabled on each node, and/or to use proportional load distribution using weight.
If after being disabled this option is enabled, the configuration on the node on which the administrator enables the option is used to initially synchronize the cluster.
Caution: When Synchronize in the Cluster is disabled, you must visit each node in the cluster to examine and maintain your WCCP configuration. This can also make WCCP troubleshooting more difficult.
Configuring a service group (editing wccp.config)
1.
On Configure > Networking > WCCP, click Edit File to open wccp.config in the editor.
Defined service groups are summarized at the top of the page.
Click an entry in the list to view its complete details, modify, or reposition it.
When an entry is selected, the down and up arrows to the left of the list reposition the entry in the list.
Click "X" to delete a selected entry.
2.
a.
Service Group Status: To enable a service group, select Enabled. A service group can be defined but not active.
b.
Service Group Name: Specify a unique service group name. The service group name is an aid to administration.
c.
Service Group ID: Specify a WCCP service group identification number from 0-255. This ID must match a corresponding service group ID configured on the router. See Configuring service groups on the WCCP device.
d.
Protocol: Specify the network protocol applicable to the service group, either TCP or UDP.
e.
Ports: Specify the ports that this service group will use. You can specify up to 8 ports in a comma-separated list.
 
Important 
f.
Network Interface: From the drop down list, select the network interface on the Content Gateway host system that this service group will use.
3.
The Packet Forward Method determines how traffic is transmitted from the WCCP router to the proxy.
The Packet Return Method specifies the method used to return traffic back to the WCCP router.
Typically the router supports only one method.
Typically, the forward and return methods match.
a.
If traffic is routed to the proxy by a Cisco ASA firewall, in the Special Device Profile drop down box select ASA Firewall. When this option is selected, GRE is automatically selected for both Packet Forward Method and Packet Return Method. These settings cannot be changed.
b.
If traffic is routed to the proxy by a router or switch, select the Packet Forward Method and Packet Return Method that matches the capabilities and position of your router or switch.
If Content Gateway is configured with a Forward/Return method that the router does not support, the proxy negotiates the method supported by the router.
Packet Forward Method: Select L2 or GRE.
If L2 is selected, L2 is automatically selected as the return method (GRE is not an option).
 
Important 
If GRE is selected, for each router in the service group a unique Content Gateway tunnel endpoint IP address must be specified in the WCCP Routers section (see the Router Information step, below).
Packet Return Method: Select L2 or GRE.
 
Important 
 
Important 
4.
a.
Assignment Method: Specify the parameters used to distribute intercepted traffic among multiple nodes in a cluster. For a description of the WCCP load distribution feature, see WCCP load distribution.
HASH applies a hash operation to the selected distribution attributes.
*
*
MASK applies a mask operation to the selected distribution attribute.
*
*
The following distribution attributes can be selected:
*
*
*
*
The MASK value is applied up to 6 significant bits (in a cluster, a total of 64 buckets are created). See your WCCP documentation for more information about assignment method HASH and MASK operations. Use the value recommended in the manufacturer's documentation for your device.
b.
Weight: Only useful when Synchronize in the Cluster is disabled.
For proportional load distribution, specify a value from 0-255. The value determines the proportional distribution of load among servers in a cluster.
All cluster members have a value of 0 by default, which results in a balanced distribution of traffic. If weight is set to 1 or higher, the value guides proportional distribution among the nodes. For example, if there are 3 nodes in a cluster and Proxy1 has a weight of 20, Proxy2 has a weight of 10, and Proxy3 has a weight of 10, Proxy1 will get one half of the traffic, Proxy2 will get one-quarter of the traffic, and Proxy3 will get one-quarter of the traffic.
 
Important 
When the value of weight is greater than 0 on any member of the cluster, any member of the cluster with a weight of 0 receives no traffic. If you plan to use weight, be sure to set a weight on every member of the cluster.
Note 
Weight is only useful when Synchronize in the Cluster is disabled.
For more information about load distribution, see WCCP load distribution.
c.
Reverse Service Group ID: For IP spoofing. Allows you to specify a reserve service group ID.
When IP spoofing is enabled, you must define a reverse service group for each HTTP and HTTPS forward service group.
 
Note 
Using the specified ID, Content Gateway creates a reverse service group that is a mirror of the forward service group. For example, if the forward service group has assignment method based on destination IP address, the reverse service has an assignment method based on the source IP address.
 
Note 
5.
Note 
a.
Security: To use optional WCCP authentication, select Enabled and enter the same password used for service group authentication on the router. See Enabling WCCP v2 security on the router.
b.
Multicast: To run in multicast mode, select Enabled and enter the multicast IP address. The multicast IP address must match the multicast IP address specified on the router. See Transparent interception and multicast mode.
 
Important 
c.
WCCP Routers: Specify up to 10 WCCP Router IP Addresses. These routers must be configured with a corresponding service group.
If GRE is selected for Packet Forward Method, also specify a unique Local GRE Tunnel Endpoint IP address for each router (not required for ASA firewall), and optionally, a GRE Tunnel Next Hop Router IP Address.
The Local GRE Tunnel Endpoint IP address is the Content Gateway tunnel endpoint for the associated Router IP Address.
The Local GRE Tunnel Endpoint IP Address:
*
*
*
*
*
When GRE Packet Return Method is configured and Content Gateway does not have a route back to the WCCP router, specify a GRE Tunnel Next Hop Router IP Address. The IP address must be in IPv4 format.
You can use "ping" to test connectivity to the router.
*
*
If ping doesn't return a response, you need to define a GRE Tunnel Next Hop to that router. Intervening routers must have a route to the WCCP router, or a next hop.
 
Note 
WCCP routers that have multiple interfaces assign the Router ID to the interface with the highest numeric value IP address. Content Gateway must be able to connect to the router ID to negotiate the method. To ensure connectivity and that the router ID doesn't change unexpectedly, it is a best practice to make the router loopback address the highest IP address. This also ensures that traffic and statistics reported on the Monitor > Networking > WCCP page are reported against a known router ID.
6.
Click Add to add a new entry, or click Set to save changes to the selected entry.
7.
Click Apply and then Close to close the editor. Navigating away from the page before clicking Apply results in the loss of all changes.
8.
Restart the proxy to cause the changes to take effect. Go to Configure > My Proxy > Basic > General and click Restart.
 
Note 
To check that the router is sending traffic to the proxy, examine the statistics in the Content Gateway manager Monitor pane. For example, check that the Objects Served statistic in the My Proxy > Summary section increases.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2016 Forcepoint LLC. All rights reserved.