Cisco Cisco Web Security Appliance S360 User Guide
10-2
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 10 Working with External Proxies
Routing Traffic to Upstream Proxies
Figure 10-1
Routing Policies
When you define multiple external proxies in a proxy group, the Web Proxy can use load balancing
techniques to distribute requests to different proxies defined in the group. You can choose the following
load balancing techniques:
techniques to distribute requests to different proxies defined in the group. You can choose the following
load balancing techniques:
•
None (failover). The Web Proxy directs transactions to one external proxy in the group. It tries to
connect to the proxies in the order they are listed. If one proxy cannot be reached, the Web Proxy
attempts to connect to the next one in the list.
connect to the proxies in the order they are listed. If one proxy cannot be reached, the Web Proxy
attempts to connect to the next one in the list.
•
Fewest connections. The Web Proxy keeps track of how many active requests are with the different
proxies in the group and it directs a transaction to the proxy currently servicing the fewest number
of connections.
proxies in the group and it directs a transaction to the proxy currently servicing the fewest number
of connections.
•
Hash based. The Web Proxy uses a hash function to distribute requests to the proxies in the group.
The hash function uses the proxy ID and URL as inputs so that requests for the same URL are always
directed to the same external proxy.
The hash function uses the proxy ID and URL as inputs so that requests for the same URL are always
directed to the same external proxy.
•
Least recently used. The Web Proxy directs a transaction to the proxy that least recently received
a transaction if all proxies are currently active. This setting is similar to round robin except the Web
Proxy also takes into account transactions a proxy has received by being a member in a different
proxy group. That is, if a proxy is listed in multiple proxy groups, the “least recently used” option
is less likely to overburden that proxy.
a transaction if all proxies are currently active. This setting is similar to round robin except the Web
Proxy also takes into account transactions a proxy has received by being a member in a different
proxy group. That is, if a proxy is listed in multiple proxy groups, the “least recently used” option
is less likely to overburden that proxy.
•
Round robin. The Web Proxy cycles transactions equally among all proxies in the group in the
listed order.
listed order.
For information about creating Routing Policies, see
.
Note
If your network contains an upstream proxy that does not support FTP connections, then you must create
a Routing Policy that applies to all Identities and to just FTP requests. Configure that Routing Policy to
directly connect to FTP servers or to connect to a proxy group whose proxies all support FTP
connections.
a Routing Policy that applies to all Identities and to just FTP requests. Configure that Routing Policy to
directly connect to FTP servers or to connect to a proxy group whose proxies all support FTP
connections.
Accessing HTTPS Sites using Routing Policies with URL Category Membership
Criteria
Criteria
For transparently redirected HTTPS requests, the Web Proxy must contact the destination server to
determine the server name and therefore the URL category in which it belongs. Due to this, when the
Web Proxy evaluates Routing Policy Group membership, it cannot yet know the URL category of an
HTTPS request because it has not yet contacted the destination server. If the Web Proxy does not know
the URL category, it cannot match the transparent HTTPS request to a Routing Policy that uses a URL
category as membership criteria.
determine the server name and therefore the URL category in which it belongs. Due to this, when the
Web Proxy evaluates Routing Policy Group membership, it cannot yet know the URL category of an
HTTPS request because it has not yet contacted the destination server. If the Web Proxy does not know
the URL category, it cannot match the transparent HTTPS request to a Routing Policy that uses a URL
category as membership criteria.