Forum Discussion

Ryan_34424's avatar
Ryan_34424
Icon for Altostratus rankAltostratus
Dec 04, 2012

BIG IP LTM, Bluecoat, WCCP... oh my.

Here's an interesting one. I'm fairly new to F5 and the BIG IP LTM series, so everything on this thing is a learning process. I've been able to move past all prior issues (virtual server forwarding, iRules, monitors, etc) as I have a PhD in RTFM... however this one has me for a loop and no amount of RTFM'ing seems to be getting me anywhere. It involves introducing an F5 BIG IP LTM into a mix of Bluecoat SG proxies, routers, and WCCP.

 

With our current environment, we have a router that sees all egress traffic. It has a WCCP communication path with the three Bluecoat Proxies. The router grabs all necessary protocols, and encapsulates it via WCCP and sends to the Bluecoat proxies. Which proxy is used is dependent on the router configuration and which device is currently able to participate. It does not have a way of distributing this traffic... it's strictly failover. You know, without getting into ACLs and all that garbage.

 

This is where the LTM comes into play. What I would like to have in addition to the fault tolerance, is the ability to distribute load across the proxies.

 

I'm running into problems when it comes to how this would work. Some of the questions I have:

 

Does the LTM terminate the WCCP session with the router and then distribute the contents via virtual server?

 

How does that play into the transparency since the destination is something on the Internet and not the proxy itself?

 

Tons-o-questions really...

 

Does anybody have any experience in doing so or pointers on where I should look for more information? Any info really appreciated...

 

Thanks,

 

-RG

 

basic
getting started
new to f5
  • Charles_16084's avatar
    Charles_16084
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2013
    Did you every get an answer to this? We are looking to do the same thing but aren't sure exactly how this should be configured on the LTM. We already have a VS configured on port 8080 that load balances the proxy servers.
  • Ryan77777's avatar
    Ryan77777
    Icon for Altocumulus rankAltocumulus
    Jan 25, 2013
    Negative. I contacted F5 support also (active maintenance contract), but the engineer was zero help. After 10-15 tries of explaining what I was trying to do, he finally came to the realization that he didn't know enough about WCCP to have the discussion, and that I should contact another engineer. Not sure why I have to contact another engineer, he should just escalate. Anyway, I haven't had the time to follow-up and the response kind of turned me off to their support, so I haven't been that aggressive with it. Poor experience for first attempt at support with F5.
  • Nate_ƒlagg's avatar
    Nate_ƒlagg
    Icon for Employee rankEmployee
    Feb 07, 2013

    I haven't tested this personally but here's my 2 cents:

     

    > Does the LTM terminate the WCCP session with the router and then distribute the contents via virtual server?

     

    Yes, for instance. one way to do this is to create a VS any:80 with snatpool and no port or address translation -> pool of proxies

     

    > How does that play into the transparency since the destination is something on the Internet and not the proxy itself?

     

    The 'no port or address translation' means the destination IP won't change. You can remove the snatpool if you don't want the source IP changed.

     

    This documentation below is labelled WOM but in Big-IP 11.2.0 and up, WCCP is available to LTM-only licensed units also.

     

    Configuring WCCPv2 Redirection - http://support.f5.com/kb/en-us/prod...r=27181397

     

  • Ryan77777's avatar
    Ryan77777
    Icon for Altocumulus rankAltocumulus
    Feb 07, 2013
    Nathan,

     

     

    I'm obviously not familiar with your level of experience with WCCP, so forgive me if I'm stating things you already know. But with WCCP (minus the F5), the router is creating a GRE tunnel with EACH proxy and determines which proxy it needs to send the Internet traffic over via ACL and within regards to which proxy is available within the WCCP cluster. If I were to just forward this GRE information to a VS, it's not going to be able to maintain the tunnel appropriately. Or am I just not following what you're saying?

     

     

    -RG
  • Nate_ƒlagg's avatar
    Nate_ƒlagg
    Icon for Employee rankEmployee
    Feb 07, 2013

    The way I understand it (and I haven't set this up personally so take this with some skepticism) the tunnel is terminated between the router and the Big-IP. Packets arrive unencrpyted to the Big-IP as though the client sent it directly to the Big-IP as the Gateway. Thus, a port 80 VS needs to catch and forward the traffic. If it's going back to another proxy via a pool, it won't be using WCCP to get there on the back-end.

     

  • Ryan77777's avatar
    Ryan77777
    Icon for Altocumulus rankAltocumulus
    Feb 07, 2013
    I gotcha. So, the WCCP setup part seems straight-forward as I've enter those settings and established the session with the router. I have multiple VS's listening on 80 though. How would it know which VS to use? Or will the any:80 be used since it's the best match? I guess I can try it out...

     

     

    -RG
  • Nate_ƒlagg's avatar
    Nate_ƒlagg
    Icon for Employee rankEmployee
    Feb 07, 2013

    Right, 0.0.0.0/0:80 will catch any HTTP traffic not destined for a more specfic VS.

     

  • kmurphy_130520's avatar
    kmurphy_130520
    Icon for Nimbostratus rankNimbostratus
    Jul 24, 2014

    Did anyone have any success getting this to work? I have set up WCCP communication between F5 and the router, and can see that port 80 packets are arriving on the F5 via WCCP as expected. I also set up a standard VS for 0.0.0.0/0:80, which has a pool member that is a Websense proxy (same idea as BlueCoat).

     

    The problem is that no packets ever arrive at the Websense interface, which should be receiving packets forwarded by the F5 VS.

     

    Any ideas?