Are you wondering where you should put your Blue Coat [Packeteer] PacketShaper and your in-line proxy / cache in your network?

The PacketShaper should be as close to the router (or firewall) as possible. The proxy or cache (if it sits in-line) should sit on the LAN side of the PacketShaper.

INTERNET <-> ROUTER <-> FIREWALL <-> PACKETSHAPER <-> WEB CACHE/PROXY <-> LAN

Can the Shaper and Cache deployment be reversed?  Yes, but you will be shaping requests made to the cache.  There can be some advantages to this deployment if you are attempting to shape individual connections to the web.

I prefer the cache inside and to see all web connections originating from the proxy.

If your web cache/proxy [Blue Coat, Barracuda, Ironport, etc] supports WCCP v2, you can use your PacketShaper to hand off all port 80 requests to your web filter.   In this setup, you usually do not need your web proxy in-line any more.

For this article I use the terms web cache, web proxy and web filter interchangably — if you are using  a good one it is all of those things.

I have decided to repost an update to my WCCP config for ASA’s.  This example here will reroute only subnet 192.168.1.0/24 to the web cache.

#setup first access list to define the wccp server
#we will call this ACL “wccpserver”
#
access-list wccpserver extended permit ip host 192.168.42.42 any

#setup access list to define the subnets to be redirected and filtered 
#for this example we will call the access list “filter” and only define
#the subnet 192.168.1.0/24
#
access-list filter permit ip 192.168.1.0 0.255.255.255 any

access-list filter deny ip any any

# Setup wccp v2 with no passwords, redirecting the “filter” ACL
#to the wccp server defined in the ACL “wccpserver”.
#
wccp web-cache redirect-list filter group-list wccpserver
wccp interface inside web-cache redirect in

Disabling the attribute for Last Access Times is not a good idea for security or auditing.  But if you need to squeeze more performance out of a system, this is a way to do it.

http://technet.microsoft.com/en-us/library/cc758569.aspx

http://unixfoo.blogspot.com/2007/12/filesystem-noatime.html

########
# Setup WCCP version 2 on Cisco ASA firewall to a Web Filter (192.168.42.42)
#
#
# Create Access List called “wccpserver” for Web Filter
#
access-list wccpserver extended permit ip host 192.168.42.42 any

#
# Setup wccp v2 with no passwords,
# assumes all web traffic hitting internal interface will be rerouted
#
wccp web-cache group-list wccpserver
wccp interface inside web-cache redirect in
#
#########

And done. There are more WCCP option, but this should get you started.

Cisco’s documentation on WCCP (that fails to explain access lists) can be found here: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094445

I am a security tech in the field.  I install firewalls, anti-spam, anti-virus, web content filtering any many other products.  I also like to tinker with my Linux and BSD servers.  The Internet is chock full of information, too bad a lot of it is not what I’m looking for.  I hope some of the information I post helps somebody along the way.  Comments, thank yous and corrections are greatly appreciated.