Configuring WCCP

To enable integration between your Sophos Web Appliance and WCCP routers, use the Configuration > Network > WCCP page. Your deployment can be in either Transparent Mode or Bridged Mode.

  1. Enable WCCP on your routers. The web appliance will only process HTTP traffic that is directed to port 80 of external sites.
    Note When using WCCP with a router that supports the fast timers feature (Cisco firmware released after 2012 or WCCP v2 rev1), you must disable that feature. To disable it on a Cisco router, use the command no ip wccp variable-timers.
  2. Toggle the WCCP integration button to the On position.
  3. Under Forwarding method, select GRE or L2.
    Important You must turn WCCP off on all appliances for a minimum of 30 seconds when you switch between the GRE and L2 forwarding methods.
    • For optimal performance, choose L2 if there are no routers between the WCCP router and the web appliance. (In this example, the IP address of interface is the WCCP Router IP address.)
    • You must choose GRE if your network has more than one router between the WCCP router and the web appliance, or if your network topology has specific hardware or firewall requirements. (In this example, the IP address of interface is the WCCP Router IP address.)
  4. Enter the IP addresses for your routers.
    • For routers using a multicast IP address, enter one IP address, and click Add.
    • For a router with unicast IP addresses, enter one IP address, and click Add. Do the same for each router.
    Important You should specify the IP address of the interface with the fewest hops to the web appliance.
  5. [Optional] Select Accept HTTPS redirection from WCCP router to allow HTTPS traffic to be forwarded.
    Note This option requires that there be two WCCP service groups on the selected router. The required groups are group 0 for HTTP, and group 70 for HTTPS.
  6. [Optional] Enter a password under Service group password to ensure the web appliance only accepts requests from authorized WCCP routers.
  7. Click Apply.
If the initial setup is successful, traffic will begin to flow through the web appliance. However, if the initial setup fails, the System Status will display a critical error after three minutes.
Note When a web appliance with an incompatible forwarding method attempts to join a WCCP service group, Cisco routers correctly detect that an unusable proxy has joined, but may not update the router’s record. To correct this, you must disable WCCP on the router, and then re-enable it, clearing the list of known routers.
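
The router-side prerequisites in steps 1, 5 and 6 (fast timers disabled, service groups 0 and 70 present, a service group password set) can be checked against a candidate router configuration before WCCP is turned on. The following Python script is an added example, not Sophos or Cisco code; it assumes a Cisco router that supports fast timers, and the configuration excerpt, placeholder password and function names are constructed for illustration.

```python
import re

# Constructed candidate router configuration (Cisco IOS syntax); the password is a placeholder.
SAMPLE_CONFIG = """\
no ip wccp variable-timers
ip wccp web-cache password 0 EXAMPLE-SECRET
ip wccp 70
interface GigabitEthernet0/1
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
"""

# Service groups named on this page; "web-cache" is the well-known service, group 0.
HTTP_GROUP, HTTPS_GROUP = "0", "70"


def parse_wccp(config):
    """Return ({group_id: has_password}, fast_timers_disabled) from global lines."""
    groups, timers_off = {}, False
    for raw in config.splitlines():
        if raw.startswith(" "):  # indented interface-level lines define no group
            continue
        line = raw.strip()
        if line == "no ip wccp variable-timers":
            timers_off = True
            continue
        m = re.match(r"ip wccp (web-cache|\d+)\b(.*)", line)
        if m:
            gid = HTTP_GROUP if m.group(1) == "web-cache" else m.group(1)
            has_pw = bool(re.search(r"\bpassword\s+\S+", m.group(2)))
            groups[gid] = groups.get(gid, False) or has_pw
    return groups, timers_off


def audit(config, https=True, password_expected=True):
    """List gaps against the prerequisites in steps 1, 5 and 6."""
    groups, timers_off = parse_wccp(config)
    findings = []
    if not timers_off:
        findings.append("fast timers not disabled")
    for gid in [HTTP_GROUP] + ([HTTPS_GROUP] if https else []):
        if gid not in groups:
            findings.append(f"service group {gid} not defined")
        elif password_expected and not groups[gid]:
            findings.append(f"service group {gid} has no password")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The sample is flagged because group 70 carries no password: with HTTPS redirection accepted, both service groups need the same password that is entered under Service group password on the appliance.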