• May 21, 2012, 08:34:24 AM

Author Topic: Interception Caching, Transparent Proxying and Cache Redirection With ERS 8600


Offline superbaim

  • Jr. Member
  • **
  • Posts: 40

I'm new to the forum.
I want to try interception caching or a transparent proxy, so that all port 80 traffic to the Internet is redirected to my proxy server port, which is running Squid, so users don't have to configure proxy settings in the browser.

For example, I want to redirect traffic originating from VLAN 2 (192.168.2.0/24) and VLAN 3 (192.168.3.0/24) to my Squid server 172.16.5.2 port 3128.

How can I achieve this using the ERS 8600?

Thanks


Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2503
    • Michael McNamara
It can be done but it's really not advisable. It would be better if you put the proxy server in-line with the data. It will act as a Layer 2 bridge for the traffic it doesn't care about and it will proxy (transparently) the data on the various ports it's configured with.

Cheers!
We've been helping network engineers, system administrators and technology professionals since June 2009.
If you've found this site useful or helpful, please help me spread the word. Link to us in your blog or homepage - Thanks!

Offline superbaim

  • Jr. Member
  • **
  • Posts: 40
Quote from: Michael McNamara
> It can be done but it's really not advisable. It would be better if you put the proxy server in-line with the data. It will act as a Layer 2 bridge for the traffic it doesn't care about and it will proxy (transparently) the data on the various ports it's configured with.
>
> Cheers!

Can you elaborate more on where I should put my proxy?

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2503
    • Michael McNamara
In this specific case take a Blue Coat ProxySG appliance and you can put it in-line with your Internet traffic.

{SWITCH} <---> {PROXY} <----> {ROUTER} <----> (INTERNET)

In this design all traffic must pass through the proxy server since it's physically in-line just in front of your Internet router or firewall.

Offline MisterAG

  • Rookie
  • **
  • Posts: 22
Forgive my ignorance of the BlueCoat appliance, but what happens if the appliance reboots, or loses power? Are the NICs in it able to do passive bridging of the data, or will you essentially lose connection to your router (and upstream network) if the Bluecoat goes down?

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2503
    • Michael McNamara
Quote from: MisterAG
> Forgive my ignorance of the BlueCoat appliance, but what happens if the appliance reboots, or loses power? Are the NICs in it able to do passive bridging of the data, or will you essentially lose connection to your router (and upstream network) if the Bluecoat goes down?

There are solutions that fail open (passive bridging cards) in a power fail scenario; you could also deploy two of them in-line and run STP/RSTP to block the loop.

Cheers!

Offline stauftm

  • Full Member
  • ***
  • Posts: 69
I had a similar scenario, at one time we used a proxy for our means of web use. Instead of any 'inline' device or network modification I decided to use a script that modified the users Web Browser to force them to use the proxy. It was pretty easy in Group Policy for the Windows environment, as far as non-Windows i just used a login script to modify the proxy setting. I had to make this work on quite a few hosts, but in the end it was worth it to me. For the most part my core switch/router is just that – a core switch/router and that’s all I want it to do, I always attempt to filter my network at the edge first to keep the core clean.

Just my two cents.

Thanks,
Todd

Offline MisterAG

  • Rookie
  • **
  • Posts: 22
We also run our web proxy off to the side. Unless all of your workstations are running in your Active Directory under group policy and IE8, you'll likely end up needing to use WPAD (Web Proxy Auto Detect).

You end up with a configuration file that is configurable that defines where your proxy server is, and for what destinations you use the proxy for.

For example, ours is configured to proxy all traffic that isn't destined for an RFC1918 address. If the proxy doesn't respond, try going directly out to the website.

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2503
    • Michael McNamara
Quote from: stauftm
> I had a similar scenario, at one time we used a proxy for our means of web use. Instead of any 'inline' device or network modification I decided to use a script that modified the users Web Browser to force them to use the proxy. It was pretty easy in Group Policy for the Windows environment, as far as non-Windows i just used a login script to modify the proxy setting. I had to make this work on quite a few hosts, but in the end it was worth it to me. For the most part my core switch/router is just that – a core switch/router and that’s all I want it to do, I always attempt to filter my network at the edge first to keep the core clean.

Hi Todd,

This is an explicit proxy configuration where you explicitly configure the browser (and other Internet applications) with either the proxy server IP address and port or a PAC file.

As Todd alludes to you can certainly use Windows Active Directory Group Policy to configure the browser settings for Internet Explorer across your entire network.

Here's an example of the PAC file that I currently use:
http://blog.michaelfmcnamara.com/2008/08/blue-coat-proxysg-appliances-load-balancing-high-availability/

Cheers!
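The two posts above describe the same explicit-proxy approach: MisterAG's WPAD/PAC policy (proxy everything that is not an RFC 1918 destination, try DIRECT if the proxy does not respond) and Michael's pointer to his own PAC file. The following is an added example written for this page, not MisterAG's configuration and not the PAC file Michael links to. It uses the Squid address from the original question (172.16.5.2:3128); the hostnames and DNS answers in it are constructed sample data, and the `resolveHost` / `ipToInt` / `isRfc1918` helpers are assumptions added so the file can be exercised outside a browser, where the PAC built-in `dnsResolve()` does not exist.

```javascript
// Added example: a WPAD/PAC file implementing "proxy all non-RFC 1918 destinations,
// fall back to DIRECT if the proxy is unreachable". Written with "var" because PAC
// files run in older browser script engines that may lack ES2015 syntax.

// RFC 1918 private ranges as [network, prefix length].
var RFC1918 = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

// Proxy address taken from the original question (Squid on 172.16.5.2:3128).
var PROXY = "PROXY 172.16.5.2:3128";

// Constructed DNS answers, used only when the PAC built-in dnsResolve() is absent
// (i.e. when this file is run outside a browser for testing). Not real hosts.
var SAMPLE_DNS = {
  "intranet.example.local": "192.168.2.10",
  "www.example.com": "203.0.113.10"
};

// Parse a dotted quad into an unsigned integer; null if it is not an IPv4 literal.
// Multiplication instead of bit shifts avoids JavaScript's signed 32-bit overflow.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if the IPv4 address falls inside one of the RFC 1918 ranges.
function isRfc1918(ip) {
  var n = ipToInt(ip);
  if (n === null) return false;
  for (var i = 0; i < RFC1918.length; i++) {
    var net = ipToInt(RFC1918[i][0]);
    var size = Math.pow(2, 32 - RFC1918[i][1]);
    if (n >= net && n < net + size) return true;
  }
  return false;
}

// Resolve a hostname: prefer the browser's dnsResolve(), else the sample table.
// (Hypothetical helper; a real PAC file would call dnsResolve() directly.)
function resolveHost(host) {
  if (typeof dnsResolve === "function") return dnsResolve(host);
  return SAMPLE_DNS[host] || null;
}

// Standard PAC entry point; the browser calls it for every request.
// "url" is unused here because the policy depends only on the destination host.
function FindProxyForURL(url, host) {
  // Unqualified names (no dot) are intranet hosts: go direct.
  if (host.indexOf(".") === -1) return "DIRECT";
  // An IPv4 literal, or a name resolving into RFC 1918 space: go direct.
  var ip = ipToInt(host) !== null ? host : resolveHost(host);
  if (ip !== null && isRfc1918(ip)) return "DIRECT";
  // Everything else goes via the proxy; if the proxy is down, try DIRECT.
  return PROXY + "; DIRECT";
}
```

The trailing `; DIRECT` reproduces the "try going directly out" behaviour MisterAG describes, which keeps users working when the proxy is down but also means clients silently bypass whatever filtering the proxy enforces whenever it is unreachable. If the proxy is a control rather than just a cache, pair the PAC file with an egress rule on the firewall or Internet router that only permits the proxy's address out on the web ports, so that the DIRECT fallback cannot reach the Internet; and since browsers locate this file through DHCP option 252 or a `wpad.<your-domain>` DNS name, register that name and control that DHCP option yourself so clients cannot be handed a different file by another host on the LAN.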