
Source: Blue Coat Management and Configuration Guide, version 3.x.x.


 
Goal: How to configure Transparent Proxy on BC 3.x.x
 
Transparent Proxies
To use transparent proxy, you must:
• Configure the network to redirect client requests.
• Create a transparent proxy service
 
Configuring the Transparent Proxy Hardware
For transparent proxy to work, you must use one of the following:
• ProxySG Pass-Through card
• ProxySG software bridge
• Layer-4 switch
• WCCP
 
Setting up the Pass-Through Card for Hardware Bridging
The Blue Coat Systems Pass-Through card is a device that enables a bridge, using its two interface
cards, so that packets can be forwarded across it. However, if the system crashes, the Pass-Through
card fails open: the two Ethernet cables are connected to each other so that traffic can continue to
pass through without restriction.
Configure a transparent service on the bridge's IP address just like for any other IP address, and it
intercepts traffic as usual.
The differences are:
• Forwards traffic: it does not intercept without enabling global IP packet forwarding.
• Proxies for requests on either interface card, so if you have connected one side of the bridge to
your Internet connection, you must be careful.
 
 
Setting up the ProxySG for Software Bridging
Blue Coat Systems supports a software or dynamic bridge that is constructed using a set of installed
interface cards. Keep in mind the following about software bridges:
• The adapters must be of the same type. Although the software does not restrict you from configuring
bridges with adapters of different types (10/100 or GIGE), the resultant behavior is unpredictable.
• IP addresses—If any of the interface ports to be added to the bridge already have IP addresses
assigned to them, those IP addresses must be removed.
 
 
 
Setting up a Layer-4 Switch for Transparent Proxy
In Transparent Proxy Acceleration, as traffic is sent to the origin server, any traffic sent on TCP port 80
is redirected to the ProxySG Appliances by the Layer 4 switch. The benefits to using a Layer 4 switch
include:
• Built-in failover protection. In a multi-ProxySG setup, if one ProxySG fails, the Layer 4 switch can
route to the next ProxySG.
• Request partitioning based on IP address instead of on HTTP transparent proxying. (This feature
is not available on all Layer 4 switches.)
• ProxySG bypass prevention. You can configure a Layer 4 device to always go through the Blue
Coat Systems ProxySG machine even for requests to a specific IP address.
• ProxySG bypass enabling. You can configure a Layer 4 device to never go through the ProxySG.
The following are very generic directions for configuring transparent proxy using a Layer 4 switch
and ProxySG Appliances. The steps to perform depend on the brand of Layer 4 switch. Refer to the
Layer 4 switch manufacturer’s documentation for details.
 
 
To set up transparent proxy using a Layer-4 switch and ProxySG:
From the Layer 4 switch:
1. Configure the Layer 4 switch according to the manufacturer's instructions.
2. Configure for global transparent cache switching (TCS). With global TCS, incoming traffic from all
devices attached to all ports of the Layer-4 switch is redirected to the ProxySG. Assign an IP
address, default gateway, and subnet mask to the Layer-4 switch.
3. Configure TCS using a global policy, enabling redirection for all ports.
4. Identify one or more ProxySG Appliances.
5. Create a device server group.
6. Apply the ProxySG name to the device group.
7. Configure Ethernet interface 2.
8. Disable the redirection policy for the port to which the ProxySG is connected.
9. Configure Ethernet interface 4.
10. Disable the redirection policy for the port to which the router is connected.
11. (Optional) Configure the Layer-4 switch for server load balancing.
12. Save the Layer-4 switch configuration.
From the ProxySG, all you need to do is:
• Define the appropriate IP configurations per the instructions in the Installation Guide that
accompanied the ProxySG.
• Test the new network configuration.
 
Configuring WCCP for Transparent Proxy
WCCP is a Cisco®-developed protocol that allows you to establish redirection of the traffic that flows
through routers.
The main benefits of using WCCP are:
• Scalability—With no reconfiguration overhead, redirected traffic can be automatically distributed
to up to 32 ProxySG Appliances.
• Redirection safeguards—If no ProxySG Appliances are available, redirection stops and the router
forwards traffic to the original destination address.
For information on using WCCP with a Blue Coat Systems ProxySG see Appendix C: "Using WCCP"
on page 615.
 
IP Forwarding
IP Forwarding is a special type of transparent proxy. The ProxySG is configured to act as a gateway.
The gateway is configured so that if a packet is addressed to the gateway’s interface card, but not to its
IP address, the packet is forwarded toward the final destination. (If IP forwarding is turned off, the
packet is rejected as being mis-addressed).
By default, IP forwarding is set to off (disabled) to maintain a secure network.
To enable IP forwarding using the Management Console:
1. Select Configuration>Network>Routing>Gateways.
2. Select the Enable IP forwarding checkbox.
3. Click Apply.
To enable IP forwarding using the CLI:
At the (config) command prompt, enter the following command:
SGOS#(config) tcp-ip ip-forwarding enable
When upgrading to SGOS 2.x from CacheOS 4.x, the ProxySG retains the setting.
Important: When IP forwarding is enabled, be aware that all ProxySG ports are open and the
traffic coming through them is not subjected to policy, except on the ports
explicitly defined (Configuration>Services>Service Ports).
 
 
Creating a Transparent Proxy Service
As noted earlier, Blue Coat Systems recommends that you ignore authentication until the proxy
service is configured and running.
The example below uses HTTP. Note that two HTTP services are already configured and enabled on
SGOS 3.1.x.
To create a transparent HTTP port service from the Management Console:
1. Select Configuration>Services>Service Ports.
2. Click New; the Add Service dialog appears.
Figure 6-9: HTTP Add Service Dialog
3. The default IP address value is all. To limit the service to a specific IP, select the IP from the
drop-down list.
4. In the Port field, specify a port number; select Enable.
5. In the Protocol drop-down list, select HTTP.
6. In the Attributes field, select Transparent.
7. Click OK; click Apply.
To create a transparent HTTP port service through the CLI:
At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) http
SGOS#(config services http) create [ip_address:]port
SGOS#(config services http) attribute transparent enable [ip_address:]port
SGOS#(config services http) enable [ip_address:]port
To view the results:
SGOS#(config services http) view
Port: 8080 IP: 0.0.0.0 Type: http
Properties: explicit, enabled
Port: 80 IP: 0.0.0.0 Type: http
Properties: transparent, explicit, enabled
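Added example (not part of the Blue Coat guide): a Python sketch that parses saved "view" output in the format shown above and lists enabled services bound to every IP address, which matters given the earlier caution that a bridge proxies requests arriving on either interface card. It assumes IP 0.0.0.0 corresponds to the "all" value in the Add Service dialog; the function names and the third sample entry are constructed for illustration.

```python
import re

# Constructed sample in the format of the `view` output shown above; the
# third entry (a service bound to one address) is made up for illustration.
SAMPLE_VIEW = """\
Port: 8080 IP: 0.0.0.0 Type: http
Properties: explicit, enabled
Port: 80 IP: 0.0.0.0 Type: http
Properties: transparent, explicit, enabled
Port: 8081 IP: 10.0.0.5 Type: http
Properties: transparent, enabled
"""

SERVICE_RE = re.compile(r"Port:\s*(\d+)\s+IP:\s*(\S+)\s+Type:\s*(\S+)")


def parse_services(view_text):
    """Turn `view` output into a list of dicts, one per service port."""
    services = []
    for line in view_text.splitlines():
        line = line.strip()
        match = SERVICE_RE.match(line)
        if match:
            port, ip, proto = match.groups()
            services.append({"port": int(port), "ip": ip, "type": proto,
                             "properties": set()})
        elif line.startswith("Properties:") and services:
            # A Properties line belongs to the service line just before it.
            props = line.split(":", 1)[1]
            services[-1]["properties"] = {p.strip() for p in props.split(",") if p.strip()}
    return services


def audit(services):
    """Return (port, message) for enabled services listening on every address."""
    findings = []
    for svc in services:
        props = svc["properties"]
        if "enabled" not in props or svc["ip"] != "0.0.0.0":
            continue  # disabled, or already limited to a specific IP
        # Assumption: 0.0.0.0 is how the "all" IP address value is displayed.
        mode = "transparent" if "transparent" in props else "explicit"
        findings.append((svc["port"], f"{mode} service bound to all IP addresses"))
    return findings


if __name__ == "__main__":
    for port, message in audit(parse_services(SAMPLE_VIEW)):
        print(f"port {port}: {message}")
```

Each finding is a candidate for step 3 of the Management Console procedure, limiting the service to a specific IP.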
