Goal: How to configure Transparent Proxy on BC 3.x.x
Transparent Proxies
To use transparent proxy, you must:
• Configure the network to redirect client requests.
• Create a transparent proxy service.
Configuring the Transparent Proxy Hardware
For transparent proxy to work, you must use one of the following:
• ProxySG Pass-Through card
• ProxySG software bridge
• Layer-4 switch
• WCCP
Setting up the Pass-Through Card for Hardware Bridging
The Blue Coat Systems Pass-Through card is a device that enables a bridge, using its two interface cards, so that packets can be forwarded across it. However, if the system crashes, the Pass-Through card fails open: the two Ethernet cables are connected to each other so that traffic continues to pass through without restriction. Configure a transparent service on the bridge's IP address just as you would for any other IP address, and it intercepts traffic as usual. The differences are:
• Forwarding: the bridge forwards traffic, but it does not intercept it unless global IP packet forwarding is enabled.
• It proxies requests arriving on either interface card, so if one side of the bridge is connected to your Internet connection, be careful: requests arriving from that side are proxied as well.
Setting up the ProxySG for Software Bridging
Blue Coat Systems supports a software or dynamic bridge that is constructed using a set of installed interface cards. Keep in mind the following about software bridges:
• The adapters must be of the same type. Although the software does not prevent you from configuring bridges with adapters of different types (10/100 or GIGE), the resulting behavior is unpredictable.
• IP addresses: if any of the interface ports to be added to the bridge already have IP addresses assigned to them, those IP addresses must be removed first.
Setting up a Layer-4 Switch for Transparent Proxy
In Transparent Proxy Acceleration, as traffic is sent to the origin server, any traffic sent on TCP port 80 is redirected to the ProxySG Appliances by the Layer 4 switch. The benefits of using a Layer 4 switch include:
• Built-in failover protection. In a multi-ProxySG setup, if one ProxySG fails, the Layer 4 switch can route to the next ProxySG.
• Request partitioning based on IP address instead of on HTTP transparent proxying. (This feature is not available on all Layer 4 switches.)
• ProxySG bypass prevention. You can configure a Layer 4 device to always go through the Blue Coat Systems ProxySG machine, even for requests to a specific IP address.
• ProxySG bypass enabling. You can configure a Layer 4 device to never go through the ProxySG.
The following are very generic directions for configuring transparent proxy using a Layer 4 switch and ProxySG Appliances. The steps to perform depend on the brand of Layer 4 switch. Refer to the Layer 4 switch manufacturer's documentation for details.
To set up transparent proxy using a Layer-4 switch and ProxySG:
From the Layer 4 switch:
1. Configure the Layer 4 switch according to the manufacturer's instructions.
2. Configure for global transparent cache switching (TCS). With global TCS, incoming traffic from all devices attached to all ports of the Layer-4 switch is redirected to the ProxySG. Assign an IP address, default gateway, and subnet mask to the Layer-4 switch.
3. Configure TCS using a global policy, enabling redirection for all ports.
4. Identify one or more ProxySG Appliances.
5. Create a device server group.
6. Apply the ProxySG name to the device group.
7. Configure Ethernet interface 2.
8. Disable the redirection policy for the port to which the ProxySG is connected.
9. Configure Ethernet interface 4.
10. Disable the redirection policy for the port to which the router is connected.
11. (Optional) Configure the Layer-4 switch for server load balancing.
12. Save the Layer-4 switch configuration.
From the ProxySG, all you need to do is:
• Define the appropriate IP configurations per the instructions in the Installation Guide that accompanied the ProxySG.
• Test the new network configuration.
Configuring WCCP for Transparent Proxy
WCCP is a Cisco®-developed protocol that allows you to establish redirection of the traffic that flows through routers. The main benefits of using WCCP are:
• Scalability: with no reconfiguration overhead, redirected traffic can be automatically distributed to up to 32 ProxySG Appliances.
• Redirection safeguards: if no ProxySG Appliances are available, redirection stops and the router forwards traffic to the original destination address.
For information on using WCCP with a Blue Coat Systems ProxySG, see Appendix C: "Using WCCP" on page 615.
IP Forwarding
IP Forwarding is a special type of transparent proxy. The ProxySG is configured to act as a gateway. The gateway is configured so that if a packet is addressed to the gateway's interface card, but not to its IP address, the packet is forwarded toward the final destination. (If IP forwarding is turned off, the packet is rejected as being mis-addressed.) By default, IP forwarding is set to off (disabled) to maintain a secure network.
To enable IP forwarding using the Management Console:
1. Select Configuration>Network>Routing>Gateways.
2. Select the Enable IP forwarding checkbox.
3. Click Apply.
To enable IP forwarding using the CLI:
At the (config) command prompt, enter the following command:
SGOS#(config)tcp-ip ip-forwarding enable
When upgrading to SGOS 2.x from CacheOS 4.x, the ProxySG retains the setting.
Important: When IP forwarding is enabled, be aware that all ProxySG ports are open and all the traffic coming through them is not subjected to policy, with the exception of the ports explicitly defined (Configuration>Services>Service Ports).
Creating a Transparent Proxy Service
As noted earlier, Blue Coat Systems recommends that you ignore authentication until the proxy service is configured and running. The example below uses HTTP. Note that two HTTP services are already configured and enabled on SGOS 3.1.x.
To create a transparent HTTP port service from the Management Console:
1. Select Configuration>Services>Service Ports.
2. Click New; the Add Service dialog appears. (Figure 6-9: HTTP Add Service Dialog)
3. The default IP address value is all. To limit the service to a specific IP, select the IP from the drop-down list.
4. In the Port field, specify a port number; select Enable.
5. In the Protocol drop-down list, select HTTP.
6. In the Attributes field, select Transparent.
7. Click OK; click Apply.
To create a transparent HTTP port service through the CLI:
At the (config) command prompt, enter the following commands:
SGOS#(config)services
SGOS#(config services)http
SGOS#(config services http)create [ip_address:]port
SGOS#(config services http)attribute transparent enable [ip_address:]port
SGOS#(config services http)enable [ip_address:]port
To view the results:
SGOS#(config services http)view
Port: 8080 IP: 0.0.0.0 Type: http Properties: explicit, enabled
Port: 80 IP: 0.0.0.0 Type: http Properties: transparent, explicit, enabled
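The following is an added example, not Blue Coat code: it renders the CLI sequence above for a chosen [ip_address:]port and parses the output of the `view` command (the sample lines are those shown on this page) to verify that the intended service is both transparent and enabled, which is the state the Important note on IP forwarding depends on. The helper names and the `audit` result format are this example's own.

```python
"""Check the 'view' output of SGOS 3.x 'config services http' and render the
CLI steps for a transparent HTTP service. Added example, not Blue Coat code."""
import re

# Sample output of 'SGOS#(config services http)view', copied from the page.
VIEW_OUTPUT = """\
Port: 8080 IP: 0.0.0.0 Type: http Properties: explicit, enabled
Port: 80 IP: 0.0.0.0 Type: http Properties: transparent, explicit, enabled
"""

_LINE = re.compile(
    r"Port:\s*(?P<port>\d+)\s+IP:\s*(?P<ip>[\d.]+)\s+Type:\s*(?P<type>\w+)"
    r"\s+Properties:\s*(?P<props>.*)$")


def parse_view(text):
    """Return one dict per service line; the properties become a set."""
    services = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            services.append({
                "port": int(m["port"]), "ip": m["ip"], "type": m["type"],
                "props": {p.strip() for p in m["props"].split(",") if p.strip()},
            })
    return services


def transparent_service_cli(target):
    """The page's CLI commands, in order, for target = 'port' or 'ip:port'."""
    return ["services", "http", f"create {target}",
            f"attribute transparent enable {target}", f"enable {target}"]


def audit(services, port=80, ip="0.0.0.0"):
    """Report whether a transparent, enabled HTTP service listens on ip:port.
    0.0.0.0 is how the appliance displays the default 'all' address."""
    for s in services:
        if s["port"] == port and s["ip"] == ip and s["type"] == "http":
            missing = {"transparent", "enabled"} - s["props"]
            return {"found": True, "ok": not missing, "missing": sorted(missing)}
    return {"found": False, "ok": False, "missing": ["transparent", "enabled"]}


if __name__ == "__main__":
    svcs = parse_view(VIEW_OUTPUT)
    print(audit(svcs))         # port 80: transparent and enabled
    print(audit(svcs, 8080))   # port 8080: explicit only, transparent missing
    print("\n".join(transparent_service_cli("80")))
```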