10-14-2010 05:58 PM
Hi All,
Infrastructure : Internet FW <--> IPS <--> Core SW
RA VPN users terminate on the FW and split-tunneling is currently in place.
Adding a Bluecoat proxy in Transparent mode. The main purpose is intercepting 'https' requests from internal clients for DLP (Data Loss Prevention). Not interested in web filtering. So the infrastructure after the proxy...
Internet FW <--> IPS <--> Transparent Proxy <--> Core SW
1. Is this a better place to add the proxy?
2. The current proxy does not have enough ports to add the FW DMZ inline. Is it normal practice to add a DMZ (with servers, no user PCs) to the proxy?
3. Now, if split-tunneling is removed and the VPN clients are forced to use the organization's Internet, when the RA VPN users terminate on the FW, do their Internet requests still pass through the proxy? If not, how can they be made to pass through the proxy?
TIA
MS
10-14-2010 06:25 PM
You might need to design the transparent proxy solution with Bluecoat to confirm how it will actually work out as a solution.
Things that you may want to check out are:
- Which device will be redirecting the web traffic towards BlueCoat?
- Does the device performing the redirection support the transparent proxy solution that BlueCoat supports? I guess it would be WCCP to redirect the traffic to BlueCoat, right?
- It would be best that the BlueCoat proxy server is on its own DMZ; however, there are a few things that you have to look out for. You need to check if the network infrastructure that you have supports that capability. However, I have seen my company with BlueCoat within their internal networks.
- In terms of forcing the VPN Client traffic towards the BlueCoat in transparent proxy mode, again, you would need to check the network device that redirects the traffic to see if it is capable of redirecting that VPN Client traffic. If it does, you can configure a tunnel default gateway on the device that terminates the VPN (assuming that you are using a Cisco ASA or router to terminate the VPN).
10-14-2010 07:13 PM
Hi Jennifer,
Thank you for your reply.
Which device will be redirecting the web traffic towards BlueCoat? :
When users behind the core SW initiate an Internet request, it passes via Core SW --> Transparent proxy --> IPS --> FW --> Internet. Again, this is not for web filtering; it intercepts all the traffic, and when an https (ex: gmail.com) request passes through the proxy, it sends the decrypted form to an ICAP device to check the sensitivity of the data.
- Does the device performing the redirection support the transparent proxy solution that BlueCoat supports? I guess it would be WCCP to redirect the traffic to BlueCoat, right?
10-14-2010 08:09 PM
Is your BlueCoat actually inline between the Core Switch and the ASA firewall? ie: all traffic actually goes through BlueCoat?
If not, I don't quite understand how you are redirecting the HTTPS traffic towards BlueCoat. How do you actually redirect the HTTPS traffic towards BlueCoat? Normally a network device (router, or switch, or ASA) could be configured to redirect the HTTP or HTTPS traffic towards a transparent proxy device (like BlueCoat), otherwise, you would need to explicitly specify the BlueCoat proxy server normally either through your browser, or PAC file, or WPAD.
10-14-2010 08:12 PM
Correct. BC is inline.
Core SW <--> BC proxy <--> IPS <--> Internet FW (ASA5510) --> RA VPN clients terminate here. Thanks.
10-14-2010 08:22 PM
OK, if the BC proxy is inline, I am not too sure if the VPN client will work (purely in terms of routing).
One question to ask: for traffic towards the Internet, would the BC proxy initiate the connection to the Internet on behalf of the internal users and proxy the connection back towards the internal users? So from the ASA's point of view, for web traffic from internal users, would the ASA see the source as the BC proxy or the individual users' IP addresses?
Here are my thoughts on the traffic flow for the VPN client:
1) VPN Client with no split tunnel, so the traffic will be routed towards the ASA.
2) On the ASA, we can configure tunnel default gateway to route it towards the core switch
3) Upon routing it towards the core switch, would the BC proxy be intercepting the traffic from the other way, i.e., from outside towards inside? Because for the internal network, the BC proxy would be intercepting it from inside towards outside (Internet).
4) Assuming that it doesn't, the traffic will then arrive at core switch, which will perform the normal routing for internet traffic, and this will in turn go through BC proxy the normal way.
5) At this point, we need to understand my question above, on whether the BC proxy initiates/proxies the web traffic to the internet, or it just inspects it and the web traffic is sourced by the internal hosts themselves.
10-14-2010 08:38 PM
Hi Jennifer,
Would the ASA see the source as the BC proxy or the individual users' IP addresses? Users' IPs. The BC proxy just inspects the traffic but does not act as a proxy for the traffic.
2) On the ASA, we can configure a tunnel default gateway to route it towards the core switch: What is the command and where does it need to be added (under the RA policy config?)
3) Upon routing it towards the core switch, would the BC proxy be intercepting the traffic from the other way? It may not; I am not sure if BC can be set up that way. I need to check with the BC techs.
4) Assuming that it doesn't, the traffic will then arrive at the core switch, which will perform the normal routing for Internet traffic, and this will in turn go through the BC proxy the normal way. Sounds good. If (2) and (4) work, that is good enough.
5) It just inspects it and the web traffic is sourced by the internal hosts themselves. Correct, no proxy.
Thanks
MS
10-14-2010 09:59 PM
OK, if the ASA will see the source IP, then it would be a problem, because your IP pool subnet for the VPN client is supposed to be connected to the ASA outside interface, not the inside interface. When you route that traffic internally towards the core switch because the BC proxy is inline, the ASA will drop the packet because it sees the source IP address of the VPN client on the inside interface instead of the outside interface.
To trick that, you can perform NAT for the vpn client pool so the ASA will see different source address for vpn client traffic, however, you would need to test and design that accordingly and it can get complicated.
The tunnel default gateway command is as follows:
route inside 0.0.0.0 0.0.0.0 <core-switch-next-hop> tunneled
10-15-2010 01:18 PM
Hi Jennifer,
Thanks again. I had a call with the BC vendor and, per the tech, as the BC can act as a transparent and explicit proxy at the same time, if the VPN policy can push proxy server information to the clients when they remote-access the network, then the clients' Internet requests can pass via the proxy. Our head-end ASA's IOS is 7.2(4) and the VPN client version is 4.8.00.0440. Will this be an option at all?
The reason the tech is asking to 'push' proxy settings only when the client is connected is that, when the client is disconnected, he can still access the Internet.
Thanks
MS
10-15-2010 04:28 PM
You should be able to push the proxy settings explicitly after vpn client is connected, however, it only applies to Internet Explorer.
Here is the command reference for your perusal (within group-policy attributes):
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1791154
Hope that helps.
10-16-2010 07:54 AM
Great. Thank you Jennifer. As long as the BC works in the way the vendor mentioned, the config below will use the proxy for client computers only when they are connected via VPN. Is that correct?
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# msie-proxy server value <proxy-host>:8888
hostname(config-group-policy)# msie-proxy method use-server
I will try to test this if I get a demo unit from vendor.
Also, with reference to the same..
1. With remote offices connected via an L2L tunnel (terminating again on the ASA outside), if we configure the users' IE with proxy settings (with same-security-traffic permit intra-interface), the users may be able to use the proxy.
2. We have a separate ASA FW set up just for EasyVPN clients to come in, and they currently use their home Internet for browsing. So their PCs, with proxy settings, might as well use the proxy. Is that possible? The Internet path is something like: EasyVPN user request -> Local 5505 ASA -> EasyVPN tunnel -> Head-end 5510 ASA --> Core SW --> Proxy server --> HQ Internet FW -> Internet (reply flows back in the same direction). I already put the question to the vendor but want to get your suggestions as well.
Thanks
MS
10-16-2010 03:21 PM
Yes, you are absolutely right.
EasyVPN clients connecting to a different ASA would be even easier as far as routing is concerned. On the ASA that provides the Internet connection, you just have to make sure that you have a route back towards the core switch, and also NATting done for the EasyVPN client IP pool subnet.
Let us know how it goes with the testing. Thanks.
11-02-2010 06:44 AM
Hi Jennifer,
Thank you for your time and valuable suggestions. All the three tests (RA VPN, L2L and EZvpn) were successful.
MS
11-03-2010 10:11 PM
Excellent to hear, and thanks for the update and rating.
12-13-2010 06:53 PM
Hi Jennifer,
I was doing more testing with the proxy and, interestingly, I found that even when the proxy is inline with the transparent config, for the inside clients (connected to the internal switch) the Internet ASA sees the proxy IP as the source address. Please see below...
ASA# show xlate | include 10.60.101.
PAT Global 64.32.16.32(1151) Local 10.60.101.201(46777)
PAT Global 64.32.16.32(1150) Local 10.60.101.201(46776)
PAT Global 64.32.16.32(1149) Local 10.60.101.201(46775)
PAT Global 64.32.16.32(1148) Local 10.60.101.201(46774)
PAT Global 64.32.16.32(1146) Local 10.60.101.201(46773)
PAT Global 64.32.16.32(1145) Local 10.60.101.201(46772)
PAT Global 64.32.16.32(1144) Local 10.60.101.201(46771)
PAT Global 64.32.16.32(1143) Local 10.60.101.201(46770)
10.60.101.201: IP of the test proxy. 64.32.16.32: public IP for the ASA.
Considering this, if I add "route inside 0.0.0.0 0.0.0.0", as the proxy connection is 'established', they should hit the Internet. Does that make sense?
TIA
MS
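The xlate output above is the evidence that decides the routing question raised earlier in the thread (whether the ASA sees the proxy or the individual users as the source). As an added example, not part of the original thread or of any Cisco or Blue Coat tooling, here is a small parser that reads 'show xlate' lines and classifies the path as proxied (every translation originates from the proxy address), transparent (none does) or mixed. The first sample is the eight lines quoted in the post; the second sample, with inside client addresses 10.60.101.15 and 10.60.101.22, is constructed to show what a non-proxying transparent path would look like.

```python
import re
from collections import Counter

# Sample 1: the eight 'show xlate | include 10.60.101.' lines quoted in the post above
# (all translations originate from the test proxy, 10.60.101.201).
XLATE_PROXIED = """\
PAT Global 64.32.16.32(1151) Local 10.60.101.201(46777)
PAT Global 64.32.16.32(1150) Local 10.60.101.201(46776)
PAT Global 64.32.16.32(1149) Local 10.60.101.201(46775)
PAT Global 64.32.16.32(1148) Local 10.60.101.201(46774)
PAT Global 64.32.16.32(1146) Local 10.60.101.201(46773)
PAT Global 64.32.16.32(1145) Local 10.60.101.201(46772)
PAT Global 64.32.16.32(1144) Local 10.60.101.201(46771)
PAT Global 64.32.16.32(1143) Local 10.60.101.201(46770)
"""

# Sample 2 (constructed, an assumption): the same table if the proxy were purely
# transparent and the ASA saw each inside client's own address as the source.
XLATE_TRANSPARENT = """\
PAT Global 64.32.16.32(2001) Local 10.60.101.15(51000)
PAT Global 64.32.16.32(2002) Local 10.60.101.22(51001)
PAT Global 64.32.16.32(2003) Local 10.60.101.15(51002)
"""

# Matches 'PAT Global a.b.c.d(port) Local w.x.y.z(port)'; the port parts are optional
# so plain (non-PAT) NAT lines without ports are accepted too.
XLATE_RE = re.compile(
    r"^(?P<kind>PAT|NAT)\s+Global\s+(?P<global_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\((?P<global_port>\d+)\))?\s+Local\s+(?P<local_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\((?P<local_port>\d+)\))?\s*$"
)


def parse_xlate(text):
    """Parse 'show xlate' output into a list of dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "kind": d["kind"],
            "global_ip": d["global_ip"],
            "global_port": int(d["global_port"]) if d["global_port"] else None,
            "local_ip": d["local_ip"],
            "local_port": int(d["local_port"]) if d["local_port"] else None,
        })
    return entries


def local_sources(entries):
    """Count translations per inside (Local) address, i.e. who the ASA sees as the source."""
    return Counter(e["local_ip"] for e in entries)


def classify_path(entries, proxy_ip):
    """'proxied' if every translation's local address is the proxy, 'transparent' if
    none is, 'mixed' if both kinds appear, 'empty' if there are no entries."""
    if not entries:
        return "empty"
    from_proxy = sum(1 for e in entries if e["local_ip"] == proxy_ip)
    if from_proxy == len(entries):
        return "proxied"
    if from_proxy == 0:
        return "transparent"
    return "mixed"


if __name__ == "__main__":
    samples = (("page sample", XLATE_PROXIED), ("constructed sample", XLATE_TRANSPARENT))
    for name, text in samples:
        entries = parse_xlate(text)
        print(name, dict(local_sources(entries)), classify_path(entries, "10.60.101.201"))
```

On the quoted output the result is "proxied" with all eight translations from 10.60.101.201, which is why the ASA only needs to handle the proxy's address rather than every inside client's. Running the same check after a config change (for example after adding the tunneled default route) is a quick way to confirm that VPN client traffic is also leaving through the proxy rather than bypassing it.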