VPN Clients Internet Via Proxy

mvsheik123
Level 7

Hi All,

Infrastructure : Internet FW <--> IPS <--> Core SW

RA vpn users terminate on FW and currently split-tunneling is in place.

Adding a Bluecoat proxy in transparent mode. The main purpose is intercepting 'https' requests from internal clients for DLP (Data Loss Prevention); not interested in web filtering. So the infrastructure after the proxy...

Internet FW <--> IPS <--> Transparent Proxy <--> Core SW

1. Is this a better place to add the proxy?

2. The current proxy does not have enough ports to add the FW DMZ inline. Is it normal practice to add the DMZ (with servers, no user PCs) to the proxy?

3. Now, if split-tunneling is removed and the VPN clients are forced to use the organization's Internet, when the RA VPN users terminate on the FW, do their Internet requests still pass through the proxy? If not, how do I make them pass through the proxy?

TIA

MS


18 Replies

Jennifer Halim
Cisco Employee

You might need to design the transparent proxy solution with Bluecoat to confirm how it will actually work out as a solution.

Things that you may want to check out are:

- Which device will be redirecting the web traffic towards BlueCoat?

- Does the device performing the redirection support the transparent proxy solution that BlueCoat supports? I guess it would be WCCP to redirect the traffic to BlueCoat, right?

- It would be best that the BlueCoat proxy server is on its own DMZ; however, there are a few things that you have to look out for. You need to check if the network infrastructure that you have supports that capability. However, I have seen my company have BlueCoat within its internal networks.

- In terms of forcing the VPN Client traffic towards the BlueCoat in transparent proxy mode, again, you would need to check the network device that redirects the traffic to see if it is capable of redirecting that VPN Client traffic. If it does, you can configure a tunnel default gateway on the device that terminates the VPN (assuming that you are using a Cisco ASA or router to terminate the VPN).

Hi Jennifer,

Thank you for your reply.

Which device will be redirecting the web traffic towards BlueCoat? :

When users behind the core SW initiate an Internet request, it passes via Core SW --> Transparent proxy --> IPS --> FW --> Internet. Again, this is not for web filtering; it intercepts all the traffic, and when an https request (e.g. gmail.com) passes through the proxy, it sends the decrypted form to the ICAP device to check the sensitivity of the data.

- Does the device performing the redirection support the transparent proxy solution that BlueCoat supports? I guess it would be WCCP to redirect the traffic to BlueCoat, right?

At this point I am not planning to enable WCCP in the core SW, as performance may not be an issue. We tested in the lab environment in transparent mode, and without any client browser or switch config changes, Internet access via the proxy (including https request intercept to ICAP) worked fine. Did not have resources to check RA VPN.

- It would be best that the BlueCoat proxy server is on its own DMZ; however, there are a few things that you have to look out for. You need to check if the network infrastructure that you have supports that capability. However, I have seen my company have BlueCoat within its internal networks.

The primary reason we are planning for the proxy is the DLP project. So, it needs to be in the internal segment where user traffic comes in to go to the Internet.

As for the VPN client:

Yes.. the Internet firewalls are ASAs in Active/Passive mode and the VPN client terminates on the ASA. So when we disable the split tunnel, does the VPN user's Internet request go directly back to the Internet via the ASA, or will it be from the core SW? If not from the core SW, in order for the request to pass through the proxy, do I have to configure the core SW as the tunnel default gateway?

Thank you

MS

Is your BlueCoat actually inline between the Core Switch and the ASA firewall? ie: all traffic actually goes through BlueCoat?

If not, I don't quite understand how you are redirecting the HTTPS traffic towards BlueCoat. How do you actually redirect the HTTPS traffic towards BlueCoat? Normally a network device (router, or switch, or ASA) could be configured to redirect the HTTP or HTTPS traffic towards a transparent proxy device (like BlueCoat), otherwise, you would need to explicitly specify the BlueCoat proxy server normally either through your browser, or PAC file, or WPAD.

Correct. BC is inline.

Core SW <--> BC proxy <--> IPS <--> Internet FW (ASA5510) -- RA VPN clients terminate here.. Thanks.

OK, if the BC proxy is inline, I am not too sure if the VPN client will work (purely in terms of routing).

1 question to ask: for traffic towards the Internet, would the BC proxy initiate the connection to the Internet on behalf of the internal users and proxy the connection back towards the internal users? So from the ASA's point of view, for web traffic from internal users, would the ASA see the source as the BC proxy or the individual users' IP addresses?

Here are my thoughts on the traffic flow for the VPN client:

1) VPN Client with no split tunnel, so the traffic will be routed towards the ASA.

2) On the ASA, we can configure tunnel default gateway to route it towards the core switch

3) Upon routing it towards the core switch, would the BC proxy be intercepting the traffic from the other way, i.e. from outside towards inside? Because for the internal network, the BC proxy would be intercepting it from inside towards outside (Internet).

4) Assuming that it doesn't, the traffic will then arrive at core switch, which will perform the normal routing for internet traffic, and this will in turn go through BC proxy the normal way.

5) At this point, we need to understand my question above, on whether the BC proxy initiates/proxies the web traffic to the internet, or it just inspects it and the web traffic is sourced by the internal hosts themselves.

Hi Jennifer,

Would the ASA see the source as the BC proxy or the individual users' IP addresses? Users' IPs. The BC proxy just inspects the traffic but does not act as a proxy for the traffic.

2) On the ASA, we can configure a tunnel default gateway to route it towards the core switch: What is the command and where does it need to be added (under the RA policy config?)

3) Upon routing it towards the core switch, would the BC proxy be intercepting the traffic from the other way? It may not; I am not sure if BC can be set up that way. I need to check with the BC techs.

4) Assuming that it doesn't, the traffic will then arrive at the core switch, which will perform the normal routing for Internet traffic, and this will in turn go through the BC proxy the normal way. Sounds good. If (2) and (4) work, that is good enough.

5: It just inspects it and the web traffic is sourced by the internal hosts themselves. - Correct, no proxy.

Thanks

MS

OK, if the ASA will see the source IP, then it would be a problem, because your IP pool subnet for the VPN client is supposed to be connected to the ASA outside interface, not the inside interface. When you route that traffic internally towards the core switch because the BC proxy is inline, the ASA will drop the packet because it sees the source IP address of the VPN client on the inside interface instead of the outside interface.

To get around that, you can perform NAT for the VPN client pool so the ASA sees a different source address for VPN client traffic; however, you would need to test and design that accordingly, and it can get complicated.

The tunnel default gateway command is as follows:

route inside 0.0.0.0 0.0.0.0 <core-switch-next-hop> tunneled

Hi Jennifer,

Thanks again. I had a call with the BC vendor, and per the tech, as the BC can act as a transparent and explicit proxy at the same time, if the VPN policy can push proxy server information to the clients when they remote-access the network, then the clients' Internet requests can pass via the proxy. Our head-end ASAs' IOS is 7.2(4) and the VPN client version is 4.8.00.0440. Will this be an option at all?

The reason the tech is asking for 'push' proxy settings only when the client is connected is that when the client is disconnected he can still access the Internet.

Thanks

MS

You should be able to push the proxy settings explicitly after vpn client is connected, however, it only applies to Internet Explorer.

Here is the command reference for your perusal (within group-policy attributes):

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1791154

Hope that helps.

Great. Thank you Jennifer. As long as the BC works in the way the vendor mentioned, the below config will use the proxy for client computers only when they are connected via VPN. Is that correct?

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# msie-proxy server :port 8888

hostname(config-group-policy)# msie-proxy method use-server

I will try to test this if I get a demo unit from vendor.

Also, with reference to the same..

1. With remote offices connected via L2L tunnel (terminating again on the ASA outside), if we configure the users' IE with proxy settings (with same-security-traffic permit intra-interface), the users may be able to use the proxy.

2. We have a separate ASA FW set just for EasyVPN clients to come in, and they currently use home Internet for browsing. So their PCs, with proxy settings, might as well use the proxy. Is that possible? The Internet path is something like:
   EasyVPN user request -> Local 5505 ASA -> EasyVPN tunnel -> Headend 5510 ASA --> Core SW --> Proxy server --> HQ Internet FW -> Internet (reply flows back in the same direction)

I already put the question to the vendor but want to get your suggestions as well.

Thanks

MS
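To show how the pieces discussed in this thread fit together on the head-end ASA, here is an added example configuration; it is not the poster's or Cisco's configuration. It assumes ASA 7.2(4)-era syntax, a client pool of 192.168.250.0/24, a core switch next hop of 10.60.101.1, the proxy at 10.60.101.201 listening on port 8080 (the port is a placeholder), and the names RA-POOL, RA-POLICY and RA-GROUP, none of which appear in the thread.

```cisco
! Added example configuration (not from the thread). Assumed values: pool
! 192.168.250.0/24, core switch next hop 10.60.101.1, proxy 10.60.101.201:8080
! (port is a placeholder), names RA-POOL / RA-POLICY / RA-GROUP.
!
! 1. Address pool handed to the RA VPN clients.
ip local pool RA-POOL 192.168.250.1-192.168.250.254 mask 255.255.255.0
!
! 2. Client traffic enters the ASA on the outside interface (inside the tunnel)
!    and, after the hairpin through the core switch and inline proxy, leaves on
!    the same interface, so intra-interface traffic must be permitted.
same-security-traffic permit intra-interface
!
! 3. Tunnel default gateway: decrypted VPN traffic with no more specific route
!    is sent toward the core switch (and therefore through the inline proxy)
!    instead of straight back out to the Internet. A next hop is required.
route inside 0.0.0.0 0.0.0.0 10.60.101.1 tunneled
!
! 4. Group policy: no split tunnel, and push the explicit proxy to the client's
!    Internet Explorer only while the VPN session is up. local-bypass keeps
!    local addresses off the proxy.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 msie-proxy server value 10.60.101.201:8080
 msie-proxy method use-server
 msie-proxy local-bypass enable
!
! 5. Bind the pool and policy to the remote-access tunnel group.
tunnel-group RA-GROUP type ipsec-ra
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
!
! Checks after a client connects:
!   show route                          - tunneled default route present on inside
!   show vpn-sessiondb remote           - client session and assigned pool address
!   show xlate | include 10.60.101.201  - whether the proxy, rather than the
!                                         client pool, appears as the Local address
```

The `show xlate` check at the end is the same test the thread later uses: if only the proxy address appears as Local, the proxy is sourcing the outbound flows itself and the reverse-path concern about pool addresses arriving on the inside interface does not arise; if pool addresses appear, the NAT for the pool that the thread mentions is still needed.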

Yes, you are absolutely right.

An EasyVPN client connecting to a different ASA would be even easier as far as routing is concerned. On the ASA that provides the Internet connection, you just have to make sure that you have a route back towards the core switch, and also NATing done for the EasyVPN client IP pool subnet.

Let us know how it goes with the testing. Thanks.

Hi Jennifer,

Thank you for your time and valuable suggestions. All the three tests (RA VPN, L2L and EZvpn) were successful.

MS

Excellent to hear, and thanks for the update and rating.

Hi Jennifer,

I was doing more testing with the proxy, and interestingly I found that even when the proxy is inline with a transparent config, for the inside clients (connected to the internal switch) the Internet ASA sees the proxy IP as the source address. Please see below...

ASA# show xlate | include 10.60.101.

PAT Global 64.32.16.32(1151) Local 10.60.101.201(46777)
PAT Global 64.32.16.32(1150) Local 10.60.101.201(46776)
PAT Global 64.32.16.32(1149) Local 10.60.101.201(46775)
PAT Global 64.32.16.32(1148) Local 10.60.101.201(46774)
PAT Global 64.32.16.32(1146) Local 10.60.101.201(46773)
PAT Global 64.32.16.32(1145) Local 10.60.101.201(46772)
PAT Global 64.32.16.32(1144) Local 10.60.101.201(46771)
PAT Global 64.32.16.32(1143) Local 10.60.101.201(46770)

10.60.101.201: IP of the test proxy. 64.32.16.32: public IP of the ASA.

Considering this, if I add the "route inside 0.0.0.0 0.0.0.0 <core-switch-next-hop> tunneled" command to the ASA, all the VPN clients should route to the proxy, and from there, as the proxy connection is 'established', they should hit the Internet. Does that make sense?

TIA

MS
