
VPN Clients Internet Via Proxy

mvsheik123
Level 7

Hi All,

Infrastructure : Internet FW <--> IPS <--> Core SW

RA vpn users terminate on FW and currently split-tunneling is in place.

Adding a Bluecoat proxy in Transparent mode - main purpose is for intercepting 'https' requests from internal client for DLP (Data Loss Prevention). Not interested in web filtering. So the infrastructure after proxy...

Internet FW <--> IPS <--> Transparent Proxy <--> Core SW

1. Is it a better place to add the proxy?

2. Current proxy does not have enough ports to add FW DMZ inline. Is it normal practice to add DMZ (with servers, no user PCs) to Proxy?

3. Now if split-tunneling is removed and the VPN clients are forced to use the organization's Internet, when the RA VPN users terminate on FW, do their internet requests still pass through the proxy? If not, how to make them pass through the proxy?

TIA

MS

18 Replies

You might not want to do "route inside 0.0.0.0 0.0.0.0 tunnelled" because all traffic (inc. all protocols and ports) even though they are not supposed to be destined to the proxy will be routed to the proxy ip.

I believe that your proxy will only handle certain protocols, e.g. http, https, ftp, etc., so if you configure the above tunnel default gateway for the VPN traffic, other applications, e.g. mail, DNS, etc., will be routed to the proxy server too.

Thanks again for the quick reply. But here the ASA will know the internal network via OSPF. What syntax may work: route inside or route outside (for RA VPN users to use the proxy for internet traffic)? The BC is sitting 'inside' the ASA. Thanks again.

MS

It would be "route inside" if internet connection is connected to the inside interface of the ASA.

Hi Mvsheik,

Could you please let me know how you make your RA VPN users connect to the internet using the BC proxy?

Having somewhat the same scenario as yours.