cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
12853
Views
10
Helpful
18
Replies
mvsheik123
Rising star

VPN Clients Internet Via Proxy

Hi All,

Infrastructure : Internet FW <--> IPS <--> Core SW

RA vpn users terminate on FW and currently split-tunneling is in place.

Adding a Bluecoat proxy in Transparant mode -main purpose is for intercepting 'https' requests from internal client for DLP (Data Loss prevention). Not intersted in Webfiltering. So the infrastructure after proxy...

Internet FW <--> IPS <--> Tranparant Proxy <--> Core SW

1. Is it better place to add the proxy?

2. Current proxy does not have enough ports to add FW DMZ inline. Is it normal practice to add DMZ (with servers, no user PCs) to Proxy?

3. Now if Split-tunneling is removed and force the VPN clients to use organization Internet, when the RA vpn users terminate on FW, does their internet

   requests still pass thru proxy? If not how to make them pass thru proxy.

TIA

MS

18 REPLIES 18

You might not want to do "route inside 0.0.0.0 0.0.0.0 tunnelled" because all traffic (inc. all protocols and ports) even though they are not supposed to be destined to the proxy will be routed to the proxy ip.

I believe that your proxy will only certain protocols, eg: http, https, ftp, etc, so if you configure the above tunnel default gateway for the vpn traffic, other applications eg: mail, dns, etc will be routed to the proxy server too.

Thanks again for quick reply. But here ASA will know internal network via OSPF. What syntax may work?.. route inside or route outside (for RA vpn users to use proxy for internet traffic). The BC is sitting 'inside' the ASA. Thanks again.

MS

It would be "route inside" if internet connection is connected to the inside interface of the ASA.

Hi Mvsheik,

 

Could you please let me know how you make your RA Vpn users connect to internet using BC proxy.

 

Having some what same scenario as yours

Create
Recognize Your Peers
Content for Community-Ad