04-24-2012 05:11 AM
Hi,
We have an application on the internal network that is not proxiable.
We already deployed Ironport WSA in inline mode.
We need to let port 1500 pass through to the internet and back to the application.
Do you have any idea how we can do this?
Another question:
If we make the ironport WSA a gateway for workstations, can we consider this a transparent deployment?
Thanks
Accepted Solutions
05-02-2012 11:19 AM
By inline mode, do you perhaps mean explicit request?
Specifying the WSA as a gateway will not work, as the WSA will never route traffic between interfaces.
For transparent deployment you require e.g. an IOS router, configured with WCCP or L4 forwarding to redirect traffic to the WSA. Within the router configuration you can also create exceptions for this application and bypass port 1500 as required.
Remember, WSA is a proxy "only". To gain the most out of it, you tie it together with a router that supports WCCP.
05-14-2012 06:22 AM
Hi
Yes, inline mode that receives only HTTP requests. Just want to ask about the vulnerability of Ironport when we assign the P2 interface the public IP address.
We chose the P2 interface because, by default, it is not listening for proxy requests, unlike P1, which is open for proxy requests.
Choosing P2 therefore doesn't make Ironport an open proxy.
My main concern is the attacks coming from the internet/public. How will Ironport deal with them?
thanks
05-17-2012 11:59 PM
Hi,
In general, if the proxy port is reachable from the internet (I would recommend forbidding this via an ACL on e.g. your WCCP router ahead of it), the best recommendation is to ensure the (Default) Identity matching will refuse proxy usage.
The P1/P2 interface has been designed to split client traffic (P1) <-> from the server side traffic (P2).
The WSA has been hardened to never route or forward packets between interfaces for this reason.
As in this case the proxy is not binding (listening) to this port, it is very unlikely to create e.g. an open proxy. To be assured, you may still configure the Identity to block by default any outside traffic not sourced from your infrastructure.
Cheers,
Stephan
