Applications bypass proxy

Hi,

We have applications on the internal network that are not proxiable.

We already deployed IronPort WSA in inline mode.

We need to let port 1500 pass through to the internet and back to the application.

Do you have any idea how we can do this?

Another question:

If we make the IronPort WSA a gateway for workstations, can we consider this a transparent deployment?

Thanks

3 Replies

sfiebran
Cisco Employee

With inline mode, do you perhaps mean explicit requests?

Specifying the WSA as a gateway will not work, as the WSA will never route traffic between interfaces.

For a transparent deployment you require e.g. an IOS router, configured with WCCP or L4 forwarding to redirect traffic to the WSA. Within the router configuration you can also create exceptions for this application and bypass port 1500 as required.

Remember, the WSA is a proxy "only". To gain the most out of it, you tie it together with a router that supports WCCP.

Hi

Yes, inline mode that receives only HTTP requests. I just want to ask about the vulnerability of IronPort when we assign the P2 interface the public IP address.

We chose the P2 interface because, by default, it is not listening for proxy requests, unlike P1, which is open for proxy requests.

Choosing P2 therefore doesn't make IronPort an open proxy.

My main concern is the attacks coming from the internet/public. How will IronPort deal with them?

thanks

sfiebran
Cisco Employee

Hi,

In general, if the proxy port is reachable from the internet (I would recommend forbidding this via an ACL on e.g. your WCCP router ahead of it), the best recommendation is to ensure that the (Default) Identity matching will refuse proxy usage.

The P1/P2 interfaces have been designed to split client traffic (P1) <-> from the server-side traffic (P2).

The WSA has been hardened to never route or forward packets between interfaces for this reason.

As in this case the proxy is not binding (listening) to this port, it is very unlikely to create e.g. an open proxy. To be sure, you may still configure the Identity to block by default any outside traffic not sourced from your infrastructure.

Cheers,

Stephan
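The two recommendations in this thread (bypass port 1500 in the WCCP redirect rules, and shield the proxy port from the internet with an ACL on the router in front of the WSA) put together as an added IOS configuration example; this is not configuration from the thread or from Cisco. Assumed values: 10.0.0.0/8 is the internal client range, 10.1.1.10 is the WSA, Gi0/0 faces the LAN and Gi0/1 the internet, and 3128 is the WSA proxy port (its default).

```cisco
! Constructed example, not from the thread. Assumed addressing:
! 10.0.0.0/8 = internal clients, 10.1.1.10 = WSA, 3128 = WSA proxy port.

! Redirect list: anything matched by "deny" is NOT redirected to the WSA.
ip access-list extended WCCP-REDIRECT
 remark application on TCP/1500 goes straight out, bypassing the proxy
 deny   tcp 10.0.0.0 0.255.255.255 any eq 1500
 remark never redirect the WSA's own outbound traffic
 deny   tcp host 10.1.1.10 any
 permit tcp 10.0.0.0 0.255.255.255 any eq www

! Only the WSA is allowed to join the WCCP service group.
ip access-list standard WCCP-SERVERS
 permit 10.1.1.10

ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SERVERS

interface GigabitEthernet0/0
 description LAN (clients)
 ip wccp web-cache redirect in

! Internet-facing ACL: drop inbound connections to the proxy port so the
! WSA cannot be reached as an open proxy, independent of its Identity policy.
ip access-list extended OUTSIDE-IN
 deny   tcp any host 10.1.1.10 eq 3128
 permit tcp any any established
 deny   ip any any log

interface GigabitEthernet0/1
 description Internet
 ip access-group OUTSIDE-IN in
```

Verify the bypass with `show ip wccp web-cache detail` on the router and confirm that port 1500 sessions never appear in the WSA access log.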
