Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
814
Views
0
Helpful
3
Replies

Ironport URL routing - possible?

colinritchie1982
Level 1
Level 1

‎07-03-2013 06:05 AM

Hi,

I have to first confess to not being very proxy aware (pardon the pun) so apologies if this is a silly question.

We currently have a unique challenge that I was hoping Ironport might be able to solve.  What we want to do is dedicate some bandwidth (at the internet edge) for a particular URL.  Currently all URLs are proxy'd to the same IP and therefore all inbound traffic must be treated equally.

What I was hoping to do is design a solution whereby the Ironport has 2 NICs; General traffic will flow over NIC1, and specific URLs will flow over NIC2.  This allows me to NAT the addresses to different IPs and dedicate bandwidth for "special" URLs, while at the same time utilising the same hardware.

An even better solution for me would be if we could create 2 virtual instances on the Ironport.  We could then have seperate entries in our pac file pointing to the 2 NICs.

Are either of these possible?

Regards,

Colin Ritchie

Labels:
Preview file
83 KB
0 Helpful
3 Replies 3

Chris Illsley
Level 3
Level 3

‎07-03-2013 07:38 AM

Hi Colin,

You can't specify routes via URLs as such, but if you know the IP addresses it is possible by defining routes, eithe rin the Network - Routes tab or using routeconfig from the CLI.

Thanks

Chris

0 Helpful

Ken Stieers
VIP
VIP

‎07-03-2013 08:27 AM

Colin,

You don't mention what URLS you want bandwith limited, but if its the typical streaming apps (Hulu, Netflix, YouTube, etc.) look at the Application Visiblity and Control stuff.   You can pick and chose by application.

On a current hardware box, you can't set up "instances" on the box, but you should be able to get the VM version of Ironport and then you can set up as many virutal Ironport boxes as you want...

Ken

0 Helpful

colinritchie1982
Level 1
Level 1
In response to Ken Stieers

‎07-04-2013 02:57 AM

Thanks for your feedback.

What we are actually looking to do is dedicate bandwidth for SaaS applications.  We want to mark the traffic without relying on IP addresses; as SaaS deployments increase this won't be very managable.

Virtual Ironports looks like a great option, and the cost model looks good.  Another option might be Next Gen Firewalls to mark the traffic at Layer 7 towards the internet.

Maybe we can even write a policy that marks the DSCP value based on the URL?

Colin

0 Helpful
Customers Also Viewed These Support Documents