WSA Global Bypass list | Source IP Address Change

Hi,

 

We have deployed our Proxy in Transparent Mode, and have a requirement to add some of the URLs to the Global Bypass List of WSA (Web Security Manager > Bypass Settings).

 

If we add a Source Client IP or Destination Server IP (Internet), will that specific traffic flow take the IP of the WSA (P1), or does that traffic go without any IP change, i.e. source and destination IP remain the same?

 

Thanks,

Vishnu

 

3 Replies

Assuming I understood how it was described to me correctly, the bypass list informs the WCCP process to not look at or forward that traffic to the WSA, so the packets don't get changed; they appear to come from your workstations and go straight to the destination.

Handy Putra
Cisco Employee

Hi Vishnu,

 

When using WCCP, WSA negotiates with the router/switch/firewall that we want to return the forwarded packets (so the traffic will still be redirected to WSA initially). If the packet was forwarded via the L2 method, packets would then be forwarded towards the ultimate destination (the URL that you want to bypass) just like normal proxy packets would (but please remember that the source IP would not be rewritten to use WSA's IP).

If packets are forwarded via the GRE method, WSA would send the packets back through the same GRE interface on which they came in to WSA (so back to the WCCP server: switch/router/firewall).

 

When using an L4 switch, extra caution is required to prevent forwarding loops. The switch would forward traffic to WSA, and if the forwarded packet matches what is in its "proxy bypass" list, WSA would forward it back to its ultimate destination. The switch somehow needs to know not to forward those packets back to WSA. Normally this is done by bypassing anything that has WSA's IP as the source address, but in this case the source IP is untouched, hence has the real client's IP. This means the switch needs to be configured not to forward back packets which have the source MAC of WSA's interface.

 

Hope this helps

 

Regards

Handy Putra
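The forwarding-loop scenario in the answer above, as an added toy model that is not part of this thread and is not Cisco, WSA or switch code: a client packet goes switch -> WSA -> switch, and the switch's "do not redirect again" rule is evaluated either on the source IP (the usual rule) or on the source MAC (what the answer recommends). All addresses, the bypass-list entry and the redirect cap are constructed assumptions. The model shows why the IP-based exclusion never matches for bypassed traffic, since the WSA leaves the client's source IP in place, while the MAC-based exclusion does.

```python
# Added example, not from the thread and not Cisco/WSA code: a toy model of
# an L4 switch redirecting traffic to a WSA that has a proxy bypass list.
# All addresses below are constructed placeholders.
from dataclasses import dataclass, field

WSA_IP = "10.0.0.10"                 # assumed WSA P1 interface address
WSA_MAC = "00:aa:bb:cc:dd:01"        # assumed MAC of that interface
CLIENT_IP = "192.168.1.25"           # constructed client
CLIENT_MAC = "00:11:22:33:44:55"
BYPASS_LIST = {"203.0.113.50"}       # constructed destination in the WSA bypass list
MAX_REDIRECTS = 5                    # cap so a loop is detected instead of running forever


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    path: list = field(default_factory=list)


def wsa_handle(pkt: Packet) -> Packet:
    """WSA decision (as described in the answer): a bypass-listed destination is
    forwarded with the source IP untouched, so only the source MAC becomes the
    WSA's; everything else is proxied and leaves with the WSA's own IP."""
    pkt.path.append("wsa")
    if pkt.dst_ip in BYPASS_LIST:
        return Packet(pkt.src_ip, pkt.dst_ip, WSA_MAC, pkt.path)
    return Packet(WSA_IP, pkt.dst_ip, WSA_MAC, pkt.path)


def switch_excludes(pkt: Packet, exclude_by: str) -> bool:
    """Switch rule for 'this packet must not be redirected to the WSA again'."""
    if exclude_by == "ip":
        return pkt.src_ip == WSA_IP      # usual rule: exclude packets sourced from the WSA's IP
    if exclude_by == "mac":
        return pkt.src_mac == WSA_MAC    # rule from the answer: exclude the WSA's source MAC
    raise ValueError(f"unknown exclusion mode: {exclude_by}")


def simulate(dst_ip: str, exclude_by: str):
    """Send one client packet through switch -> WSA -> switch ... until it reaches
    the Internet or the redirect cap is hit. Returns (looped, path)."""
    pkt = Packet(CLIENT_IP, dst_ip, CLIENT_MAC)
    redirects = 0
    while True:
        pkt.path.append("switch")
        if switch_excludes(pkt, exclude_by):
            pkt.path.append("internet")
            return False, pkt.path
        redirects += 1
        if redirects > MAX_REDIRECTS:
            return True, pkt.path        # the switch kept handing the packet back to the WSA
        pkt = wsa_handle(pkt)


if __name__ == "__main__":
    for dst, mode in [("198.51.100.7", "ip"), ("203.0.113.50", "ip"), ("203.0.113.50", "mac")]:
        looped, path = simulate(dst, mode)
        print(f"dst={dst} exclude_by={mode} looped={looped} path={' -> '.join(path)}")
```

Proxied traffic is fine under either rule because the WSA rewrites the source IP. Bypassed traffic keeps the client's IP, so the IP-based rule never fires and the packet bounces between switch and WSA until the cap; only the MAC-based rule lets it out.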

Thanks Handy,

 

-Vishnu.