04-29-2018 01:53 PM - edited 03-08-2019 07:44 PM
Hi,
We have deployed our proxy in Transparent Mode, and have a requirement to add some of the URLs to the Global Bypass List of the WSA (Web Security Manager > Bypass Settings).
If we add a source client IP or a destination server IP (Internet), will that specific traffic flow take the IP of the WSA (P1), or does that traffic go without any IP change, i.e. the source and destination IPs remain the same?
Thanks,
Vishnu
04-29-2018 02:02 PM
04-29-2018 04:33 PM
Hi Vishnu,
When using WCCP, the WSA negotiates with the router/switch/firewall that we want to return the forwarded packets (so the traffic will still be redirected to the WSA initially). If the packet was forwarded via the L2 method, packets would then be forwarded towards the ultimate destination (the URL that you want to bypass) just like normal proxy packets would (but please remember that the source IP would not be rewritten and would not use the WSA's IP).
If packets are forwarded via the GRE method, the WSA would send the packets back through the same GRE interface through which they came in to the WSA (so back to the WCCP server - switch/router/firewall).
When using an L4 switch, extra caution is required to prevent forwarding loops. The switch would forward traffic to the WSA, and if the forwarded packet matches what is in its "proxy bypass" list, the WSA would forward it back to its ultimate destination. The switch somehow needs to know not to forward those packets back to the WSA. Normally this is done by bypassing anything that has the WSA's IP as a source address, but in this case the source IP is untouched, hence has the real client's IP. This means the switch needs to be configured not to forward back packets which have the source MAC of the WSA's interface.
Hope this helps
Regards
Handy Putra
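The forwarding loop described in the answer above can be traced with a small model. This is an added example, not part of the original thread and not Cisco code: the addresses, the 80/443 redirect rule, the function names and the assumption that proxied (non-bypassed) traffic leaves with the WSA's own IP are all constructed for illustration.

```python
# Constructed model of the L4-switch loop; not Cisco code or configuration.
# All addresses, names and the 80/443 redirect rule are assumptions.
from dataclasses import dataclass

WSA_IP, WSA_MAC = "10.0.0.5", "00:00:5e:00:53:05"
CLIENT_IP, CLIENT_MAC = "10.0.1.20", "00:00:5e:00:53:20"
BYPASS_DESTS = {"203.0.113.10"}  # destination server IP on the WSA bypass list
MAX_HOPS = 8                     # redirects tolerated before we call it a loop

@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int

def exclude_by_src_ip(f):
    # Usual switch rule: never redirect traffic sourced from the WSA's IP.
    return f.src_ip == WSA_IP

def exclude_by_src_mac(f):
    # Rule the answer calls for: never redirect frames sent by the WSA's interface.
    return f.src_mac == WSA_MAC

def switch_redirects(f, exclude):
    # The switch sends web traffic to the WSA unless the exclusion rule matches.
    return f.dst_port in (80, 443) and not exclude(f)

def wsa_handle(f):
    # Whatever the WSA emits carries the MAC of its own interface.
    if f.dst_ip in BYPASS_DESTS:
        # Bypassed: the client's source IP is left untouched.
        return Frame(WSA_MAC, f.src_ip, f.dst_ip, f.dst_port)
    # Proxied (assumed default): outbound traffic uses the WSA's IP.
    return Frame(WSA_MAC, WSA_IP, f.dst_ip, f.dst_port)

def trace(dst_ip, exclude):
    """Follow one client flow; return (path, looped)."""
    f = Frame(CLIENT_MAC, CLIENT_IP, dst_ip, 443)
    path = []
    for _ in range(MAX_HOPS):
        if not switch_redirects(f, exclude):
            path.append("switch->internet")
            return path, False
        path.append("switch->wsa")
        f = wsa_handle(f)
    return path, True  # still being redirected after MAX_HOPS

if __name__ == "__main__":
    for rule in (exclude_by_src_ip, exclude_by_src_mac):
        print(rule.__name__, trace("203.0.113.10", rule))
```
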
04-30-2018 12:05 AM - edited 05-14-2018 12:12 PM
Thanks Handy,
-Vishnu.