Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1437
Views
0
Helpful
5
Replies

WSA Network Placement Best Practice

Tim Jackson
Level 1
Level 1

‎12-14-2016 07:08 AM

We are currently looking to move to virtual appliances and in the process simplify our design a bit. In our current layout (explicit forward), we have P1 on the internal network and P2 in the DMZ. We don't like giving our virtual infrastructure access to both internal and DMZ VLANS. My thought is to use a single interface design on the WSA (P1) and place it on our internal network with an outbound only direct NAT'd connection to the internet.

What is the best practice in this case? If it is one internal interface only, should it be segmented into it's own VLAN for any reason? We would normally place it in our server VLAN.

Thanks,

Tim

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Ken Stieers
VIP
VIP

‎12-14-2016 07:52 AM

We have a vlan that's "between" the servers and the firewalls, and put the WSA there...

Since we're using WCCP, and we fail open, we don't nat it to its own IP externally so my workstations always look like they're coming from the same IP.   There's no reason you couldn't/shouldn't NAT it though...

0 Helpful

tahscolony
Level 1
Level 1

‎01-06-2017 08:29 AM

Not sure there is a Best Practice as no two networks are the same. However, a good practice would be to have the gateway of last resort, IE the firewall use WCCP to redirect whichever protocols you want the WSA to scan, http, https, ftp, etc. and redirect all that traffic to the WSA, then static NAT the WSA to a public IP so all traffic to the net comes up as the WSA.

An upside of this, when you have an incident and need to track down who did what based on the public IP, you will have to know where the destination was, then go through the logs on the WSA to find the internal IP involved, where if you were just natting out to the internet , you won't have those records.

Another upside, if you have servers, or other hosts that need to bypass WSA, either permanent or temporary, you can create a WCCP exemption on the firewall for that host instead of having to write rules on the WSA and hope they work, as they don't always work as I keep finding out.

I am not 100% certain you could do this, but maybe have one interface in the Inside for internal host proxy, and another interface in the DMZ for DMZ proxy? 

0 Helpful

Ken Stieers
VIP
VIP
In response to tahscolony

‎01-06-2017 08:40 AM

Re: wccp bypass :   I've found that forcing a wccp restart (kick the proxy, change the wcxp logging level, disable/enable wccp on the firewall there may be othera) will make it pick up the bypass settings.  And recently (since 9.1??) I haven't needed to...

0 Helpful

tahscolony
Level 1
Level 1
In response to Ken Stieers

‎01-06-2017 08:57 AM

If you do AD authentication with the Proxy, whenever you kick the proxy, unless they are using NTLM with IE, they will need to reauthenticate, and MAC users are the WORST when it comes to this! :)

0 Helpful

Ken Stieers
VIP
VIP
In response to tahscolony

‎01-06-2017 09:01 AM

We use CDAs, so the auth happens transparently and I'm blessed with zero MACs...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents