[j-nsp] SSG20 & PBR to Web Proxy

Josh Farrelly josh at base-2.co.nz
Tue May 1 00:37:55 EDT 2012


Hi guys.

We have a customer who'd like to implement a transparent web proxy
configuration using a Sophos Web Appliance. They sit behind an SSG20
that connects them to the Internet. I'm suggesting the proxy will have
an IP in the LAN range.

I've confirmed with Sophos that the proxy will correctly handle
connections if we policy-route any packets matching a destination port
of TCP 80 & 443 to it using the firewall; however, I'm a little confused
about how the return traffic should be handled.

I don't believe the proxy will rewrite the layer 3 address of the
packets it sends out, so return traffic back from the external web
servers will be (theoretically) sent back to the internal IP address,
which is the client directly.

Does anyone have any experience in implementing this, or any suggestions
on how we go about returning the traffic to the proxy and not directly to
the end client? Any suggestions otherwise? Explicit mode on the proxy is
not an option.

Regards,

Josh Farrelly
Senior Project Engineer

P +64 9 630 4095 
M +64 21 919 885 
E josh at base-2.co.nz

PO Box 24666, Royal Oak, Auckland 1345.
126 Valley Rd, Mt Eden, Auckland 1024.

www.base-2.co.nz