[j-nsp] SSG20 & PBR to Web Proxy

Ben Dale bdale at comlinx.com.au
Wed May 1 21:04:05 EDT 2013


Hi Josh,

I would recommend putting the proxy in its own subnet and zone (even just a /30 off to the side).  Then you can apply policy routing on your external interface for inbound traffic, and the LAN interface for your outbound traffic.

If you let return connections go directly back to the client, I suspect that your proxy won't end up being able to cache anything.

Cheers,

Ben

On 01/05/2012, at 2:08 PM, Josh Farrelly <josh at base-2.co.nz> wrote:

> Hi guys.
>  
> We have a customer who’d like to implement a transparent web proxy configuration using a Sophos Web Appliance. They sit behind an SSG20 that connects them to the Internet. I’m suggesting the proxy will have an IP in the LAN range.
>  
> I’ve confirmed with Sophos that the proxy will correctly handle connections if we policy-route any packets matching a destination port of TCP 80 & 443 to it using the firewall, however I’m a little confused about how the return traffic should be handled.
>  
> I don’t believe the proxy will rewrite the layer 3 address of the packets it sends out, so return traffic back from the external web servers will be (theoretically) sent back to the internal IP address, which is the client directly.
>  
> Does anyone have any experience in implementing this, or any suggestions how we go about returning the traffic to the proxy and not directly to the end client? Any suggestions otherwise? Explicit mode on the proxy is not an option.
>  
> Regards,
>  
> Josh Farrelly
> Senior Project Engineer
> 
> P +64 9 630 4095 
> M +64 21 919 885 
> E josh at base-2.co.nz
> 
> PO Box 24666, Royal Oak, Auckland 1345.
> 126 Valley Rd, Mt Eden, Auckland 1024.
> 
> www.base-2.co.nz
> 
>  
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
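The layout Ben describes (proxy in its own /30 and zone, outbound PBR on the LAN interface, inbound PBR on the external interface), written out as ScreenOS CLI. This is an added example, not configuration from either poster or from Sophos; the interface names, the zone name "Proxy", the addresses, and the object names are assumptions to be adjusted for the real deployment.

```text
# Assumed topology (placeholders, not from the thread):
#   bgroup0      zone Trust,   192.168.1.0/24  (LAN clients)
#   ethernet0/3  zone Proxy,   10.99.99.0/30   (SSG20 = .1, Sophos appliance = .2)
#   ethernet0/0  zone Untrust, Internet-facing
set zone name Proxy
set interface ethernet0/3 zone Proxy
set interface ethernet0/3 ip 10.99.99.1/30
set address Trust lan-clients 192.168.1.0/24
set address Proxy sophos-proxy 10.99.99.2/32

set vrouter trust-vr
# Outbound: client HTTP/HTTPS requests are steered to the proxy
set access-list extended 10 src-ip 192.168.1.0/24 dst-port 80-80 protocol tcp entry 1
set access-list extended 10 src-ip 192.168.1.0/24 dst-port 443-443 protocol tcp entry 2
# Inbound: replies from web servers addressed to client IPs are steered to the proxy
# as well, so the appliance sees both directions and can cache
set access-list extended 20 src-port 80-80 dst-ip 192.168.1.0/24 protocol tcp entry 1
set access-list extended 20 src-port 443-443 dst-ip 192.168.1.0/24 protocol tcp entry 2
set match-group name lan-to-proxy
set match-group lan-to-proxy ext-acl 10 match-entry 1
set match-group name return-to-proxy
set match-group return-to-proxy ext-acl 20 match-entry 1
set action-group name via-proxy
set action-group via-proxy next-interface ethernet0/3 next-hop 10.99.99.2 action-entry 1
set pbr policy name pbr-outbound
set pbr policy pbr-outbound match-group lan-to-proxy action-group via-proxy 1
set pbr policy name pbr-inbound
set pbr policy pbr-inbound match-group return-to-proxy action-group via-proxy 1
exit

# Bind the outbound policy to the LAN interface, the inbound one to the external interface
set interface bgroup0 pbr pbr-outbound
set interface ethernet0/0 pbr pbr-inbound

# Zone policies still apply; permit only web traffic into and out of the proxy zone
set policy from Trust to Proxy lan-clients Any HTTP permit
set policy from Trust to Proxy lan-clients Any HTTPS permit
set policy from Proxy to Untrust lan-clients Any HTTP permit
set policy from Proxy to Untrust lan-clients Any HTTPS permit
```

Because the appliance does not rewrite the client's source address, the Proxy-to-Untrust policies match on the client subnet rather than on the proxy's own address; verify with `get session` on the box that both directions are actually traversing ethernet0/3 before assuming caching works.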
