[j-nsp] SSG20 & PBR to Web Proxy

Andrew Miehs andrew at 2sheds.de
Wed May 1 21:34:27 EDT 2013


Does the SSG20 do destination NAT? That is the feature you are after - alternatively WCCP...

Btw - I wouldn't recommend transparent https.



On 01/05/2012, at 14:08, "Josh Farrelly" <josh at base-2.co.nz> wrote:

> Hi guys.
>  
> We have a customer who’d like to implement a transparent web proxy configuration using a Sophos Web Appliance. They sit behind an SSG20 that connects them to the Internet. I’m suggesting the proxy will have an IP in the LAN range.
>  
> I’ve confirmed with Sophos that the proxy will correctly handle connections if we policy-route any packets matching a destination port of TCP 80 & 443 to it using the firewall, however I’m a little confused about how the return traffic should be handled.
>  
> I don’t believe the proxy will rewrite the layer 3 address of the packets it sends out, so return traffic back from the external web servers will be (theoretically) sent back to the internal IP address, which is the client directly.
>  
> Does anyone have any experience in implementing this, or any suggestions how we go about returning the traffic to the proxy and not directly to the end client? Any suggestions otherwise? Explicit mode on the proxy is not an option.
>  
> Regards,
>  
> Josh Farrelly
> Senior Project Engineer
> 
> P +64 9 630 4095 
> M +64 21 919 885 
> E josh at base-2.co.nz
> 
> PO Box 24666, Royal Oak, Auckland 1345.
> 126 Valley Rd, Mt Eden, Auckland 1024.
> 
> www.base-2.co.nz
> 

