[j-nsp] SSG20 & PBR to Web Proxy
pchychi at gmail.com
Thu May 2 08:56:52 EDT 2013
From past experience, DNAT with a transparent proxy will not work very nicely, if at all. You want to route through the proxy and not forward the connections to the proxy.
If your proxy is Squid or *nix based you can do some packet magic, but if you don't have access to the OS layer (as is the case with most commercial proxies) you'll hit challenges.
It all depends on your application requirements and design, I suppose.
Network Engineer / Security Specialist
On Wednesday, 1 May, 2013 at 6:34 PM, Andrew Miehs wrote:
> Does the ssg20 do destination NAT? That is the feature you are after - alternatively wccp....
> Btw - I wouldn't recommend transparent https.
> Sent from a mobile device
> On 01/05/2012, at 14:08, "Josh Farrelly" <josh at base-2.co.nz> wrote:
> > Hi guys.
> > We have a customer who’d like to implement a transparent web proxy configuration using a Sophos Web Appliance. They sit behind an SSG20 that connects them to the Internet. I’m suggesting the proxy will have an IP in the LAN range.
> > I’ve confirmed with Sophos that the proxy will correctly handle connections if we policy-route any packets matching a destination port of TCP 80 & 443 to it using the firewall, however I’m a little confused about how the return traffic should be handled.
> > I don’t believe the proxy will rewrite the layer 3 address of the packets it sends out, so return traffic back from the external web servers will be (theoretically) sent back to the internal IP address, which is the client directly.
> > Does anyone have any experience in implementing this, or any suggestions how we go about returning the traffic to the proxy and not directly to the end client? Any suggestions otherwise? Explicit mode on the proxy is not an option.
> > Regards,
> > Josh Farrelly
> > Senior Project Engineer
> > P +64 9 630 4095
> > M +64 21 919 885
> > E josh at base-2.co.nz
> > PO Box 24666, Royal Oak, Auckland 1345.
> > 126 Valley Rd, Mt Eden, Auckland 1024.
> > www.base-2.co.nz
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
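As an added illustration (not part of the thread): a small Python model of the return-path question Josh raises, tracing one HTTPS request under PBR alone, PBR with source NAT on the proxy, and destination NAT on the firewall. The addresses are constructed, and the firewall and proxy behaviour is the simplified behaviour the messages describe, not any vendor's implementation.

```python
from dataclasses import dataclass, replace

# Constructed addresses for this illustration only (RFC 1918 / RFC 5737 ranges).
CLIENT, PROXY, SERVER = "10.0.0.10", "10.0.0.20", "198.51.100.7"
WEB_PORTS = (80, 443)

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int

def firewall_egress(pkt, dnat_on_firewall):
    """LAN-to-Internet hop. PBR diverts TCP 80/443 from anyone but the proxy to the
    proxy; with DNAT the firewall also rewrites the destination to the proxy address."""
    if pkt.dport in WEB_PORTS and pkt.src != PROXY:
        return "proxy", (replace(pkt, dst=PROXY) if dnat_on_firewall else pkt)
    return "internet", pkt

def proxy_relay(pkt, snat_on_proxy):
    """The proxy terminates the client flow and opens its own toward the origin.
    A flow that was DNATed to the proxy address is necessarily re-originated from the
    proxy; otherwise the L3 source is rewritten only if the proxy does SNAT."""
    re_originate = snat_on_proxy or pkt.dst == PROXY
    return Pkt(src=PROXY if re_originate else pkt.src, dst=SERVER, dport=pkt.dport)

def firewall_ingress(reply):
    """Internet-to-LAN hop: plain destination routing; PBR does not apply to return traffic."""
    return reply.dst

def trace(dnat_on_firewall=False, snat_on_proxy=False):
    """Follow one HTTPS request and the origin's reply; report where the reply lands."""
    hop, pkt = firewall_egress(Pkt(CLIENT, SERVER, 443), dnat_on_firewall)
    assert hop == "proxy"
    outbound = proxy_relay(pkt, snat_on_proxy)
    reply = Pkt(src=SERVER, dst=outbound.src, dport=0)  # origin answers the src it saw
    landed_on = firewall_ingress(reply)
    return {"outbound_src": outbound.src, "reply_delivered_to": landed_on,
            "proxy_sees_reply": landed_on == PROXY}

if __name__ == "__main__":
    for name, kw in {"PBR only": {}, "PBR + proxy SNAT": {"snat_on_proxy": True},
                     "firewall DNAT": {"dnat_on_firewall": True}}.items():
        print(f"{name:17} -> {trace(**kw)}")
```

With PBR alone the origin's reply is delivered straight to the client, which holds no matching TCP state, so the proxy's connection is never answered; either NAT variant brings the reply back to the proxy.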