When is the Upstream Proxy used?

Quick overview of our setup.

We have multiple sites with their own XGs (SFOS 17.1.1 MR1). Each site XG is in Bridge mode. Each site is connected to the WAN via a router. An Upstream Proxy (Parent Proxy) (hosted on the WAN) is required to access the internet.

Internet > (Upstream Proxy) > WAN > (many sites) Router > XG > LAN

Internet > (Upstream Proxy) > WAN are shared amongst all sites.

We have the Upstream Proxy configured under Routing.

We have some sites and services hosted on the WAN that require us to NOT use the Upstream Proxy.

A Firewall Rule with a Web Policy specified allows internet access through the Upstream Proxy.

A Firewall Rule without a Web Policy does not allow internet access even if the Firewall Rule explicitly specifies allowed domains/Internet IPs etc.

The Upstream Proxy only seems to be used when the Internet is accessed through a Web Policy. A Firewall Rule, without a Web Policy, does not appear to use the Upstream Proxy. Is this the expected behavior?

Do Web Exceptions bypass the Upstream Proxy or only the selected features to bypass (HTTPS, Malware scanning etc)?

Cheers,
Ben



  • In Transparent Mode:

    In order for the port 80/443 traffic that flows through the XG firewall to be automatically directed to an upstream proxy, it must go through the on-box Web Proxy.

    If the port 80/443 traffic is flowing through the XG firewall based on a firewall rule alone (with no Web Proxy) then there is no way to modify the requests to send to an upstream proxy.

    To flow through the Web Proxy, you need to have the Services include HTTP/HTTPS, and you need to either have HTTP and HTTPS malware scanning on, or you need to have a Web Policy specified (anything except None).

    In Standard/Explicit/Direct Mode, anything that goes to Port 3128 will go through the proxy. You still need to have a firewall rule for port 80/443 through.

    Higher level rule with destination set to your internal servers on WAN and no scanning or web policy.

    Lower level rule for all destinations, with a web policy.

    Another option would be to use a WPAD mechanism and "Automatically detect my settings" in the browser's proxy config. Your WPAD could specify which sites can be accessed directly and which ones need to go through a specified proxy (the XG). The firewall rule would not specify any policy, so transparent access direct to the WAN sites doesn't go to upstream, while standard mode would.

    I would highly recommend turning on the malware scanning as well.
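The WPAD approach described in the reply above, as an added example that is not from the thread or from Sophos: a PAC script that sends the WAN-hosted services DIRECT and everything else explicitly to the site's XG on port 3128 (the explicit-proxy port named in the reply). The proxy name xg.site.example, the domain .wan.corp.example and the 10.0.0.0/8 range are placeholders; the shims at the top only exist so the same file runs under Node.js, since a browser's PAC engine provides those helpers itself.

```javascript
// Added example PAC (WPAD) script, not code from the thread or from Sophos.
// Hypothetical names: the site XG answers explicit proxy requests on
// xg.site.example:3128; WAN-hosted services that must stay off the upstream
// proxy live under .wan.corp.example or in the 10.0.0.0/8 range.

// Shims so the script also runs under Node.js for testing. A browser's PAC
// engine already provides these helpers, so the typeof guards skip them there.
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof shExpMatch === "undefined") {
  globalThis.shExpMatch = function (str, shexp) {
    // Translate the shell glob (* and ?) into an anchored regular expression.
    var re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*")
                  .replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  };
}
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}

var XG_PROXY = "PROXY xg.site.example:3128";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and WAN-hosted services go DIRECT. In bridge mode that
  // traffic still crosses the XG, but through a firewall rule with no Web
  // Policy, so the XG never hands it to the upstream proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".wan.corp.example") ||
      shExpMatch(host, "10.*.*.*")) {
    return "DIRECT";
  }

  // Everything else is sent explicitly to the XG (standard mode), which then
  // forwards it to the upstream proxy. No "; DIRECT" fallback on purpose.
  return XG_PROXY;
}
```

Publish the file as wpad.dat (content type application/x-ns-proxy-autoconfig) at the wpad host of the search domain or via DHCP option 252, and clients with "Automatically detect settings" will pick it up. The proxy string deliberately has no "; DIRECT" fallback: with one, a browser that cannot reach the XG proxy would silently fall back to transparent access, which is exactly the path the thread says should not carry general internet traffic.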
  • Thanks Michael.

    What about non-HTTP/HTTPS ports/protocols?

    Do they follow the same rules as 80/443 if they're included in the Firewall Rules (with a Web Policy specified)?

    Cheers

  • The Upstream Proxy is used in the following cases:

    - Port 80 and 443 traffic, as long as either a Web Policy or Malware Scanning is on

    - Port 3128 traffic. This can also include FTP if your client is configured that way (for example look at IE Proxy Settings). This is FTP-over-HTTP.

    - All HTTP/HTTPS traffic that is generated by the XG itself (for example to get updates)

    Other traffic is not sent, because by definition an upstream proxy only handles HTTP and HTTPS (and FTP-over-HTTP).

    If you want to route other ports, those are firewall routing rules, which is a different topic.

    A firewall rule is required for any traffic to flow across the firewall. Make sure you set the Service correctly (Service maps to ports). Do not use the Any service (except when troubleshooting). User/Network Rules are for outgoing traffic. Business Application Rules are for incoming.
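The rule ordering from the first reply (specific WAN-server rule above a catch-all with a web policy) and the "when is the upstream proxy used" list from the reply above, modelled as an added example. This is not Sophos code; it is a first-match evaluator over a constructed rule table, with rule names, the Web Policy name and the addresses all made up for illustration. It also includes a small shadowing check that reports rules an earlier rule makes unreachable, which is the ordering mistake that silently sends the WAN-hosted servers to the upstream proxy.

```javascript
// Added example: a small model of the first-match firewall rule table and the
// upstream-proxy decision described in this thread. Not Sophos code; rule
// names, Web Policy name and addresses are constructed for illustration.
// Transparent (bridge) mode only: traffic is allowed by the first matching
// rule, and port 80/443 traffic reaches the upstream proxy only when that
// rule engages the web proxy (a Web Policy other than None, or HTTP/HTTPS
// malware scanning on). Other ports never go to the upstream proxy.

const WAN_SERVERS = ["203.0.113.10", "203.0.113.11"]; // constructed WAN-hosted servers
const HTTP_PORTS = [80, 443];

// Rule table in the recommended order: specific rule above the catch-all.
const RULES_GOOD = [
  { name: "WAN servers direct", dest: WAN_SERVERS, services: HTTP_PORTS,
    webPolicy: null, malwareScan: false },
  { name: "Internet via upstream", dest: "any", services: HTTP_PORTS,
    webPolicy: "Default Workplace", malwareScan: true },
];

// Same two rules with the catch-all on top, which shadows the specific rule.
const RULES_SHADOWED = [RULES_GOOD[1], RULES_GOOD[0]];

function ruleMatches(rule, dstIp, dstPort) {
  const destOk = rule.dest === "any" || rule.dest.includes(dstIp);
  const svcOk = rule.services === "any" || rule.services.includes(dstPort);
  return destOk && svcOk;
}

// Returns { rule, path } with path "blocked", "direct" or "upstream-proxy".
function classify(rules, dstIp, dstPort) {
  const rule = rules.find((r) => ruleMatches(r, dstIp, dstPort));
  if (!rule) {
    return { rule: null, path: "blocked" }; // no matching rule, no traffic
  }
  const viaWebProxy = HTTP_PORTS.includes(dstPort) &&
    (rule.webPolicy !== null || rule.malwareScan);
  return { rule: rule.name, path: viaWebProxy ? "upstream-proxy" : "direct" };
}

// Lists rules that can never match because an earlier rule covers every
// destination and service they name (the ordering mistake to check for).
function shadowedRules(rules) {
  const covers = (outer, inner) =>
    outer === "any" || (inner !== "any" && inner.every((x) => outer.includes(x)));
  return rules
    .filter((r, i) => rules.slice(0, i).some((e) =>
      covers(e.dest, r.dest) && covers(e.services, r.services)))
    .map((r) => r.name);
}
```

With the rules in the recommended order, HTTPS to a WAN-hosted server matches the top rule and stays direct, HTTPS to anything else falls through to the catch-all and goes upstream, and a port the Service does not list (SSH, say) is blocked because no rule matches at all. Swap the two rules and the WAN-hosted server silently goes upstream too, which shadowedRules flags.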

  • I have the same problem.

    We have two WAN Interfaces.

    WAN #1 works only with an upstream proxy.

    WAN #2 works only without an upstream proxy.

    But I need a web policy rule for both WAN ports. I can specify the gateway (WAN#2 Gateway) in the web policy but cannot say that it should not use the upstream proxy for this web policy / firewall rule! Because the upstream proxy cannot be reached over WAN#2, since this is direct internet access.

    Does anyone have an idea?

    A slightly hacky solution, but in v18 the DPI mode does not support upstream proxy, however proxy mode does. So you can have two firewall rules, one with and one without.

    XG does not currently support what is sometimes called selective upstream proxy, though SG does. This would allow for different proxies (or no proxy) based on the destination. It is in the feature backlog, with no planned release.