This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Progression fo checking using WEB Proxy

So what is the progression of checks/filters/etc when activating the use of Web Filtering?

AT our Central ASG site I have 8 network segments defined. I wish to force all internet bound network traffic (http/s, ftp, etc.) for four of these network segments through the Web proxy.

We do not have a directory server currently defined so I have setup the web proxy into Standard mode running on port 3228 and setup a PAC file on the ASG proxy page.

So My question is does the packet filters take priority over the web filters or or is it the other way around? I want to ensure that any computer without a proxy setup cannot get off the network before setting up the proxy settings. So far it looks like if I am not using the proxy settings, I can still exit the network bypassing the proxy filters.

This thread was automatically locked due to age.

Parents

0 skydiver over 15 years ago

Thanks.  I need to see how my rules are being applied.  I am a little confused in a hub-spoke remote office config how to direct only certain network segments to come through the central hub then our through the proxy for internet.

So at the remote ASG's I need to start thusly (please check my work)
Remote office:
Networks defined 10.10.10.0/24 and 10.15.10.0/24
ASG device IP 10.10.10.1
Central Office:
Networks defined 10.10.2.0/24 and 10.15.2.0/24
ASG device IP 10.10.2.1
http proxy running on 10.10.2.1

From the remote office I want all 10.10.10.0 traffic to come through central hub ASG and routed accordingly (may need to traverses central hub to remote office 2 10.10.11.0).  Any internet bound traffic needs to be directed through http proxy on central ASG.

Remote Office 10.15.10.0 should go directly to Internet from remote ASG
Assumptions:
IPSEC tunnel exists and is pingable from all remote locations on the 10.10.0.0 network.

Packet Filter Rules:
At remote location:
Packet Filter Rule 1: Allow 10.15.10.0-->ANY-->ANY
Packet Filter Rule 2: Allow 10.10.10.0-->ANY-->10.10.2.1

At central location:
http proxy allow: 10.10.0.0/16

NO Packet Filter rules for 10.10.0.0 to ensure all outbound all traffic is forced through web proxy?

If I had an allow of certain traffic defined by packet rule and a deny by proxy would it be allowed of denied?  based on your progression above it would be denied but not good practice.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 skydiver over 15 years ago

Thanks.  I need to see how my rules are being applied.  I am a little confused in a hub-spoke remote office config how to direct only certain network segments to come through the central hub then our through the proxy for internet.

So at the remote ASG's I need to start thusly (please check my work)
Remote office:
Networks defined 10.10.10.0/24 and 10.15.10.0/24
ASG device IP 10.10.10.1
Central Office:
Networks defined 10.10.2.0/24 and 10.15.2.0/24
ASG device IP 10.10.2.1
http proxy running on 10.10.2.1

From the remote office I want all 10.10.10.0 traffic to come through central hub ASG and routed accordingly (may need to traverses central hub to remote office 2 10.10.11.0).  Any internet bound traffic needs to be directed through http proxy on central ASG.

Remote Office 10.15.10.0 should go directly to Internet from remote ASG
Assumptions:
IPSEC tunnel exists and is pingable from all remote locations on the 10.10.0.0 network.

Packet Filter Rules:
At remote location:
Packet Filter Rule 1: Allow 10.15.10.0-->ANY-->ANY
Packet Filter Rule 2: Allow 10.10.10.0-->ANY-->10.10.2.1

At central location:
http proxy allow: 10.10.0.0/16

NO Packet Filter rules for 10.10.0.0 to ensure all outbound all traffic is forced through web proxy?

If I had an allow of certain traffic defined by packet rule and a deny by proxy would it be allowed of denied?  based on your progression above it would be denied but not good practice.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data