Open with table of contents

Configure Proxy Mode

This topic describes the steps you need to take to configure the proxy mode on your router and Web Gateway.

To set Explicit mode

1. From the Home page, click System > Proxy Mode.

   The Proxy Mode page is displayed.

2. In the Proxy Mode dialog click, Click here to change these settings.
3. Clear the Enable Transparency check box button and click Save.

Client applications will need to have a proxy set explicitly.

To set Transparent mode

The following transparent modes are available:

• Policy Based Routing (PBR)
• Web Cache Control Protocol (WCCP)

Both modes require that you need a router on your network that has been configured to use the particular mode. For WCCP, the router must be a CISCO router that supports WCCP.

Tell me about...

• The steps I need to take to set up transparent PBR mode

  To configure PBR on your router and Gateway you need to do the following:

  1. Create one or more Access List to specify what the router should do with the traffic.
  2. Define a route map on the interface to control where data packets are output.
  3. Specify the match criteria to match the source and destination IP address that is permitted by the access lists.
  4. Specify the action to be taken on packets that match the criteria.
  5. Specify the output interface for the matched traffic.
  6. Enable the route map on the interface.
  7. Configure the Proxy Mode on the Gateway to use PBR.

  These steps are described in the Show me.... section of this topic.

• The steps I need to take to set up transparent WCCP mode

  To configure WCCP on your router and Gateway you need to do the following:

  1. Decide which routers and Gateways will work together.
  2. Enable WCCP and define the service group on the router.
  3. Enable WCCP on the interface.
  4. Configure the Proxy Mode on the Gateway to use WCCP.

  These steps are described in the Show Me... section of this topic.

• The Gateway Transparent mode settings

  The following table details the configuration options for Transparent mode:

  UI Dialog	UI Option	Description	Mode
  WCCP V2 Settings	WCCP Service ID	Identifier for the service as configured on the router.	WCCP
  	Router IP Addresses	IP address of the router. Multiple IP addresses need to be separated with a comma.
  	Router Tunnel IP Address	Source IP address of the tunnel router.
  	Router Password (optional)	Optional password for the router.
  	Confirm Password	Optional password for the router.
  Port Interception	HTTP ports to be intercepted	HTTP ports that you want to be intercepted. Port 80 is typical for HTTP traffic and is the default value. Multiple port values need to be separated with a comma. Note: Changes to this value will automatically update the router.	Both
  	HTTPS ports to be intercepted	HTTPS ports that you want to be intercepted. Port 443 is typical for HTTPS traffic and is the default value. Multiple port values need to be separated with a comma. Note: To allow traffic through the chosen port, you will need to add it under Allowed Outbound HTTPS Ports on the Listening Ports page. Note: Changes to this value will automatically update the router.
  	Network Interface Card	The network interface card to use. A drop-down list is displayed if multiple values are detected.
  	Non-HTTPS traffic will be streamed or blocked	Block or stream non-HTTPS traffic. If the traffic is streamed, policy will not be applied.
  Local Server Settings	HTTPS Block Page and Secure Authentication port	Port to use for authentication and block pages. We recommend that you use the default setting of 8444.	Both
  	HTTPS Certificate Bypass port	Port to use if you are allowing certificateA digital means of proving your identity. When you send a digitally-signed message, you are sending your certificate and public key. Certificates are issued by a certification authority and can expire or be revoked. bypass. We recommend that you use the default setting of 9102.
  	Local Server Hostname Type	Specify the hostname type to resolve the local server name. For example, to display a fully qualified hostnames use DNS. This option might be dictated by your organizations infrastructure. You can use the Custom option to specify a host name that is listed in a local host file.
  Transparent Authentication	Purge Time	The duration in minutes for which the user will not have to re-authenticate for a given request.	Both
  	Authentication Type	Specify the use of an IP address or cookie as the authentication method. We recommend that you use IP address authentication if you are using Internet Explorer.See note.
  Diagnostics	Enable diagnostics	Disabled by default. Enabling diagnostics will send data to the Proxy Diagnostic Port. You should use this feature on the advice of Clearswift Support staff.	Both
  	Proxifier Logging Level

  Transparent Authentication Type Using cookies has the advantage over using an IP address for the following reasons: Cookies are stored for each user. Therefore, if multiple users use the same machine, they will be treated as separate users as opposed to a single IP address If NATing is used, the IP address could change when traffic flows through the NATing device and would cause all users to have the same IP address. This problem does not occur with cookies If DHCP is used, the IP address of a client has no impact on the cookies being used

• Transparent Authentication and third-party cookies

  If you choose to use cookies as your method of transparent authentication you will need to ensure that third-party cookies are enabled on client browsers.

  Depending on the browser, third-party cookies might be enabled by default:

  • Firefox

    Third-party cookies are enabled by default.

    Configuration is found under Options > Privacy > History > Accept third-party cookies

  • Chrome

    Third-party cookies are enabled by default.

    Configuration is found under Settings > Show advanced Settings... > Privacy > Content settings... > Block third-party cookies and site data

  • Internet Explorer (IE)

    Third-party cookies are not enabled by default. To enable them, we recommend that you add the trusted domain to the list of managed sites. When this is done the browser will accept all third-party cookies that are generated by the domain set. Show me how to enable third-party cookies.

    These steps apply when using IE 9. While adding the authentication domain is required for all supported versions of IE, the actual steps might differ for different versions of the browser.

    1. From the browser, click Internet options.
    2. Select the Privacy tab and click Sites.
    3. Enter the domain in the Address of website text field and click Allow.
    4. Click OK.

• WCCP Service Groups

  A service group unites one or more routers with one or more Gateways in a transparent redirection scheme. Gateways and routers communicate with each other by a series of "Here I Am" and "I See You" messages that include the description of the service group the Gateway wants to join, redirection methods, load balancing considerations, and WCCP capabilities.

  The service group configuration defines what type of traffic the routers in the group should intercept and how the intercepted traffic should be handled. To accommodate the various types of services available, multiple service groups are available and are referenced by an ID number. For example, the following tables lists Cisco predefined values. :

  Service ID	Port	Traffic Type
  0	80	HTTP
  70	443	HTTPS

Show me...

• A PBR configuration and the steps I need to take to enable it

  The following example shows a PBR configuration, and details the steps you need to take enable it. Steps in the commands match the diagram annotations and you will need to modify your command values for your local configuration accordingly.

   

  

  As a prerequisite for PBR, you must ensure that you have end-to-end connectivity. For example, the client should be able to ping the proxy and the proxy should be able to ping the server. If you are scanning HTTPS content, you must be able to resolve the server at the client and Gateway. A full description of ACLs is beyond the scope of this help. See your router documentation for detail on configuring ACLs. Consult your router documentation for further detail on PBR configuration.

  Router configuration

  1. General router setup

     From the router console, type the following:

     enable
     sh ver
     config terminal
     hostname router1
     line con 0
     logging syn
     exit						

  2. Configure the router interfaces with the IP address and subnet mask.

     From the router console, type the following:

     int fa 0/0
     ip address 10.0.0.1 255.255.255.0
     no shutdown
     exit

     int fa 1/0
     ip address 79.123.16.1 255.255.255.240
     no shutdown
     end
     copy run start
     

  3. Create an Access Control List (ACL)

     From the router console, type the following:

     conf term
     access-list 100 deny tcp host 10.0.0.2 any
     access-list 100 permit tcp any any eq www
     access-list 100 permit tcp any any eq 443
     access-list 100 deny tcp any any
     

  4. Specify the routing policy

     From the router console, type the following:

     route-map pbr permit 10
     match ip address 100
     set ip next-hop 10.0.0.2
     exit
     int fa 0/0
     ip policy route-map pbr
     end
     copy run start
     

  Gateway configuration

  1. From the Home page, click System > Proxy Mode.

     The Proxy Mode page is displayed.

  2. In the Proxy Mode dialog click, Click here to change these settings.

  3. Check the Enable Transparency box and apply the following settings in the panels on the page:

     Setting	Value
     Mode	Policy Based Routing
     HTTP ports to be intercepted	80
     HTTPS ports to be intercepted	443
     Network Interface card	eth0
     Non-HTTPS traffic will be:	Streamed
     HTTPS block Page and Secure Authentication port	8444
     HTTPS Certificate Bypass port	9102
     Local Server Hostname	NetBIOS
     Purge Time	15
     Authentication Type	IP Address
     Proxifier logging level	Standard
     Enable diagnostics port	OFF

   

• A basic WCCP configuration and the steps I need to take to enable it

  The following example shows a basic WCCP configuration, and details the steps you need to take enable it. Steps in the commands match the diagram annotations and you will need to modify your command values for your local configuration accordingly.

   

  

   

  As a prerequisite for WCCP, you must ensure that you have end-to-end connectivity. For example, the client should be able to ping the proxy and the proxy should be able to ping the server. If you are scanning HTTPS content, you must be able to resolve the server at the client and Gateway. Consult your router documentation for further detail on PBR configuration.

  Router configuration

  The following commands apply to Router 1 - the WCCP router - in the diagram.

  1. General router setup

     From the router console, type the following:

     enable
     sh ver
     config terminal
     hostname router1
     line con 0
     logging syn
     exit						

  2. Configure a loopback interface on the router to use as the source address for GRE tunneling.

     From the router console, type the following:

     conf terminal
     int loop
     ip addr 192.169.1.1 255.255.255.0
     exit						

  3. Configure the router interfaces with the IP address and subnet mask.

     From the router console, type the following:

     int fa 0/0
     ip address 10.0.0.1 255.255.255.0
     no shutdown
     exit

     int fa 1/0
     ip address 79.123.16.1 255.255.255.240
     no shutdown
     end
     copy run start
     

  4. Enable WCCP on the router and specify a service group of 90.

     From the router console, type the following:

     conf term
     ip wccp 90 password        password
     int fa 1/0
     ip wccp 90 redirect out
     end
     copy run start

  Gateway Configuration

  1. From the Home page, click System > Proxy Mode.

     The Proxy Mode page is displayed.

  2. In the Proxy Mode dialog click, Click here to change these settings.

  3. Check the Enable Transparency box and apply the following settings in the panels on the page:

     Setting	Value
     Mode	WCCP
     WCCP Service ID	90
     Router IP addresses	10.0.0.1
     Router Tunnel IP Address	192.169.1.1
     Router Password	Password
     HTTP ports to be intercepted	80
     HTTPS ports to be intercepted	443
     Network Interface card	eth0
     Non-HTTPS traffic will be:	Streamed
     HTTPS block Page and Secure Authentication port	8444
     HTTPS Certificate Bypass port	9102
     Local Server Hostname	NetBIOS
     Purge Time	15
     Authentication Type	IP Address
     Proxifier logging level	Standard
     Enable diagnostics port	OFF

• A WCCP configuration with an internal router and the steps I need to take to enable it

  The following example shows a WCCP configuration that has an internal router place within the network, and details the steps you need to take enable it. Steps in the commands match the diagram annotations and you will need to modify your command values for your local configuration accordingly.

   

  

  Router configuration

  The following commands apply to Router 2 - the WCCP router - in the diagram.

  1. General router setup.

     From the router console, type the following:

     enable
     sh ver
     config terminal
     hostname router2
     line con 0
     logging syn
     exit						

  2. Configure a loopback interface on the router to use as the source address for GRE tunneling.

     From the router console, type the following:

     conf terminal
     int loop
     ip addr 192.169.1.1 255.255.255.0
     exit						

  3. Configure the router interfaces with the IP address and subnet mask..

     From the router console, type the following:

     int fa 0/0
     ip address 10.0.0.1 255.255.255.0
     no shutdown
     exit

     int fa 1/0
     ip address 79.123.16.1 255.255.255.240
     no shutdown
     end
     copy run start
     

  4. Enable WCCP with a service group of 90.

     From the router console, type the following:

     conf term
     ip wccp 90 password        password
     int fa 1/0
     ip wccp 90 redirect out
     end
     copy run start

  5. Enable RIP routing.

     From the router console, type the following:

     conf term
     router rip
     version 2
     network 10.0.0.0
     network 79.0.0.0
     no auto-summary
     end						

  Gateway configuration

  1. From the Home page, click System > Proxy Mode.

     The Proxy Mode page is displayed.

  2. In the Proxy Mode dialog click, Click here to change these settings.

  3. Check the Enable Transparency box and apply the following settings in the panels on the page:

     Setting	Value
     Mode	WCCP
     WCCP Service ID	90
     Router IP addresses	10.0.0.1
     Router Tunnel IP Address	192.169.1.1
     Router Password	Password
     HTTP ports to be intercepted	80
     HTTPS ports to be intercepted	443
     Network Interface card	eth0
     Non-HTTPS traffic will be:	Streamed
     HTTPS block Page and Secure Authentication port	8444
     HTTPS Certificate Bypass port	9102
     Local Server Hostname	NetBIOS
     Purge Time	15
     Authentication Type	IP Address
     Proxifier logging level	Standard
     Enable diagnostics port	OFF

How do I...

• Check the WCCP configuration and show logging on the router and interface?

  There are a number of router commands that you can use to check your WCCP configuration. Commands vary from router to router and we recommend that you consult your router documentation for specific examples.

See also...

• The Proxy Mode topic for an overview of the proxy modes

© 1995–2018 Clearswift Ltd.