Support Doc: Transparent Bridge Explained

Version 2

    What is Transparent Bridge?

    Transparent Bridge is a deployment method on the Web Gateway appliance where the browser/client is NOT "proxy aware" and the Web Gateway is installed in-line with the network. As the Web Gateway will be placed in the physical network path, you will NOT be able to make logical (routing or otherwise) decisions on what traffic to send through the Web Gateway. ALL of your traffic will go through the Web Gateway, whether it will be filtered or not.

    In this document I will discuss transparent bridge scenarios with a single Web Gateway appliance, multiple Web Gateway appliances, and some transparent bridge setup considerations.

    Note that this article is not intended to be a step-by-step setup guide for transparent bridge but rather to be informational and to assist in pre-deployment planning. There are some gotchas!

    Setup Considerations

    Transparent deployment vs. Direct Proxy

    Oftentimes a transparent bridge deployment is chosen because administrators do not want to make changes to the browser in order for traffic to reach the Web Gateway. Unfortunately this is a common misconception, and in reality changes often DO need to be made to browsers. In addition, transparent deployments often add MORE complexity to the deployment and require more work on the administration side. It is recommended to read this detailed description of Transparent deployment vs. Direct Proxy before making a final decision to use transparent bridge mode: https://community.mcafee.com/docs/DOC-4910.

    Port Redirects and exceptions

    The Transparent Bridge settings on the Web Gateway allow you to choose which ports get sent to the proxy.

    Web Gateway is usually configured to scan only web-based traffic on the default ports 80 and 443. All traffic on other ports is simply passed through unchanged.

    Since version 7.3.2, Web Gateway has the ability to add exceptions, such as exempting a specific client IP or destination IP from being sent to the proxy.  The exception configuration is located in the same area where you choose which ports are sent to the proxy (Configuration >> Proxies >> Port Redirects).  This is a comma-delimited list, and each entry needs to include both the IP address and the netmask.

    [Figure: port-redirects-square.png]
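
    The redirect-and-exception decision described above, as an added example that is not part of this document or of the Web Gateway product code: traffic on the redirected ports goes to the proxy and rule engine unless the client or destination IP matches an exception entry, and everything else crosses the in-line bridge untouched. The entry format (comma-delimited, each written as address/netmask with either a dotted mask or a prefix length) and the function names are assumptions.

```python
import ipaddress

# Ports the bridge hands to the proxy/rule engine (Web Gateway defaults: 80 and 443).
DEFAULT_REDIRECT_PORTS = frozenset({80, 443})


def parse_exceptions(text):
    """Parse the comma-delimited exception list into ip_network objects.
    Every entry must carry its netmask (dotted mask or prefix length), as the
    document requires; an entry without one is rejected rather than guessed."""
    networks = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            raise ValueError(f"exception entry {entry!r} is missing its netmask")
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def bridge_decision(src_ip, dst_ip, dst_port,
                    redirect_ports=DEFAULT_REDIRECT_PORTS,
                    client_exceptions=(), dest_exceptions=()):
    """Return 'proxy' if the flow is redirected to the rule engine, else 'passthrough'."""
    if dst_port not in redirect_ports:
        return "passthrough"   # non-redirected port: crosses the bridge unfiltered
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(src in net for net in client_exceptions):
        return "passthrough"   # exempted client IP
    if any(dst in net for net in dest_exceptions):
        return "passthrough"   # exempted destination IP
    return "proxy"


def audit_flows(flows, **kwargs):
    """Classify a list of (src, dst, port) tuples; returns [(flow, decision), ...]."""
    return [(flow, bridge_decision(*flow, **kwargs)) for flow in flows]


if __name__ == "__main__":
    # Constructed sample (assumed addresses): one exempt client subnet, one exempt host.
    clients = parse_exceptions("10.0.5.0/255.255.255.0, 10.0.9.77/32")
    dests = parse_exceptions("198.51.100.20/32")
    sample = [("10.0.1.4", "198.51.100.10", 80),    # filtered by the proxy
              ("10.0.5.9", "198.51.100.10", 443),   # exempt client subnet
              ("10.0.1.4", "198.51.100.20", 443),   # exempt destination host
              ("10.0.1.4", "198.51.100.10", 22)]    # SSH: not a redirected port
    for flow, decision in audit_flows(sample, client_exceptions=clients, dest_exceptions=dests):
        print(flow, "->", decision)
```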

    Finalizing the setup

    It is very important to reboot the Web Gateway appliance once you have configured Transparent Bridge.  This will help load the proper network drivers needed for this deployment. It is also recommended to reboot the appliance when switching out of the Transparent Bridge mode to another mode such as Proxy.

    Transparent Bridge with a single appliance

    When you are using the Web Gateway in a transparent bridge setup, it should be noted that it is now in-line, and you will be unable to physically get around the Web Gateway.  The Web Gateway allows you to choose which traffic (ports) actually get forwarded to the proxy and rule engine, but if a port is not configured to go to the proxy and rule engine, it is still physically going through the appliance since the appliance is in-line with the network.

    [Figure: MWG-In-Line.png]

    Single Point of Failure

    When deciding how many appliances to implement, it is important to use more than one Web Gateway appliance.  A single appliance introduces a single point of failure: if the appliance goes down, traffic will be interrupted. If you have at least one other appliance, it can act as a failover device in the event that one of the appliances goes down.

    Fail-Open Kit

    If you are in a situation where only a single appliance in transparent bridge mode is possible, we highly recommend that you consider purchasing a Fail-Open Kit from McAfee. More details about the setup of the kit can be found here: https://kc.mcafee.com/corporate/index?page=content&id=KB73798

    Fail-Open Kits can also be useful in deployments with multiple appliances to prevent any kind of traffic disruptions.

    Transparent Bridge with multiple appliances

    Using multiple appliances is the recommended setup in a transparent bridge deployment, but there are a few considerations to factor in when setting this up.  When multiple Web Gateways are used in a transparent bridge setup, web traffic is load-balanced between the nodes. The secondary appliance does not work solely as a failover device; it also receives and handles web traffic.

    Transparent Bridge Basics (Multiple appliances):

      • Load-balancing: One Web Gateway appliance is deemed a 'director' and is responsible for deciding which appliance will serve each web request.
      • Only one appliance can be a director at a time.
      • All Web Gateways need to be able to communicate with one another for load-balancing and communicating director status.
      • Web Gateway uses the Spanning Tree Protocol, which is already enabled in the OS, to communicate the director status and provide a health check amongst other nodes. There are no configuration options needed for STP on the Web Gateway.
      • The Spanning Tree protocol cannot be enabled on any switches to which the Web Gateway is directly connected.

    Spanning Tree (STP)

    STP is a technology that is used on most switches.  Simply put, spanning tree on a switch finds loops in the network and shuts down ports until a single path remains. This presents a problem for communication between Web Gateway appliances, because the Web Gateways need to be able to communicate with one another to establish director status and assign which appliance handles each web request.

    Note: If spanning tree is enabled on the switches the Web Gateways are directly connected to, it is highly likely that ports needed for communication amongst the Web Gateways will be shut down. Once this occurs, the Web Gateways will no longer know about each other, and both of them will then act as the director node, effectively stopping all traffic. See the example scenario below for more details.

    Example: Spanning Tree enabled on connected switches will cause ports to be shut down:

    [Figure: Network-Outline.png]

    For this example there are two Web Gateways set up in Transparent Bridge mode. As shown in the figure above, each Web Gateway is connected to an inbound switch and an outbound switch.

    MWG Node 1 is connected to the Inbound Switch on Port A

    MWG Node 1 is connected to the Outbound Switch on Port G

    MWG Node 2 is connected to the Inbound Switch on Port B

    MWG Node 2 is connected to the Outbound Switch on Port H

    When Spanning Tree is enabled on the connected switches, ports A, B, G and H are all subject to being shut down by the switches.

    For this example, let's assume that Port B was shut down.

        • From the inbound/outbound switches' perspective everything is fine, as there are no loops in the topology.

        • From the Web Gateway's perspective, because Port B is shut down, MWG Node 1 can no longer communicate director status with MWG Node 2 (via Spanning Tree).  In this scenario, both Web Gateways will take ownership and set themselves as the director node.  This will interrupt traffic and prevent Web Gateway from filtering.

    Requirements

    In order to deploy Transparent Bridge with multiple appliances, you will need to take one of the following actions:

        • Option 1 is to completely disable Spanning Tree on the switches directly connected to the Web Gateways. This will allow the Web Gateways to communicate properly. Note: If other devices also use these switches, then it is recommended to use Option 2 below.

        • Option 2 is to introduce a basic switch without STP, to which the Web Gateways are connected, so that Spanning Tree on the inbound/outbound switches does not interfere with the communication between Web Gateway appliances. Introducing a basic switch between the core switches adds an extra layer that prevents the needed switching paths from being shut down.

    Example: Introduce a switch that sits between the Web Gateways and both the Inbound/Outbound Switches:

    [Figure: Basic_Switch.png]

    Summary Checklist

    • In a Transparent Bridge setup, your Web Gateway is in-line with the network.  This can make administration difficult.
    • It is recommended to use multiple Web Gateway appliances if you choose this deployment type.
    • Reboot the Web Gateway appliance after configuring it in and out of Transparent Bridge mode.
    • When using Transparent Bridge mode with multiple Web Gateway appliances, it is required to disable Spanning Tree on switches directly connected to the Web Gateways or introduce a basic switch without STP to ensure the Web Gateways can communicate.