Web Gateway Cloud Service: Configuring Site-to-Cloud Traffic Redirection (IPSec)

Version 10

     

    Introduction

    With the December 2016 release of the Web Gateway Cloud Service, site-to-cloud traffic redirection is now supported. Site-to-cloud traffic redirection is made possible by using IPSec tunnels. This allows remote offices to securely redirect web traffic to the Web Gateway Cloud Service for filtering and policy enforcement.

     

    Concept

    Your on-premise firewall or router uses policy-based routing to send all externally bound web traffic (ports 80 and 443) over an IPSec tunnel to the Web Gateway Cloud Service, where it is filtered according to your organization's web policy.

     

    IMPORTANT: Only externally bound port 80 and 443 traffic should be forwarded over the IPSec tunnel. Any other traffic forwarded over it may be dropped on the other side of the tunnel.

     

     

    Configuration

    Below we'll go over the basics of what you'll need in order to get your IPSec tunnel configured. We'll need information about your network, such as external IPs and internal subnet ranges. This information will be added in ePO Cloud so that the Web Gateway Cloud Service can identify your connections and assign the right policy. Once the Web Gateway Cloud Service is configured, we can set up the IPSec tunnel in your on-premise firewall or router. This guide includes basic information to get the IPSec tunnel configured on your device; vendor-specific guides will be posted as they are written.

     

    Gather network information

    To configure the Web Gateway Cloud Service, we need your external IPs and your internal subnet ranges. Contact your network team if your organization owns a number of IP ranges, or simply ask Google "What is my IP?" if you have a single IP you want to test with.

     

    Configure the Web Gateway Cloud Service

    Now that you have your external IP and internal subnet, we can configure the Web Gateway Cloud Service. We will need to create a site-to-site definition in the authentication settings within ePO Cloud. We will need to give the cloud service four things:

      1. Site-to-Site Name - Helps you remember what location or office the definition is for.
      2. External IP - The Web Gateway Cloud Service uses this to identify any incoming IPSec connections in order to tie them to your settings.
      3. Local Network - This is used so the Web Gateway Cloud Service knows how to properly handle connections from your remote network.
      4. Pre-Shared Key - A shared key between the Web Gateway Cloud Service and the on-premise edge device that initiates the IPSec communication. You define this yourself and set it on your on-premise firewall or router.

     

     

    Determine closest PoPs

    To determine where you'll be redirecting traffic, you first need to find the IPs of the Web Gateway Cloud Service points of presence (PoPs) closest to your location. To find them, perform a DNS lookup using the following commands, replacing XXXXXXXXX with your customer ID. Be sure to perform the nslookups from the environment where the IPSec tunnel will be configured, because the answer depends on where the query comes from.

      • Closest PoP
        • nslookup 1.network.cXXXXXXXXX.saasprotection.com
      • 2nd closest PoP
        • nslookup 2.network.cXXXXXXXXX.saasprotection.com

     

    This will give you the first and second closest points of presence. Take note of the IPs for later steps.

     

     

    Configure On-Premise Firewall/Router

    Once the Web Gateway Cloud Service is configured, it's ready to accept traffic from your network. Now we'll need to configure the on-premise device (firewall or router) to actually perform the traffic redirection. Below are the details needed to configure the IPSec tunnel itself; policy-based routing is not covered.

     

    IMPORTANT: As noted above, policy-based routing is not covered below. After configuring the IPSec tunnel, only externally bound port 80 and 443 traffic should pass through the IPSec tunnel. This configuration varies from device to device, but is required for a good user experience.

     

    IKE Phase 1

    Details about phase 1:

        • Key Exchange (IKE) Version: 2
        • Remote Gateway: [Enter IP of closest PoP, example: 185.125.227.1]
        • Lifetime: 28800 seconds (8 hours)
        • Authentication
          • Method: Mutual Pre-Shared Key (PSK)
          • Identifier: [Your external IP address]
          • Peer Identifier: Peer IP address
          • Pre-Shared Key: [Use corresponding Pre-Shared Key configured in ePO Cloud]
        • Encryption
          • Encryption Algorithm: AES (128 bits*, 192 bits, 256 bits)
          • Hashing Algorithm: SHA2 (SHA256*, SHA384, SHA512)
          • Diffie-Hellman (DH) Group: 2 (1024 bit), 5 (1536 bit)*, 14 (2048 bit), 16 (4096 bit)

     

    * Represents recommended setting.

     

    IKE Phase 2

    Details about phase 2:

        • Local Network: [Your local subnet]
        • NAT Translation: [Your local subnet]
        • Remote Network: 0.0.0.0/0
        • Enable Perfect Forward Secrecy
        • Lifetime: 28800 seconds (8 hours)
        • SA/Key Exchange
          • Protocol: ESP
          • Encryption Algorithms: AES (128 bits*, 256 bits, 512 bits)
          • Hashing Algorithms: SHA256*, SHA384, SHA512
          • Diffie-Hellman (DH) Group: 2 (1024 bit), 5 (1536 bit)*, 14 (2048 bit), 16 (4096 bit)

     

    * Represents recommended setting.

     

    Failover IPSec Connection

    Repeat the above steps for the 2nd closest PoP that was noted when we determined the closest PoPs.
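    As an added example, not part of the original article or of any McAfee vendor guide, the following POSIX shell script shows how the PoP lookup step and the Phase 1, Phase 2 and failover parameters above map onto one concrete edge device: a Linux router running strongSwan. strongSwan is an assumption (the article names no device), and so are the external IP 203.0.113.10, the local subnet 192.168.10.0/24, the failover PoP IP 185.125.227.2, the customer ID and the pre-shared key; the primary PoP IP 185.125.227.1 is the article's own example. The pop_hostname and resolve_pop helpers build and resolve the names from the nslookup step, and render_wgcs_conf writes a swanctl.conf using the recommended (*) settings, AES-128, SHA-256 and DH group 5, which strongSwan spells as the proposal aes128-sha256-modp1536.

```shell
#!/bin/sh
# Added example, not from the original article: render a strongSwan swanctl.conf
# for a Linux edge router (strongSwan is assumed; the article names no vendor).
# Every address, the customer ID and the PSK below are placeholders to replace.
set -eu

# Hostname the article has you resolve for the N-th closest PoP
# ($1 = 1 for closest, 2 for the failover PoP; $2 = your customer ID).
pop_hostname() {
    printf '%s.network.c%s.saasprotection.com\n' "$1" "$2"
}

# Resolve that hostname to its first A record. Run this from the network the
# tunnel will terminate on, as the article requires (needs dig and network).
resolve_pop() {
    dig +short "$(pop_hostname "$1" "$2")" A | head -n 1
}

# One IKEv2 connection following the Phase 1 / Phase 2 tables.
# $1 = connection name, $2 = PoP IP, $3 = your external IP, $4 = local subnet.
# aes128-sha256-modp1536 is strongSwan's spelling of the recommended (*) values
# (AES-128, SHA-256, DH group 5); listing the DH group in the ESP proposal is
# what turns on Perfect Forward Secrecy. rekey_time 28800s is the 8 hour
# lifetime; dpd_delay is an added setting so a dead PoP is noticed quickly.
render_conn() {
    cat <<EOF
    $1 {
        version = 2
        local_addrs = $3
        remote_addrs = $2
        proposals = aes128-sha256-modp1536
        rekey_time = 28800s
        dpd_delay = 30s
        local {
            auth = psk
            id = $3
        }
        remote {
            auth = psk
            id = $2
        }
        children {
            web {
                local_ts = $4
                remote_ts = 0.0.0.0/0
                esp_proposals = aes128-sha256-modp1536
                rekey_time = 28800s
                start_action = start
            }
        }
    }
EOF
}

# PSK entry matching a connection. $1 = connection name, $2 = PoP IP, $3 = PSK.
render_secret() {
    cat <<EOF
    ike-$1 {
        id-$1 = $2
        secret = "$3"
    }
EOF
}

# Complete file: primary tunnel to the closest PoP plus the failover tunnel to
# the 2nd closest, as the "Failover IPSec Connection" step asks for.
# $1 = external IP, $2 = local subnet, $3 = closest PoP, $4 = 2nd PoP, $5 = PSK.
render_wgcs_conf() {
    printf 'connections {\n'
    render_conn wgcs-primary  "$3" "$1" "$2"
    render_conn wgcs-failover "$4" "$1" "$2"
    printf '}\n\nsecrets {\n'
    render_secret wgcs-primary  "$3" "$5"
    render_secret wgcs-failover "$4" "$5"
    printf '}\n'
}

# Constructed placeholder values; 185.125.227.1 is the article's example PoP.
# With WGCS_CUSTOMER_ID set, the two PoP IPs are resolved live instead.
if [ -n "${WGCS_CUSTOMER_ID:-}" ]; then
    POP1=$(resolve_pop 1 "$WGCS_CUSTOMER_ID")
    POP2=$(resolve_pop 2 "$WGCS_CUSTOMER_ID")
else
    POP1=185.125.227.1
    POP2=185.125.227.2
fi
render_wgcs_conf 203.0.113.10 192.168.10.0/24 "$POP1" "$POP2" 'REPLACE_WITH_PSK'
```

    Run the script with the placeholders replaced, write its output to /etc/swanctl/conf.d/wgcs.conf and load it with swanctl --load-all. The policy-based routing that steers only port 80 and 443 traffic into whichever tunnel is up is, as the article says, device specific and is not generated here; the remote network stays 0.0.0.0/0 exactly as in the Phase 2 table.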

     

     

    Documented Devices

    There are a number of devices that McAfee has configured with the IPSec tunnel to the Web Gateway Cloud Service.