Trying to work through the following scenario (with support as well), and can't seem to get it to work.
All client have their browsers configured to use a pac file that routes traffic through proxy, then firewall, which works fine.
For those clients who might be able to uncheck the browser setting, we have a rule on our firewall such that if traffic is going to the internet, it much come from the proxy.
The firewall will redirect this traffic back to the proxy, back to port 9090 (as defined in the config/proxies setting). We can not seem to get this to work, the client will see all of their web requests time out if they are not using the pac file.
Support is saying that I do not need to use a L2 transport, or an ICAP server. Network setup is configured as Proxy (optional WCCP) - we do not use wccp.
any thoughts ?
What kind of firewall and how do you have the redirection working?
A simple port forwarding translation from port 80 to 9090 should work. I do this on my home firewall for my wireless network.
You will not ever get this to work with 443 unless you use some sort of L2 forwarding, like WCCP.
Keep in mind that authentication will not work in this manner. You will have to have an additional set of transparent authentication rules in place to handle auth instead of the direct proxy authentication. It is best to setup a different listening port on the proxy to distinguish which authentication you intend to use.
We are using mcafee's firewall, sidewinder for the redirection, and will be changing it to not re-direct 443 traffic.
We are not worried about authentication at this point. (basically if the user remove the pac file setting, they would get limited access) We would prefer that this traffic be handlded with a default policy like we did with version 6.8, but dont see how this is accomplished in V 7.
Do it based on the incoming port.
Your pac file users use port 9090 for example.
On the Sidewinder, just redirect the traffic to 9091, then create a policy around that port.
Hope this helps,
After running through the process described in the KB article above, we are still unable to redirect traffic back to the proxy. If we enable nat on the firewall rule, the proxy will then prompt for authentication, which is not really wanted, but at least we know some traffic is getting to the proxy...
So as I understand this, you want the routed traffic that does not have the ability to proxy to go to the firewall and have the firewall forward the traffic to an internal MWG on port 9091? The authentication that prompts is coming from MWG?
That means it's hitting the rules authetnication rules and prompting, but you want it go out un-authenticated, right? To do that, you have to put a condition on the proxy rules to only authenticate Proxy.Port = 9090. All the 9091 traffic that MWG sees will not be authenticated.
Is that what you are trying to do?
From a high level, we would like it configured such that if a user unchecks the "use pac file" in their browser, the traffic would be routed back to the proxy by the firewall, where it would not be authenticated, and it would only get the default policy. It seems that we had this set up in version 6.8. This originally came about troubleshooting gotomeeting connectivity. Packet captures showed that the gotomeeting java client ignores the pac file file and wants to go direct to firewall. We were hoping that this proxy redirect would solve this issue for us.
I would rather not mess too much with my working authentication scheme. Since the FW is now pushing traffic to the proxy over 9091, how/where do I set up the rule to have the proxy allow traffic from 9091 and not prompt for authentication. thanks