I would like to seek your recommendation on the type of deployment to be used and the ideal placement of the MWG in the attached file. The client requirement is access control and filtering using a dedicated web gateway.
I cannot see anything special in your environment.
So I'd suggest establishing a web gateway in a demilitarized zone that is accessible by firewall rule from internal users and from unmanaged devices.
For unmanaged devices you'll probably have to insert a transparent proxy on your firewall that routes incoming requests on tcp/80 and tcp/443 to the web gateway.
Up to here, this is no rocket science and a common scenario I've realized for many of our customers.
Thanks, Marcus. This is the detail of the requirement: a specific subnet of the internal users must connect to a specific IP address of the MWG and go out to a specific ISP. Is it feasible?
This would be a question for your firewall supporter.
Let's assume all ISPs are directly associated to your firewall. Your internal net is 192.168.1.1/24, and the DMZ, which contains the MWG, is 192.168.2.1/24. The firewall's gateway IP on the DMZ is 192.168.2.1; the MWG has 192.168.2.250.
Basically the MWG acts as a proxy listening by default on port 9090 on 192.168.2.250. So you have to configure the use of a proxy on 192.168.2.250:9090 for the internal clients.
Based on the MWG's ruleset, it forwards the request to the firewall (= default GW = 192.168.2.1), which routes it to the internet.
So it is up to your firewall to decide which ISP to use for this connection. If your firewall is capable of policy-based routing, you may establish a rule to use a certain ISP for the web gateway.
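
One way to hand the proxy setting described in this thread to the internal clients is a PAC file; the following is an added example, not part of the original posts or of any vendor material. It uses the thread's assumed addresses, while the helper names, the direct-access exceptions and the absence of a `DIRECT` fallback are assumptions.

```javascript
// Added example: PAC file for the layout assumed in the thread.
// 192.168.1.0/24 = internal net, 192.168.2.0/24 = DMZ, MWG = 192.168.2.250:9090.
// No "; DIRECT" fallback is listed, so a failed MWG does not turn into
// unfiltered browsing (assumption: filtering must fail closed).
var MWG_PROXY = "PROXY 192.168.2.250:9090";

// Dotted-quad IPv4 -> unsigned integer, or null when the string is not IPv4.
function ipv4ToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside network/prefixLen. Hostnames (non-IPv4) return false.
function inSubnet(ip, network, prefixLen) {
  var a = ipv4ToInt(ip), b = ipv4ToInt(network);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - prefixLen);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Decision logic kept separate from the PAC entry point so it can be tested.
function chooseProxy(clientIp, host) {
  // Internal and DMZ destinations (including the MWG itself) are not proxied.
  if (inSubnet(host, "192.168.1.0", 24) || inSubnet(host, "192.168.2.0", 24)) return "DIRECT";
  // Single-label names such as "intranet" are treated as local (assumption).
  if (host.indexOf(".") === -1) return "DIRECT";
  // Clients in the internal subnet must use the MWG.
  if (inSubnet(clientIp, "192.168.1.0", 24)) return MWG_PROXY;
  // Other clients get no explicit proxy; the firewall's transparent
  // redirect mentioned in the thread is what handles them.
  return "DIRECT";
}

// PAC entry point; myIpAddress() is provided by the browser's PAC runtime.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

A PAC file only steers cooperating clients, so the firewall rule set still has to deny direct outbound web traffic from the internal net for the gateway to be enforced.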