I searched the community and Google already but couldn't find anything regarding this Situation, so I hope to find an answer to this here.
Customer A wants to route the application "Teamviewer" through his proxy infrastracture out to the Internet. Every client and server can only communicate through the explicit proxy. The current webproxy infrastructure is beeing replaced by Web Gateways at the moment, which offer much more granular control over the traffic then the current solution. Unfortunately the architecture of the customers network has some drawbacks which they now try to overcome via the Web Gateways. The architecture is also the reason why allowing Teamviewer is not that easy.
See the actual communication chain first:
Client (Teamviewer) > Firewall1 > Web Proxy > Firewall2 (Hide NAT Proxy) > IPS (Blocks all Teamviewer traffic coming from NAT address) > Internet
As you can see, any traffic coming from the proxy to the internet is routed throug Firewall2 which hides the real proxy IP behind a NAT address. The following IPS System does not offer much logic and just blocks all traffic coming from the proxies NAT address to the public teamviewer networks.
Now there are several possibilities to overcome this issue, but we want to make sure if the following is technically possible with Web Gateway or not.
The communication would look like this:
Is there the opportunity to do this? Please do not offer different solutions like Routing/NATing it differently or changing the IPS ruleset, we know that there are more solutions but need to know the feasibility of this particular technical feature for the project.
Thank you very much in advance,
How many MWGs are there? Also, how are you deployed (proxy, proxyha, router, bridge, etc...)?
Does MWG have to send it out eth2, or can we just use a different IP out eth1? I'm guessing it would give the same results because that might be what the IPS is looking for...
MWG has the ability to control the outbound IP on its way to the server. This would work by doing the following (assuming your using explicit proxy mode):
1. Define an alias IP on eth1 (configuration network interfaces):
2. Define an IP in the "Outbound Source IP list" (Configuration > Proxies > Advanced Outgoing Connection Settings):
3. Use the event "Enable Outbound Source IP Override" in your rules. You will want to do this based on something source based, like the URL, Client IP , or Application name if its detected properly. For testing, I'd start with your client IP, then graduate to others once you have the hang of it.
In the event, we're referencing the list entry from step #2. The 0 (zero) in the event below references the first item in the "Outbound Source IP list" from step #2. Referencing a list rather than a hardcoded IP allows this to scale to multiple appliances which have multiple IPs.
(don't ask me why one is zero-indexed and the other is one-indexed...)
wow thank you for this really helpful and detailed answer!
The organization uses several MWG clusters for different purposes but in this case we will have 4x MWG 5500C devices in place which are setup as Proxy-HA. Does this also work in Proxy-HA mode? I will be at customer site next week so I cannot test this out before that, so that's why I'm asking this now.
PS: I wasn't aware of the IP alias feature so I guess your suggestion is even better than sending it through a separate network interfaces. It is really amazing to how many use cases can be covered with MWG!
No problem, officially it looks like its not supported for ProxyHA. Technically though, I was able to get it to work, so your mileage may vary.
When using ProxyHA, step #2 is not an option, so my rule changed a little bit. In this case 10.10.69.172 is still an alias on eth0
If you scale this out, each appliance would need their own alias IP, and in the rules you dictate that that specific appliance uses the alias IP dedicated to itself.
mwg1 = 10.10.69.172
mwg2 = 10.10.69.173
As it scales it might look better like this:
We have a client that wants to maximize theres 3 ISP in the branch. The requirement is that web traffic will go to specific interface/ISP based on the rule set source and destination criteria:
user group A - Allow List A > ISP1
user group B - Allow List B > ISP2
user group C - Allow List C > ISP3
Thanks in advance