How will I set the following:
Transparent Proxy in Router mode
1.) Do I need to have 2 NICs enabled? What would I set as the NICs' IPs if
1.) the firewall local IP is 192.168.1.1? If there were 2 NICs, what would NIC 1 be and what IP would I set on NIC 2?
a.) What would be the gateway of NIC 1 and NIC 2? Please give me an example.
Transparent Proxy in Bridge mode
1.) How many NICs do I need to set up?
2.) Please give me an example diagram.
How will I set up WCCP if we have routers in 2 branches? Will I redirect port 80/443 to the web gateway for filtering to enable it?
What other things do I need to enable for the WCCP setup?
Thank you, guys.
You should have a quick look at the product guide, starting on page 95. It gives a brief overview of the proxy modes and how to set them up. I do not think that it answers all questions, but it may be a good start.
I will try to show how I understand the proxy modes (which does not mean that these are the only useful deployment methods!):
1.) Transparent Router
LAN Computer ---> MWG ---> Firewall ---> Internet
In a "normal" environment I would have two NICs on MWG. In case the LAN uses the network 172.16.64.0/16, my LAN PC would have the following network configuration as an example:
In this case I would have one NIC on MWG configured with the IP 172.16.64.1/16, so MWG becomes the default gateway for my network. I would configure a second NIC with 192.168.1.2 and set the default gateway on MWG to 192.168.1.1. MWG can only have ONE gateway, which should point towards the internet.
So a client now starts browsing, sends all traffic to MWG, MWG forwards it to the firewall, the firewall forwards it to the internet and vice versa.
It should also be possible to use only one NIC and have the firewall and MWG both acting as routers in the same network, but a router with only one interface does not make too much sense. If you want to keep all networks transparent, bridge mode might be a better choice.
You will need two NICs. Basically you treat MWG like a smart, filtering network cable. An example may look like this:
Client Computer ---> Switch ---> Router (Firewall) ---> Internet
With MWG you just have to hook MWG into the environment:
Client Computer ---> Switch ---> MWG ---> Router (Firewall) ---> Internet
For example, you could remove the firewall from the switch port it currently uses, plug MWG into this port with NIC1 and plug NIC2 into the firewall interface which was in the switch before (no warranty that this works - I think it should).
Clients have the firewall IP as their default gateway. When they talk to the default gateway, all traffic passes MWG. Everything that is not related to HTTP will go into NIC1 and leave via NIC2, just like it would pass a network cable. Everything related to HTTP will be intercepted by MWG. MWG will need one IP address, which could be bound to a third interface or assigned to the bridge itself, to allow talking to the internet and being maintained.
No clue about WCCP. There are some WCCP experts around here.
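To make the two-NIC router-mode addressing from the reply above concrete, here is an added checker (not from the thread or the MWG product) that tests an addressing plan against the constraints the reply states: the LAN-side NIC is the clients' default gateway, the two NICs sit in different networks, and MWG's single default gateway is the firewall on the WAN-side NIC's network. The /24 prefix on the 192.168.1.x side is an assumption; the thread gives none.

```python
"""Addressing-plan checker for the two-NIC transparent-router layout
(LAN PC -> MWG -> Firewall -> Internet) described in the reply above."""
from ipaddress import ip_address, ip_interface


def check_router_plan(lan_nic, lan_clients_gw, wan_nic, default_gw):
    """Return a list of problems; an empty list means the plan is consistent.

    lan_nic, wan_nic: MWG interface addresses as 'a.b.c.d/prefix'
    lan_clients_gw:   default gateway configured on the LAN PCs
    default_gw:       the single default gateway configured on MWG
    """
    problems = []
    lan = ip_interface(lan_nic)          # host bits allowed, e.g. 172.16.64.1/16
    wan = ip_interface(wan_nic)
    gw = ip_address(default_gw)
    clients_gw = ip_address(lan_clients_gw)

    # A router needs two distinct networks to route between.
    if lan.network.overlaps(wan.network):
        problems.append(f"LAN {lan.network} and WAN {wan.network} networks overlap")
    # MWG has exactly one default gateway (the firewall); it must be
    # directly reachable via the WAN-side NIC.
    if gw not in wan.network:
        problems.append(f"default gateway {gw} is not in WAN NIC network {wan.network}")
    elif gw == wan.ip:
        problems.append("default gateway must be the firewall, not MWG's own WAN address")
    # LAN PCs must point at MWG's LAN-side address, otherwise their
    # traffic never passes the proxy.
    if clients_gw != lan.ip:
        problems.append(f"LAN clients use {clients_gw} as gateway, but MWG LAN NIC is {lan.ip}")
    return problems


if __name__ == "__main__":
    # Values from the thread; 192.168.1.0/24 is an assumed prefix.
    print(check_router_plan("172.16.64.1/16", "172.16.64.1", "192.168.1.2/24", "192.168.1.1"))
    # Common mistake: clients still point at the firewall, bypassing MWG.
    print(check_router_plan("172.16.64.1/16", "192.168.1.1", "192.168.1.2/24", "192.168.1.1"))
```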
2.) How can the traffic pass through the web gateway if the default gateway is the firewall? I still don't get it.
Also, if the web gateway is down, would there still be internet or would the communication be down as well?
The client talks to the firewall because the firewall is its default gateway. MWG is deployed as a bridge and is placed between the client and the firewall. When the client sends its packets to the firewall, they physically pass MWG, and MWG picks up the packets it is interested in. As mentioned for bridge mode, MWG acts and feels like a network cable, so there is no need to think about IP addresses; you just put MWG physically between the clients and the current default gateway. There are various options to achieve this.
If this is a network (very simple):
The red cable connects the LAN with the firewall (physically). This is where we could put an MWG in bridge mode, like this:
MWG has two NICs, eth0 and eth1. In bridge mode they do not require an IP address; basically both interfaces act as a bridge, which means that everything you send (physically!) into eth0 comes out again on eth1 and everything you send into eth1 comes out again on eth0.
MWG will pass all traffic untouched unless it is HTTP(S) traffic. In this case it will be intercepted and passed through the proxy.
In this bridge mode MWG still needs at least one IP (could be 192.168.1.2 in the example network), either on a third interface or on the bridge itself. This is required to allow MWG to talk to the firewall (and the internet), and to maintain it.
In case MWG dies, network communication will be interrupted. We have a failover kit which allows bypassing the bridge when the process is down.