My EXTREME apologies if this is covered elsewhere, but google searches, forum searches, and almost complete memorization of the admin guide have not been fruitful...
Or maybe I'm just not seeing it.
We have been directed to implement a network solution where two Bluecoat Proxy Servers are behind two Sidewinders. The entire internal network (6000+ clients) is not routable; we have a single class C that is routable, of which I have 62 IPs.
The configuration I'm looking at is either:
A: Clients -> 80/443 traffic -> WCCP to the Bluecoats -> Bluecoats NAT (non-routable Burb IP), proxy, accelerate, cache -> Sidewinder (web burb) -> HTTP/HTTPS proxy -> Sidewinder NATs to external Cluster IP (routable) -> Web
or B: Clients -> 80/443 traffic -> WCCP to the Bluecoats -> Bluecoats NAT (non-routable Burb IP), proxy, accelerate, cache -> Sidewinder (web burb) -> 80/443 Packet Filter -> Sidewinder NATs to external Cluster IP (routable) -> Web
Hmmm...might be clearer to actually give IPs:
Clients (192.168.X.X) -> Bluecoats (internal 192.168.X.X, external 172.16.80.X) -> Sidewinder (web burb 172.16.80.X, external 140.32.16.X address)
OK, diagram attached.
I realize we are NATing twice -- if I don't, the proxies won't cache (for some reason).
So, my problem: Outbound traffic flows fine -- well, mostly fine, we get some SSL errors (Not valid HTTP or SSL negotiation: SSL V2), but those are known...
What I am seeing is hundreds and hundreds of return errors: For example, an HTTP request goes out (to google.com, for example):
- I see it flowing from the internal network, to the proxies, out the proxies (NATed), to the firewalls, out the firewalls (NATed again), and to the internet.
- The return packet (going to the external cluster IP) is blocked, though -- error message:
date="Feb 14 13:39:36 2011 MST", fac=f_kernel_ipfilter, area=a_nil_area, type=t_attack, pri=p_major, pid=0, ruid=0, euid=0, pgid=0, logid=0, cmd=kernel, domain=, edomain=, hostname=firewall1, category=policy_violation, event=IPv4 packet discarded by rule, srcip=220.127.116.11, srcport=80, srcburb=External, dstip=18.104.22.168, dstport=9754, protocol=6, rule_name="Deny All",reason="This IPv4 packet was discarded because it matched an IP filter drop or deny rule."
What am I doing wrong? I have a rule to allow the proxy servers to talk to the internet via the HTTP/HTTPS proxy service on the firewalls...is that not bidirectional?
Is there a better way to do this?
Thanks LOADS for any help you can provide....I am stumped!
Attachment: Proxy - Firewalls.pdf (78.5 K)
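The audit record quoted in the post is in the Sidewinder key=value format. As an added example (not part of the original post and not a vendor tool), here is a small Python parser for such records that separates drops which have the shape of the reply half of an outbound web flow (from the External burb, source port 80/443, high destination port, TCP) from genuinely unsolicited inbound packets. That lets a defender tell a return-path or NAT-state problem apart from a probe before touching the rule base. The extra sample records are constructed by editing the post's own line; the classification rule, the 1024 ephemeral-port boundary and the per-IP threshold are assumptions of this example, not Sidewinder features.

```python
import re
from collections import Counter

# Sidewinder audit record quoted in the post above (copied verbatim).
POST_RECORD = (
    'date="Feb 14 13:39:36 2011 MST", fac=f_kernel_ipfilter, area=a_nil_area, '
    'type=t_attack, pri=p_major, pid=0, ruid=0, euid=0, pgid=0, logid=0, cmd=kernel, '
    'domain=, edomain=, hostname=firewall1, category=policy_violation, '
    'event=IPv4 packet discarded by rule, srcip=220.127.116.11, srcport=80, '
    'srcburb=External, dstip=18.104.22.168, dstport=9754, protocol=6, '
    'rule_name="Deny All",reason="This IPv4 packet was discarded because it matched '
    'an IP filter drop or deny rule."'
)

# Constructed sample records (not from the post): two more reply-shaped drops to the
# same cluster IP, and one unsolicited probe to a low port. Addresses are made up.
CONSTRUCTED_RECORDS = [
    POST_RECORD.replace("srcport=80", "srcport=443").replace("dstport=9754", "dstport=9801"),
    POST_RECORD.replace("srcip=220.127.116.11", "srcip=203.0.113.7")
               .replace("dstport=9754", "dstport=10422"),
    POST_RECORD.replace("srcip=220.127.116.11", "srcip=198.51.100.9")
               .replace("srcport=80", "srcport=4444").replace("dstport=9754", "dstport=22"),
]

# key=value pairs separated by commas; a value is either double-quoted (and may then
# contain commas) or bare (and may then contain spaces, e.g. the event text).
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')

def parse_record(line):
    """Return one audit record as a dict; quoted values have their quotes removed."""
    rec = {}
    for key, raw in _PAIR.findall(line):
        val = raw.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec

WEB_PORTS = {80, 443}
EPHEMERAL_MIN = 1024  # assumed lower bound for client-side source ports

def classify_drop(rec):
    """Label a record as 'reply_shaped', 'unsolicited' or 'other'.

    reply_shaped: TCP from the External burb, source port 80/443, high destination
    port -- what the reply to a proxied outbound request looks like when the firewall
    evaluates it as a new connection instead of tying it to the outbound session.
    unsolicited: any other discarded packet arriving from External.
    other: not a discard, or not from the External burb.
    """
    if rec.get("event") != "IPv4 packet discarded by rule":
        return "other"
    if rec.get("srcburb") != "External":
        return "other"
    try:
        sport = int(rec["srcport"])
        dport = int(rec["dstport"])
        proto = int(rec["protocol"])
    except (KeyError, ValueError):
        return "unsolicited"
    if proto == 6 and sport in WEB_PORTS and dport >= EPHEMERAL_MIN:
        return "reply_shaped"
    return "unsolicited"

def summarize(lines, threshold=2):
    """Count labels per destination IP; list IPs whose reply-shaped drops reach threshold."""
    per_dst = {}
    for line in lines:
        rec = parse_record(line)
        label = classify_drop(rec)
        per_dst.setdefault(rec.get("dstip", "?"), Counter())[label] += 1
    suspects = sorted(ip for ip, c in per_dst.items() if c["reply_shaped"] >= threshold)
    return per_dst, suspects

if __name__ == "__main__":
    per_dst, suspects = summarize([POST_RECORD] + CONSTRUCTED_RECORDS)
    for ip, counts in per_dst.items():
        print(ip, dict(counts))
    print("destination IPs whose drops look like lost return traffic:", suspects)
```

Run it over an exported audit log one record per line; a cluster IP that collects many reply-shaped drops while genuine probes stay rare points at the outbound session not being recognised on the way back, which is a rule or NAT question rather than an attack to chase.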