1 Reply Latest reply on Feb 12, 2014 9:01 AM by malware-alerts

    Transparent Router triggers "address spoofing" alerts on FW

    malware-alerts

      Synopsis:
      • Running 2x MWG 7.3.2 in transparent router mode with VRRP for failover.
      • MWGs are 'sandwiched' between ISA proxy and Internet firewall.
        • MWG VIP (on eth0 for both) is gateway for ISA proxy
        • Internet FW is gateway for MWGs (on eth1 for both)
          • Just to make clear: both MWGs have 2 legs each (eth1 running 'internal' VIP facing the outbound ISA interface and eth0 facing FW interface)
      • Browsers are configured to hit an internal LB VIP that sends them to the ISA proxies.
        • Both ISA servers have 2 legs as well, internal leg facing the LB and external leg facing the MWG VIP.
      To make things a bit easier to understand:
         {internet}
             |
            FW
             |
          /     \
      MWG1       MWG2
          \     /
           [VIP]
          /     \
      ISA1       ISA2
          \     /
           [LB]
             |
            Wks


      Problem:
      • When browsers are pointed to the ISA proxy, the internet FW triggers 'address spoofing' alerts when the proxy is performing a 'GET' request to an external website.
        • In a TCP trace, I can see the original 'CONNECT' is being intercepted by MWG (spoofing the external website address as per design) but subsequent GET requests are sent directly from the ISA proxy to the FW, thus triggering 'address spoofing' alerts (I'm assuming it is because the FW is expecting subsequent packets to be sent from the originating IP (MWG) instead of coming from the proxy?)
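The observation above (CONNECT handed to the firewall by the MWG, later GETs in the same connection arriving from the ISA directly) is the kind of mid-flow path change that is easiest to confirm from a capture by grouping packets per TCP connection and checking whether the previous hop stays the same. The script below is an added example written for this thread; it is not code from the post, from McAfee or from the MWG product, and it makes no claim about how the firewall's anti-spoofing logic is implemented. Every address, MAC, port and interface name in it is constructed for the demo: 10.10.20.11 stands in for the ISA external leg, 00:00:5e:00:01:01 for the VRRP virtual MAC of the MWG VIP (VRID 1 assumed), 00:1a:2b:3c:4d:01 for the ISA's own NIC and 203.0.113.0/24 for external web sites.

```python
"""Flow path-consistency check over a packet capture summary.

Added example for this thread, not code from the original post or from
McAfee/MWG. All addresses, MACs, ports and interface names are assumptions
constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float           # capture timestamp (seconds)
    ingress_if: str     # firewall interface the packet arrived on
    prev_hop_mac: str   # source MAC on the wire: the device that handed the packet to the FW
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    info: str           # TCP flags or the first line of the payload


MWG_VIP_MAC = "00:00:5e:00:01:01"   # assumed VRRP virtual MAC of the MWG VIP
ISA_NIC_MAC = "00:1a:2b:3c:4d:01"   # assumed MAC of the ISA proxy's external NIC

# Constructed trace as seen on the firewall's inside interface.
TRACE = [
    # Flow A: handshake and CONNECT arrive via the MWG, later GETs arrive straight from the ISA NIC.
    Packet(0.000, "inside", MWG_VIP_MAC, "10.10.20.11", "203.0.113.50", 51000, 443, "SYN"),
    Packet(0.010, "inside", MWG_VIP_MAC, "10.10.20.11", "203.0.113.50", 51000, 443, "CONNECT 203.0.113.50:443 HTTP/1.1"),
    Packet(0.250, "inside", ISA_NIC_MAC, "10.10.20.11", "203.0.113.50", 51000, 443, "GET / HTTP/1.1"),
    Packet(0.900, "inside", ISA_NIC_MAC, "10.10.20.11", "203.0.113.50", 51000, 443, "GET /img/logo.png HTTP/1.1"),
    # Flow B: a control flow whose every packet arrives via the MWG.
    Packet(0.100, "inside", MWG_VIP_MAC, "10.10.20.11", "203.0.113.60", 51001, 80, "SYN"),
    Packet(0.120, "inside", MWG_VIP_MAC, "10.10.20.11", "203.0.113.60", 51001, 80, "GET / HTTP/1.1"),
]


def flow_key(p: Packet) -> tuple:
    """TCP connection identity: client IP/port to server IP/port."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port)


def path_changes(trace):
    """Group packets by connection and report flows whose previous hop changes mid-flow.

    Returns {flow_key: {"first_hop": mac, "deviations": [(ts, mac, info), ...]}}
    containing only flows with at least one packet that did not arrive via the
    same previous hop as the flow's first packet.
    """
    first_hop = {}
    deviations = defaultdict(list)
    for p in sorted(trace, key=lambda x: x.ts):
        k = flow_key(p)
        if k not in first_hop:
            first_hop[k] = p.prev_hop_mac
        elif p.prev_hop_mac != first_hop[k]:
            deviations[k].append((p.ts, p.prev_hop_mac, p.info))
    return {k: {"first_hop": first_hop[k], "deviations": v} for k, v in deviations.items()}


def report(trace):
    """One human-readable line per flagged flow."""
    lines = []
    for (src, dst, sport, dport), d in path_changes(trace).items():
        hops = sorted({mac for _, mac, _ in d["deviations"]})
        lines.append(
            f"{src}:{sport} -> {dst}:{dport}: first hop {d['first_hop']}, "
            f"{len(d['deviations'])} later packet(s) via {', '.join(hops)} "
            f"(e.g. {d['deviations'][0][2]!r})"
        )
    return lines


if __name__ == "__main__":
    for line in report(TRACE):
        print(line)
```

Against the constructed trace only flow A is flagged: its first hop is the MWG VIP MAC and both GETs arrive from the ISA NIC, while the control flow B is silent. To run it on a real capture, fill TRACE from the firewall-side capture (source MAC, IP pair, port pair, timestamp and first payload line per packet); any flow that is flagged is a candidate for the asymmetric path described in the post and is worth checking against the routing on the ISA external leg before touching the firewall's anti-spoofing settings.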
      I read the great document about Transparent implementations vs Direct Proxy and I do understand that the traffic coming out of the ISA proxies will be intercepted by the MWG (which will spoof the requested web site IP address on the initial CONNECT) but I'm wondering if it's normal to trigger the 'address spoofing' prevention of the FW or if it's something I'm doing wrong in my implementation? I'm assuming simply disabling this feature (address spoofing detection) for the ISA 'external' subnet would work, but I need to confirm this before proceeding.
      I'm also thinking of simply going the 'upstream proxy' way (configure the ISAs to use the MWG as an upstream proxy) but I've had a bad experience in the past with a similar implementation using ISA (not involving MWG though) so I would rather go the transparent router way if I have the choice.
      NOTE: No need to tell me transparent implementation is not the best option out there, I already am painfully aware of that. For reasons outside of my control I need to get this transparent implementation working before redoing the web browsing architecture and going the direct proxy route on the MWG while getting rid of the soon-to-be-unsupported ISA servers...
      Thanks for the help!