I have already searched the community and Google but couldn't find anything regarding this situation, so I hope to find an answer here.
Customer A wants to route the application "Teamviewer" through his proxy infrastructure out to the Internet. Every client and server can only communicate through the explicit proxy. The current web proxy infrastructure is being replaced by Web Gateways at the moment, which offer much more granular control over the traffic than the current solution. Unfortunately the architecture of the customer's network has some drawbacks which they are now trying to overcome via the Web Gateways. The architecture is also the reason why allowing Teamviewer is not that easy.
See the actual communication chain first:
Client (Teamviewer) > Firewall1 > Web Proxy > Firewall2 (Hide NAT for Proxy) > IPS (blocks all Teamviewer traffic coming from the NAT address) > Internet
As you can see, any traffic coming from the proxy to the Internet is routed through Firewall2, which hides the real proxy IP behind a NAT address. The following IPS system does not offer much logic and just blocks all traffic coming from the proxy's NAT address to the public Teamviewer networks.
Now there are several possibilities to overcome this issue, but we want to confirm whether the following is technically possible with Web Gateway or not.
- Detect the application "Teamviewer" as an actual application in the Web Gateway ruleset (should be possible)
- Route the traffic over another network interface (eth2) via the ruleset and hide the proxy behind a different NAT address on Firewall2 (is this possible?)
- No policy enforcement for this particular NAT IP address on the IPS
The communication would look like this:
- Client (Default Traffic) > Firewall1 > Web Proxy (eth1) > Firewall2 (Hide NAT for Proxy) > IPS (Enforce normal IPS policies) > Internet
- Client (Teamviewer) > Firewall1 > Web Proxy (eth2!) > Firewall2 (different Hide NAT for Proxy) > IPS (No policy enforcement for this NAT address) > Internet
Is there a way to do this? Please do not offer different solutions like routing/NATing it differently or changing the IPS ruleset; we know that there are other solutions but need to know the feasibility of this particular technical feature for the project.
Thank you very much in advance,