4 Replies Latest reply on Jan 4, 2017 5:50 PM by Jon Scholten

    Route specific traffic over dedicated network interface in Web Gateway via ruleset

    nicolas.wehmeyer

      Hello everyone,

       

I searched the community and Google already but couldn't find anything regarding this situation, so I hope to find an answer here.

       

Customer A wants to route the application "Teamviewer" through his proxy infrastructure out to the Internet. Every client and server can only communicate through the explicit proxy. The current web proxy infrastructure is being replaced by Web Gateways at the moment, which offer much more granular control over the traffic than the current solution. Unfortunately the architecture of the customer's network has some drawbacks which they now try to overcome via the Web Gateways. The architecture is also the reason why allowing Teamviewer is not that easy.

       

      See the actual communication chain first:

      Client (Teamviewer) > Firewall1 > Web Proxy > Firewall2 (Hide NAT Proxy) > IPS (Blocks all Teamviewer traffic coming from NAT address) > Internet

       

As you can see, any traffic coming from the proxy to the Internet is routed through Firewall2, which hides the real proxy IP behind a NAT address. The following IPS system does not offer much logic and just blocks all traffic coming from the proxy's NAT address to the public Teamviewer networks.

       

Now there are several possibilities to overcome this issue, but we want to make sure whether the following is technically possible with Web Gateway or not.

1. Detect the application "Teamviewer" as an actual application in the Web Gateway ruleset (should be possible)
      2. Route the traffic over another network Interface (eth2) via the ruleset and hide the proxy behind a different NAT address on Firewall 2 (Is this possible?)
      3. No policy enforcement for this particular NAT IP address on the IPS

       

      The communication would look like this:

      • Client (Default Traffic) > Firewall1 > Web Proxy (eth1) > Firewall2 (Hide NAT for Proxy) > IPS (Enforce normal IPS policies) > Internet
      • Client (Teamviewer) > Firewall1 > Web Proxy (eth2!) > Firewall2 (different Hide NAT for Proxy) > IPS (No policy enforcement for this NAT address) > Internet

       

Is there a way to do this? Please do not offer different solutions like routing/NATing it differently or changing the IPS ruleset; we know that there are more solutions but need to know the feasibility of this particular technical feature for the project.

       

      Thank you very much in advance,

      Nicolas Wehmeyer

        • 1. Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset
          Jon Scholten

          Hi Nicolas,

           

          How many MWGs are there? Also, how are you deployed (proxy, proxyha, router, bridge, etc...)?

           

          Does MWG have to send it out eth2, or can we just use a different IP out eth1? I'm guessing it would give the same results because that might be what the IPS is looking for...

           

MWG has the ability to control the outbound IP on its way to the server. This would work by doing the following (assuming you're using explicit proxy mode):

           

1. Define an alias IP on eth1 (Configuration > Network Interfaces):

              

           

          2. Define an IP in the "Outbound Source IP list" (Configuration > Proxies > Advanced Outgoing Connection Settings):

           

              

           

3. Use the event "Enable Outbound Source IP Override" in your rules. You will want to do this based on something source-based, like the URL, Client IP, or Application name if it's detected properly. For testing, I'd start with your client IP, then graduate to others once you have the hang of it.

           

          In the event, we're referencing the list entry from step #2. The 0 (zero) in the event below references the first item in the "Outbound Source IP list" from step #2. Referencing a list rather than a hardcoded IP allows this to scale to multiple appliances which have multiple IPs.

           

          (don't ask me why one is zero-indexed and the other is one-indexed...)

           

           

          Hope this helps!

           

          Best Regards,

          Jon

          1 of 1 people found this helpful
          • 2. Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset
            nicolas.wehmeyer

            Hi Jon,

             

            wow thank you for this really helpful and detailed answer!

             

The organization uses several MWG clusters for different purposes, but in this case we will have 4x MWG 5500C devices in place which are set up as Proxy-HA. Does this also work in Proxy-HA mode? I will be at the customer site next week so I cannot test this out before that, which is why I'm asking now.

             

PS: I wasn't aware of the IP alias feature, so I guess your suggestion is even better than sending it through a separate network interface. It is really amazing how many use cases can be covered with MWG!

             

            Best regards,

            Nicolas

            • 3. Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset
              Jon Scholten

              Hi Nicolas,

               

No problem, officially it looks like it's not supported for ProxyHA. Technically though, I was able to get it to work, so your mileage may vary.

               

When using ProxyHA, step #2 is not an option, so my rule changed a little bit. In this case 10.10.69.172 is still an alias on eth0.

If you scale this out, each appliance would need its own alias IP, and in the rules you dictate that each specific appliance uses the alias IP dedicated to itself.

              Meaning:

              mwg1 = 10.10.69.172

              mwg2 = 10.10.69.173

               

               

              As it scales it might look better like this:

               

              Best Regards,

              Jon
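The selection logic the two replies above describe (step 3 of reply #1, and the per-appliance variant for ProxyHA in reply #3), modeled in Python as an added illustration. This is not MWG's own code or ruleset syntax; it only mirrors the decision: rules are evaluated top-down, the first match picks an entry from that node's outbound source IP list by zero-based index, and with no match the proxy keeps its default address. The node names, alias addresses, client subnet, default address and application name are constructed for the example. The range check on the index is there to catch the zero- vs one-indexed confusion Jon mentions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample values for this example; real addresses, node names
# and application names depend on the deployment.
DEFAULT_SOURCE_IP = "10.10.69.10"          # normal (non-alias) proxy address
ALIASES_BY_NODE: Dict[str, List[str]] = {  # "Outbound Source IP list" per appliance
    "mwg1": ["10.10.69.172"],
    "mwg2": ["10.10.69.173"],
}


@dataclass
class Request:
    client_ip: str
    application: str   # name reported by application detection, e.g. "TeamViewer"
    url_host: str


@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    source_ip_index: int  # zero-based index into the node's list, as in the thread


def client_in(net: str) -> Callable[[Request], bool]:
    """Criterion: client address lies in the given subnet."""
    network = ipaddress.ip_network(net)
    return lambda r: ipaddress.ip_address(r.client_ip) in network


def application_is(name: str) -> Callable[[Request], bool]:
    """Criterion: detected application name matches (case-insensitive)."""
    return lambda r: r.application.lower() == name.lower()


def select_source_ip(node: str, request: Request, rules: List[Rule]) -> str:
    """Return the outbound source IP the given node should use for a request.

    Rules are evaluated top-down and the first match wins, mirroring the
    'Enable Outbound Source IP Override' event. Without a match the proxy
    keeps its default source address.
    """
    aliases = ALIASES_BY_NODE.get(node, [])
    for rule in rules:
        if not rule.criteria(request):
            continue
        if not 0 <= rule.source_ip_index < len(aliases):
            # Off-by-one (one-indexed entry) or an alias missing on this node.
            raise IndexError(
                f"rule '{rule.name}' references entry {rule.source_ip_index} "
                f"but node {node} has only {len(aliases)} outbound source IP(s)"
            )
        return aliases[rule.source_ip_index]
    return DEFAULT_SOURCE_IP


# Policy as the thread suggests: a client-IP test rule first, then the
# application-based rule once detection is confirmed to work.
RULES = [
    Rule("test clients use alias", client_in("10.1.2.0/24"), 0),
    Rule("TeamViewer uses alias", application_is("TeamViewer"), 0),
]


if __name__ == "__main__":
    tv = Request("10.5.5.5", "TeamViewer", "teamviewer.example")
    web = Request("10.5.5.5", "HTTP", "example.com")
    for node in ALIASES_BY_NODE:
        print(node, "TeamViewer ->", select_source_ip(node, tv, RULES))
        print(node, "web        ->", select_source_ip(node, web, RULES))
```

Each node only ever selects an alias that is configured on itself, which is the scaling point of reply #3: a rule that names an entry a node does not have fails loudly instead of silently sending traffic from the default address (where the IPS would block it).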

              • 4. Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset
                Jon Scholten

                Hey Nicolas,

                 

                I'm curious, did this work out for you?

                 

                Best Regards,

                Jon