Proxy Server in DMZ

Answered Question
Jul 3rd, 2010
User Badges:

Dear All,


I have an ASA 5520 with inside, outside, and DMZ interfaces. I want to install a proxy server in  DMZ and have all my inside hosts go to the proxy first, before accessing the internet. If I don't want to configure a proxy-server address on each of my internal hosts, is there a way to configure port redirection on the ASA to automaticaly send all outbound internet traffic to the proxy server?


Thanks

Correct Answer by Jennifer Halim about 6 years 12 months ago

As advised earlier, WCCP will only work if the proxy server is in the inside network, not when it's on DMZ.

WCCP only supports traffic being redirected through the same interface.


As per the following:

WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.


quoted from:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jennifer Halim Sun, 07/04/2010 - 00:10
User Badges:
  • Cisco Employee,

ASA only supports N2H2 or Websense to perform URL filtering via the ASA itself, without having to configure proxy server settings on the inside hosts.


Alternatively, if the proxy server supports WCCP, that also works with ASA, however, proxy server needs to be connected to the inside interface as well where the internal hosts are connected. Proxy server can't be connected to the DMZ while the traffic is from inside.


Hope that helps.

rmujeeb81 Sun, 07/04/2010 - 00:21
User Badges:

Hi,


The proxy is actually ISA and we will install it in DMZ as one leg design. If there is no option to redirect web traffic to ISA then we have last option of using proxy ip address in web browsers ?



Thanks

Jennifer Halim Sun, 07/04/2010 - 00:23
User Badges:
  • Cisco Employee,

Unfortunately there is no other option on ASA but to configure the proxy ip address on the web browser.

Correct Answer
Jennifer Halim Sun, 07/04/2010 - 01:38
User Badges:
  • Cisco Employee,

As advised earlier, WCCP will only work if the proxy server is in the inside network, not when it's on DMZ.

WCCP only supports traffic being redirected through the same interface.


As per the following:

WCCP redirect is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.


quoted from:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_wccp.html#wp1094628

Actions

This Discussion