Re: Cisco 1720-Proxy Server???

paul.naujoks · ‎11-14-2001

Is there some way to configure a Cisco 1720 router to point all internet traffic to a proxy server? We accomplish this now by the configuration of NetScape or Internet Explorer on individual workstations, but are looking for a solution that simply direct all internet traffic to the proxy server, which is not on our internal network, without configuring individual workstations. Thanks.

JEREMY GRAY · ‎11-15-2001

There's a difference in the http get when a browser has a proxy configured vs when it does not. This is something to do to with the way subsequent gets are executed within a page as a relative request rather than a full path.

There are high end web cache solutions that you can integrate as transparent proxies that make the configuration of the browser unnecessary, these often employed by ISP's to save bandwidth and improve web performance. Cisco' IOS solution for this is a redirection protocol called WCCP (Web Cache Communication Protocol) which is probably supported on the 1720. HOWEVER this requires WCCP participation by the proxy/cache and the proxy must support transparent cache functions (e.g. it fixes the relative path get problem etc). So unless your proxy supports WCCP transparent cache functions the answer is no, even if you could policy route the packets to the proxy it will not work in most cases.

The next option also requires a proxy/cache that supports transparent proxy, but instead of WCCP you can use a layer4 switch to do the redirection.

Finally, if the manual task of updating your users desktop settings is the problem, find yourself a good MS administrator/guru and ask them how to set the proxy settings during network login.

Or, if this fails, you could always get the users to do the work - If your border/edge router only accepts HTTP from the proxy IP to the Internet, then the users soon learn that they must configure this ... otherwise they don't get web access. But advance notice would be wise ;-)

I hope this helps.

Jeremy.

paul.naujoks · ‎11-15-2001

Thanks Jeremy, you have given me a number of good options to pursue. Our problem is not the browser settings, but rather that you certainly do not need a high school diploma, and thus all are students are eligible, to undo those settings. Adding software that would not allow them to change the settings just adds another layer of challenge for them and becomes less practical as our incoming freshman each have their own laptop to use. Also in the US we have a new law where our federal funds can be impacted if we do not demonstrate that we are providing only filtered content to students. Again, thanks for you help.

Paul

justin.rowe · ‎11-15-2001

Another way is use of route map and access-list

Any traffic matched on www port to be policy routed to next hop

eg

route-map internet_traffic permit 5

match ip address internet_traffic

set ip next-hop (next hop IP address to proxy server)

!

ip access-list extended internet_traffic

permit tcp 192.168.1.0 0.0.0.255 any eq www

!

int E0

ip policy route-map internet_traffic

The above config enables any traffic incomming from Ethernet0 matching internal range, with a destination port of www to be policy routed to next hop.

If you have any querries please reply

imrshaik · ‎12-24-2001

Hi there,

i have a similar question.

what i would like to do is direct my WEB traffic to two proxy servers for load balancing purposes. these two internet proxy servers accept web traffic on ports 3128 and 8080. so we need to translate web traffic from my network to 3128 and 8080 to those two proxy servers. how can this be acheived?