Cisco Support Community

New Member

Applications bypass proxy

Hi,

We have applications on the internal network that are not proxiable.

We already deployed IronPort WSA in inline mode.

We need to let port 1500 pass through to the internet and back to the application.

Do you have any idea how we can do this?

Another question:

If we make the ironport WSA a gateway for workstations, can we consider this a transparent deployment?

Thanks

1 ACCEPTED SOLUTION

Cisco Employee

Re: Applications bypass proxy

By inline mode, do you perhaps mean explicit requests?

Specifying the WSA as a gateway will not work, as the WSA will never route traffic between interfaces.

For a transparent deployment you require e.g. an IOS router and configure WCCP or L4 forwarding to redirect traffic to the WSA. Within the router configuration you can also create exceptions for this application and bypass port 1500 as required.

Remember, the WSA is a proxy "only". To get the most out of it, tie it together with a router that supports WCCP.
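An added illustration of the router-side setup described above (example configuration, not from this thread or from Cisco documentation): WCCP redirection to the WSA with the TCP/1500 application bypassed, plus an inbound ACL so the proxy port is never reachable from the internet. Interface names, addresses, ACL names and the WSA proxy port (3128 is assumed) are placeholders.

```cisco
! Added example, not from the thread: IOS WCCP redirect to the WSA with
! an exception for the non-proxiable TCP/1500 application.
! Assumed values: WSA P1 = 10.1.1.10, WSA P2 public = 203.0.113.10,
! application public = 203.0.113.20, WSA proxy port = 3128.
!
! Redirect list: "permit" entries are redirected to the WSA, "deny"
! entries bypass it. Port 1500 in either direction is left alone so the
! application talks straight through the router.
ip access-list extended WCCP-REDIRECT
 deny   tcp any any eq 1500
 deny   tcp any eq 1500 any
 permit tcp 10.0.0.0 0.255.255.255 any eq www
 deny   ip any any
!
! Only the WSA may register with the router as a WCCP cache engine.
ip access-list standard WCCP-ENGINES
 permit host 10.1.1.10
!
ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-ENGINES
!
! Outside ACL: drop the proxy port before the WSA (Default) Identity
! ever has to refuse it, publish only the application port, and let
! return traffic for sessions the WSA opened outbound come back.
ip access-list extended OUTSIDE-IN
 remark proxy port must never be reachable from the internet
 deny   tcp any host 203.0.113.10 eq 3128
 remark the TCP/1500 application is published directly
 permit tcp any host 203.0.113.20 eq 1500
 remark replies to connections the WSA initiated
 permit tcp any host 203.0.113.10 established
 deny   ip any any log
!
interface GigabitEthernet0/0
 description LAN (client side, WCCP redirect point)
 ip wccp web-cache redirect in
!
interface GigabitEthernet0/1
 description Internet (WSA P2 and application public side)
 ip access-group OUTSIDE-IN in
```

Verify the redirect with `show ip wccp web-cache detail` and the bypass with `show ip access-lists WCCP-REDIRECT` hit counters on the deny lines.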

3 REPLIES
New Member

Applications bypass proxy

Hi

Yes, inline mode that receives only HTTP requests. I just want to ask about the vulnerability of IronPort when we assign the P2 interface the public IP address.

We chose the P2 interface because, by default, it is not listening for proxy requests, unlike P1, which is open for proxy requests.

Choosing P2 therefore doesn't make IronPort an open proxy.

My main concern is attacks coming from the internet/public: how will IronPort deal with them?

thanks

Cisco Employee

Applications bypass proxy

Hi,

In general, if the proxy port is reachable from the internet (I would recommend forbidding this via an ACL on e.g. your WCCP router ahead of it), the best recommendation is to ensure the (Default) Identity matching will refuse proxy usage.

The P1/P2 interfaces have been designed to split client traffic (P1) <-> from the server-side traffic (P2).

The WSA has been hardened to never route or forward packets between interfaces for this reason.

As in this case the proxy is not binding (listening) to this port, it is very unlikely to create e.g. an open proxy. To be sure, you may still configure the Identity to block by default any outside traffic not sourced from your infrastructure.

Cheers,

Stephan
