The transparent redirection term first implied to me that the client will be totally unaware of the presence of a WSA proxy; however, I deployed the following setup and found that the client is receiving an HTTP proxy-redirect message (code 307) with the source IP of the final destination server, but it tells the client to request HTTP from the WSA. Redirection mode is L2 forwarding.
Here is the Setup:
My understanding of transparent redirection in this setup is:
- client sends HTTP GET request to the server
- the switch intercepts the GET and redirects it to the WSA
- the WSA sends the request to the server with source IP of the WSA
- the server replies to the WSA
- the WSA replies to the client (not sure if the source will be spoofed as server IP or WSA)
However, my findings were different... again, an HTTP redirect arrives at the client with the WSA URL.
The HTTP 307 redirect is likely coming because you are using authentication. The way the WSA performs NTLM authentication is to redirect the browser to access the WSA directly, so that NTLM authentication can happen. Once authenticated, another 307 will redirect it back to the original website.
If you are looking for a 100% transparent deployment, you may want to consider deploying the Cisco Context Directory Agent so that the WSA can ask the agent which user is logged onto that IP (instead of doing the NTLM authentication).
The term Transparent really just means the browser does not have a proxy setting.
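The redirect sequence described in the answer above, as an added example that is not part of the original thread: a Python check that walks a browser-side HTTP trace and reports a 307 detour to another host and back. The trace, hostnames and URL paths are constructed placeholders, and the `401` with `WWW-Authenticate: NTLM` is the standard HTTP NTLM challenge assumed here, not captured WSA output.

```python
from urllib.parse import urljoin, urlsplit

# Constructed trace of (requested URL, status, response headers), in the order
# the browser saw them. Hostnames and paths are placeholders, not WSA formats.
TRACE = [
    ("http://www.example.com/index.html", 307,
     {"Location": "http://wsa.example.internal/auth?orig=placeholder"}),
    ("http://wsa.example.internal/auth?orig=placeholder", 401,
     {"WWW-Authenticate": "NTLM"}),
    ("http://wsa.example.internal/auth?orig=placeholder", 307,
     {"Location": "http://www.example.com/index.html"}),
    ("http://www.example.com/index.html", 200, {}),
]

def host(url):
    return urlsplit(url).hostname

def redirect_host(url, headers):
    """Host named by the Location header, resolving relative values."""
    loc = headers.get("Location")
    return host(urljoin(url, loc)) if loc else None

def find_auth_detour(trace):
    """Return (origin_host, detour_host, saw_ntlm) if the trace contains a 307
    away from the requested host followed by a 307 back to it, else None."""
    for i, (url, status, headers) in enumerate(trace):
        origin, detour = host(url), redirect_host(url, headers)
        if status != 307 or detour is None or detour == origin:
            continue
        saw_ntlm = False
        for url2, status2, headers2 in trace[i + 1:]:
            if host(url2) != detour:
                break  # browser left the detour host without being sent back
            scheme = headers2.get("WWW-Authenticate", "").split()
            if status2 == 401 and scheme and scheme[0].upper() == "NTLM":
                saw_ntlm = True
            if status2 == 307 and redirect_host(url2, headers2) == origin:
                return origin, detour, saw_ntlm
    return None

if __name__ == "__main__":
    print(find_auth_detour(TRACE))
```

A result with `saw_ntlm` set to `True` matches the authentication detour the answer describes; `None` means the trace shows no redirect away from the requested host and back.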