Transparent HTTP Proxy

Discuss and get help configuring CacheGuard to protect Web end-users
eb_ottawa
Posts: 10
Joined: 21 Jul 2017 13:53

Re: Transparent HTTP Proxy

Post by eb_ottawa » 25 Jul 2017 18:13

Was checking logs on the pfSense and they're heading out to the CG. Which services need to be running on the CG?
Current output.


mode router                 on
mode dns                    on
mode dhcp                   off
mode snat                   off
mode firewall               off
mode vlan                   off
mode ha                     off
mode qos                    off
mode ftppassive             off
mode web                    on
mode tweb                   on
mode sslmediate             off
mode rweb                   off
mode guard                  on
mode antivirus              on
mode authenticate           off
mode cache                  on
mode compress               off
mode log                    on
mode anonymous              on
mode waf                    off

eb_ottawa
Posts: 10
Joined: 21 Jul 2017 13:53

Re: Transparent HTTP Proxy

Post by eb_ottawa » 25 Jul 2017 18:20

Added the subnet to "Transparent Networks" under Network > Main Settings and that seemed to have done the trick.

david
Posts: 148
Joined: 08 Aug 2015 20:38

Re: Transparent HTTP Proxy

Post by david » 25 Jul 2017 18:28

Actually you mentioned this:
Workstation IP is .13 -> pfSense CG Vlan .254 -> CG .250 -> ASA -> Internet
Which is not exactly the same as the network topology we used in our lab. Does it mean that in addition to this your pfSense is directly connected to your ASA? I mean do you have the following (the difference between your topology and ours is in red):

pfSense --> CG --> ASA --> Internet
pfSense --> ASA --> Internet

Below are the firewall rules that we used in our lab.

WANGW is the default gateway for traffic other than Web traffic (80). It represents your ASA.
Please note the order (the rule with route via CG is before the rule with the default gateway).
I hope it could help.
Attachments
pfSense-PolicyRouting-CacheGuard.png
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

eb_ottawa
Posts: 10
Joined: 21 Jul 2017 13:53

Re: Transparent HTTP Proxy

Post by eb_ottawa » 25 Jul 2017 18:30

It actually works properly now... as follows


Workstation VLAN -> Office ASA -> pfSense Router (we have multiple WANs for backup) -> Fibre PTP -> CG -> ASA -> Internet

(CG is VLAN'd over the Fibre PTP as to bypass the ASA for the internal interface on CG)

Used to be a routing nightmare, but I've been doing cleanup since I got here (8 months ago). Really liking the product. Next step, SSL Mediation.

david
Posts: 148
Joined: 08 Aug 2015 20:38

Re: Transparent HTTP Proxy

Post by david » 25 Jul 2017 18:30

Your configuration seems to be good. You can turn off the dns mode if you don't use CG as DNS for other machines.
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

eb_ottawa
Posts: 10
Joined: 21 Jul 2017 13:53

Re: Transparent HTTP Proxy

Post by eb_ottawa » 25 Jul 2017 18:33

Thanks for all the help.

So yes, next step SSL Mediation then HA... COO approved purchase, so it's good to have a great forum here with staff replying promptly as documentation is on the low side.

david
Posts: 148
Joined: 08 Aug 2015 20:38

Re: Transparent HTTP Proxy

Post by david » 25 Jul 2017 18:43

If you define transparent networks ([NETWORK] > [Main Settings] > [Transparent Networks]), you tell CG to only intercept traffic from those networks and let traffic from other networks be simply routed (without interception --> without any treatment by CG). If no transparent network is defined, all networks are intercepted by default.

I'm happy to hear that it works now. Please note that for security reasons it's preferable that you turn the Audit mode off once you finish your tests.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com
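
The rule order and the transparent-network behaviour described in this thread can be modelled to check which clients would pass through CG unfiltered. This is an added example, not code from CacheGuard or from any poster; the addresses are constructed documentation ranges, the function names are hypothetical, and pfSense rules are assumed to be evaluated top-down with the first match winning.

```python
import ipaddress

# Policy-routing rules as (destination port or None for any, gateway).
# Gateway names follow the thread: "CG" and "WANGW" (the ASA).
RULES_CG_FIRST = [(80, "CG"), (None, "WANGW")]       # order recommended above
RULES_DEFAULT_FIRST = [(None, "WANGW"), (80, "CG")]  # wrong order, for comparison


def next_hop(rules, dst_port):
    """Return the gateway of the first rule matching the destination port."""
    for port, gateway in rules:
        if port is None or port == dst_port:
            return gateway
    return None  # no rule matched


def cg_action(src_ip, transparent_networks):
    """Model CG's decision as described in the thread: with no transparent
    network defined every source is intercepted; otherwise only listed
    networks are intercepted and everything else is routed untreated."""
    if not transparent_networks:
        return "intercept"
    addr = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(n) for n in transparent_networks]
    return "intercept" if any(addr in n for n in nets) else "route"


def path(src_ip, dst_port, rules, transparent_networks):
    """Combine both decisions into one verdict for a client flow."""
    gw = next_hop(rules, dst_port)
    if gw is None:
        return "dropped: no matching rule"
    if gw != "CG":
        return f"{gw}: bypasses CG"
    return f"CG: {cg_action(src_ip, transparent_networks)}"


if __name__ == "__main__":
    # Constructed sample clients and transparent-network list.
    transparent = ["192.0.2.0/24"]
    for src in ("192.0.2.13", "198.51.100.7"):
        for port in (80, 443):
            print(src, port, path(src, port, RULES_CG_FIRST, transparent))
```

A source that ends up as "CG: route" or "WANGW: bypasses CG" receives none of the guard, antivirus or cache treatment, so a subnet missing from the transparent list is a filtering gap rather than a connectivity fault.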
