rustyrpage
asked on
Cisco ASA 5520 routing statements
We have a hosted web defense product that we have acquired - in order for the web-defense to work, it needs to have all of your port 80 traffic routed to their proxy server. That said, we are looking for a way to route all outbound port 80 traffic from our network to the public proxy of our hosted web-defense product. I have had mixed opinions as to whether or not this is possible. Obviously our incoming traffic would have to remain as it is since we have many servers inside that use port 80.
What are our options?
Thanks!
ASKER
The reason for doing it on the gateway is for all non-domain computers & for ones that are not always on the LAN.
We had this same problem.
The solution is... Microsoft ISA Proxy server.
It will allow proxy chaining.
So you point all of your http, https, ftp etc. traffic to the ISA and from the ISA redirect to the hosted proxy service (Websense in our case). I tried it with Sun, but didn't have time to work it out with the free solution so we stuck with the ISA. This would be done regardless of the firewall that you use. The FWSM (and I assume the ASAs) will only allow http forwarding to a proxy server on your network.
Unfortunately, the proxy settings must be removed once the computer leaves your LAN.
If the hosted proxy supports WCCP, use that on the ASA to forward web traffic to it.
ASKER
Can you explain WCCP a bit more?
As far as using ISA - I am not sure what the point of that would be......for a majority of our users, we have them pointing to a proxy server internally that does an AD authentication - but it's for the ones that do not have the ability to change their proxy settings.
ASKER
The hosted one that we are using has a squid proxy server that does LDAP authentication, so that is similar to what we are doing.
CCI IT - for you, you could probably get by with writing a proxy auto-config file to say "if IP address is on our network, then use these proxy settings, if not, then don't use one". The problem with going through the VPN is that all outside traffic for us would then come through our main internet pipe, which could be A LOT.
then the rest, I would configure proxy for all clients with exception for local addresses (like on IE, do not use proxy for LAN address).
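The proxy auto-config idea raised in the thread (use the proxy only while the client is on the internal network, and bypass it for local addresses), written out as a PAC file. This is an added example, not code from any poster; the LAN range `10.0.0.0/8` and the proxy address `proxy.example.net:3128` are placeholder assumptions, the helpers `ipToInt`, `inNet` and `chooseProxy` are hypothetical names, and it handles IPv4 only.

```javascript
// Added example: PAC logic for "on our network -> hosted proxy, otherwise none".
// Assumed values (not from the thread): LAN range and hosted proxy address.
var LAN_NET = "10.0.0.0";
var LAN_MASK = "255.0.0.0";
var HOSTED_PROXY = "PROXY proxy.example.net:3128"; // placeholder

// Convert a dotted-quad IPv4 string to a number; null if it is not valid IPv4.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside net/mask. Malformed input never matches.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), k = ipToInt(mask);
  if (a === null || b === null || k === null) return false;
  return ((a & k) >>> 0) === ((b & k) >>> 0);
}

// Decision kept separate from the browser hooks so it can be checked offline.
function chooseProxy(clientIp, host) {
  // Off the LAN, or address unknown (e.g. 127.0.0.1): do not use a proxy.
  if (!inNet(clientIp, LAN_NET, LAN_MASK)) return "DIRECT";
  // Local destinations: single-label names and literal LAN addresses.
  if (host.indexOf(".") === -1 || inNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
  return HOSTED_PROXY;
}

// Entry point the browser calls; myIpAddress() is a standard PAC built-in.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

On multi-homed or VPN-connected clients `myIpAddress()` can return an unexpected interface address, so confirm what it reports on a sample of machines before relying on the on-LAN check.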