Solved

Routing internet traffic from VPN connections through web gateway

Posted on 2011-03-01
Last Modified: 2012-05-11
We replaced our old web proxy server with a Symantec Web Gateway appliance (8450), which is connected in an inline configuration between our firewall/router (Cisco ASA 5510) and the LAN of our main site. Internet traffic is now not routed through a proxy server.

So far, the appliance works really well and has quite a few advantages. However, we have an issue as we have two remote sites that are connected via a VPN tunnel from the Cisco ASA 5510. Whilst in the past the internet traffic from these two sites was directed to the proxy server (at our main site), as the VPN connections are on the wrong side of the Symantec web gateway appliance, users in these two sites.

The networking contractor says there is no other solution to this issue other than setting up another proxy server in the main site, or alternatively purchasing another Cisco ASA firewall and another internet connection. We are not keen on either of these solutions for various reasons.

Configuring Cisco routers is not my field of expertise/capability, so I just want to know what other options are possible (if any) that I can get the contractor to investigate. Is it, say, possible to configure the Cisco firewalls on the remote sites to channel internet traffic to perhaps the gateway at our main site? If it makes any difference, the Cisco ASA firewall at our main site has got one spare Ethernet port.
Question by:lfrs_org

3 Comments

Expert Comment
by:Craig Beck (LVL 45)
ID: 35008776
If I've got the picture in my head correct, you could put the web gateway in front of your ASA at the main site, then send ALL traffic from your remote sites via the Site-to-Site VPN, in effect blocking direct web access via the branch routers and forcing web access via the web gateway.  This is probably not ideal (and personally I wouldn't advise any of my customers to do this unless you can adequately firewall your web gateway), but it should work.

Author Comment
by:lfrs_org
ID: 35008895
Thanks for your reply, craigbeck. Funnily enough, we did discuss that option but dismissed it precisely for the reason you mentioned - that the web gateway would be the wrong side of the firewall.

Accepted Solution
by:gavving (LVL 9), earned 50 total points
ID: 35013249
Is your Symantec device between your ASA and your internal LAN?  If so then routing all Internet traffic back to the core site through the VPN to the ASA won't solve the problem anyway.  The Symantec device would never see it.

If you put the Symantec device on the outside of the ASA firewall, it won't work the way you want it to I'd imagine.

If the Symantec device does not have a 'proxy' mode or function, then you could jump through some networking hoops with additional hardware and use GRE tunnels, but it'd be expensive (unless you already have internal layer-3 switches or routers at each site) and complicated.  Honestly it looks like it'd be cheaper to just buy another Symantec Web Gateway for the remote sites.

The least expensive option would probably be to install Squid proxy on a server protected by the Symantec device and force proxy settings on the remote users. http://www.squid-cache.org/
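Added example (not from the original thread or from any of the posters): a proxy auto-configuration (PAC) script of the kind that could be handed to browsers at the two remote sites to implement gavving's suggestion of forcing proxy settings, so that their web traffic is sent to a Squid proxy on the main-site LAN behind the inline Symantec appliance and is therefore inspected by it, while intranet traffic stays direct. The proxy address 10.0.0.50:3128, the internal subnets and the domain example.internal are constructed placeholders, not values from the thread. PAC helpers such as isInNet are normally supplied by the browser; this script carries its own CIDR check so it runs stand-alone.

```javascript
// Constructed PAC file: browsers at the remote sites load this (via GPO, WPAD or DHCP)
// and call FindProxyForURL for every request.
var PROXY = "PROXY 10.0.0.50:3128";            // hypothetical Squid host on the main-site LAN
var INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];
var INTERNAL_DOMAIN = ".example.internal";     // constructed internal DNS suffix

// Convert dotted-quad IPv4 text to an integer (no bitwise ops, to avoid 32-bit sign issues).
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) n = n * 256 + parseInt(parts[i], 10);
  return n;
}

// True if ip lies inside cidr, e.g. inCidr("10.1.2.3", "10.0.0.0/8").
function inCidr(ip, cidr) {
  var bits = cidr.split("/");
  var prefix = parseInt(bits[1], 10);
  var block = Math.pow(2, 32 - prefix);           // size of the host part
  return Math.floor(ipToInt(ip) / block) === Math.floor(ipToInt(bits[0]) / block);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names (intranet servers) never leave the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";

  // IP literals: internal ranges go direct, anything else is public and goes via the proxy.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (inCidr(host, INTERNAL_NETS[i])) return "DIRECT";
    }
    return PROXY;
  }

  // Company DNS suffix stays direct; everything else must traverse the proxy behind the gateway.
  if (host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return "DIRECT";
  return PROXY;
}
```

There is deliberately no "; DIRECT" fallback after the proxy: if Squid is unreachable the browser fails rather than quietly bypassing the web gateway. A PAC file is only a client-side hint, so it belongs alongside the blocking of direct web access from the branch routers that craigbeck mentioned; without that, a user can simply clear the proxy setting.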