Solved

Routing internet traffic from VPN connections through web gateway

Posted on 2011-03-01
Last Modified: 2012-05-11
We replaced our old web proxy server with a Symantec Web Gateway appliance (8450), which is connected in an inline configuration between our firewall/router (Cisco ASA 5510) and the LAN of our main site. Internet traffic is now not routed through a proxy server.

So far, the appliance works really well and has quite a few advantages. However, we have an issue as we have two remote sites that are connected via a VPN tunnel from the Cisco ASA 5510. Whilst in the past the internet traffic from these two sites was directed to the proxy server (at our main site), as the VPN connections are on the wrong side of the Symantec web gateway appliance, users in these two sites.

The networking contractor says there is no solution to this issue other than setting up another proxy server at the main site, or alternatively purchasing another Cisco ASA firewall and another internet connection. We are not keen on either of these solutions for various reasons.

Configuring Cisco routers is not my field of expertise/capability, so I just want to know what other options are possible (if any) that I can get the contractor to investigate. Is it, say, possible to configure the Cisco firewalls at the remote sites to channel internet traffic to perhaps the gateway at our main site? If it makes any difference, the Cisco ASA firewall at our main site has one spare Ethernet port.
Question by: lfrs_org
3 Comments

Expert Comment by: Craig Beck (ID: 35008776)
If I've got the picture in my head correctly, you could put the web gateway in front of your ASA at the main site, then send ALL traffic from your remote sites via the Site-to-Site VPN, in effect blocking direct web access via the branch routers and forcing web access via the web gateway. This is probably not ideal (and personally I wouldn't advise any of my customers to do this unless you can adequately firewall your web gateway), but it should work.

Author Comment by: lfrs_org (ID: 35008895)
Thanks for your reply craigbeck. Funnily enough, we did discuss that option but dismissed it precisely for the reason you mentioned - that the web gateway would be on the wrong side of the firewall.

Accepted Solution by: gavving (earned 200 total points, ID: 35013249)
Is your Symantec device between your ASA and your internal LAN? If so, then routing all Internet traffic back to the core site through the VPN to the ASA won't solve the problem anyway. The Symantec device would never see it.

If you put the Symantec device on the outside of the ASA firewall, it won't work the way you want it to, I'd imagine.

If the Symantec device does not have a 'proxy' mode or function, then you could jump through some networking hoops with additional hardware and use GRE tunnels, but it'd be expensive (unless you already have internal layer-3 switches or routers at each site) and complicated. Honestly, it looks like it'd be cheaper to just buy another Symantec Web Gateway for the remote sites.

The least expensive option would probably be to install Squid proxy on a server protected by the Symantec device and force proxy settings on the remote users. http://www.squid-cache.org/
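The accepted answer's last option depends on "forcing proxy settings on the remote users". One standard way to do that is a proxy auto-config (PAC) script pushed to the remote-site browsers (via DHCP/WPAD or group policy), which sends internet-bound requests to the Squid server behind the Symantec gateway while letting site-to-site traffic stay inside the VPN. The script below is an added example, not code from the thread or from the Squid project; the proxy address 10.0.0.5:3128, the three 10.x.0.0/16 site networks and the small static name table are all assumed placeholders. Browsers supply isInNet() and dnsResolve() natively; they are re-implemented here so the script runs and can be checked outside a browser.

```javascript
// Added example (not from the original thread): PAC script that routes
// remote-site browser traffic through a Squid proxy at the main site.
// All addresses are assumptions, not values from the thread.

const PROXY = "PROXY 10.0.0.5:3128";   // assumed Squid host behind the Symantec gateway
const DIRECT = "DIRECT";

// Assumed internal networks: main site 10.0.0.0/16, remote sites 10.1.0.0/16, 10.2.0.0/16.
// Traffic to these stays inside the VPN instead of hairpinning through the proxy.
const INTERNAL_NETS = [
  ["10.0.0.0", "255.255.0.0"],
  ["10.1.0.0", "255.255.0.0"],
  ["10.2.0.0", "255.255.0.0"],
];

// Dotted-quad IPv4 string -> unsigned 32-bit number, or null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Stand-in for the browser-provided PAC helper isInNet(); host must already be an IP.
function isInNet(ip, net, mask) {
  const a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  // ">>> 0" keeps the comparison unsigned when the high bit is set.
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Stand-in for the PAC helper isPlainHostName(): true for unqualified names.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Stand-in for dnsResolve(): a constructed static table of internal names.
// Names that do not resolve fall through to the proxy, so an unknown name
// can never be used to bypass inspection.
const STATIC_DNS = {
  "intranet.example.local": "10.0.1.10",
  "fileserver.example.local": "10.1.0.20",
};
function dnsResolve(host) {
  return STATIC_DNS[host] || null;
}

// The entry point every PAC script must define.
function FindProxyForURL(url, host) {
  // Unqualified names (e.g. "printer") are local to the site: go direct.
  if (isPlainHostName(host)) return DIRECT;
  // Literal IPs or resolvable internal names inside our networks: go direct.
  const ip = ipToInt(host) !== null ? host : dnsResolve(host);
  if (ip !== null) {
    for (const [net, mask] of INTERNAL_NETS) {
      if (isInNet(ip, net, mask)) return DIRECT;
    }
  }
  // Everything else is internet traffic: force it through the main-site proxy,
  // which sits behind the Symantec gateway, so it is inspected like main-site traffic.
  return PROXY;
}
```

The PAC only covers applications that honour browser proxy settings; anything that ignores them still needs the remote-site firewalls to block direct outbound web access, otherwise the proxy is a suggestion rather than an enforced path.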