Solved

Routing internet traffic from VPN connections through web gateway

Posted on 2011-03-01
Last Modified: 2012-05-11
We replaced our old web proxy server with a Symantec Web Gateway appliance (8450), which is connected in an inline configuration between our firewall/router (Cisco ASA 5510) and the LAN of our main site. Internet traffic is now not routed through a proxy server.

So far, the appliance works really well and has quite a few advantages. However, we have an issue as we have two remote sites that are connected via a VPN tunnel from the Cisco ASA 5510. Whilst in the past the internet traffic from these two sites was directed to the proxy server (at our main site), as the VPN connections are on the wrong side of the Symantec web gateway appliance, users in these two sites.

The networking contractor says there is no other solution to this issue other than setting up another proxy server in the main site, or alternatively purchasing another Cisco ASA firewall and another internet connection. We are not keen on either of these solutions for various reasons.

Configuring Cisco routers is not my field of expertise/capability, so I just want to know what other options are possible (if any) that I can get the contractor to investigate. Is it, say, possible to configure the Cisco firewalls on the remote sites to channel internet traffic to perhaps the gateway at our main site? If it makes any difference, the Cisco ASA firewall at our main site has got one spare Ethernet port.
Question by:lfrs_org

Expert Comment

by:Craig Beck
ID: 35008776
If I've got the picture in my head correct, you could put the web gateway in front of your ASA at the main site, then send ALL traffic from your remote sites via the Site-to-Site VPN, in effect blocking direct web access via the branch routers and forcing web access via the web gateway.  This is probably not ideal (and personally I wouldn't advise any of my customers to do this unless you can adequately firewall your web gateway), but it should work.

Author Comment

by:lfrs_org
ID: 35008895
Thanks for your reply craigbeck. Funnily enough, we did discuss that option but dismissed it precisely for the reason you mentioned - that the web gateway would be the wrong side of the firewall.

Accepted Solution

by: gavving
ID: 35013249
Is your Symantec device between your ASA and your internal LAN? If so then routing all Internet traffic back to the core site through the VPN to the ASA won't solve the problem anyway. The Symantec device would never see it.

If you put the Symantec device on the outside of the ASA firewall, it won't work the way you want it to I'd imagine.

If the Symantec device does not have a 'proxy' mode or function, then you could jump through some networking hoops with additional hardware and use GRE tunnels, but it'd be expensive (unless you already have internal layer-3 switches or routers at each site) and complicated. Honestly it looks like it'd be cheaper to just buy another Symantec Web Gateway for the remote sites.

The least expensive option would probably be to install Squid proxy on a server protected by the Symantec device and force proxy settings on the remote users. http://www.squid-cache.org/
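
One way to "force proxy settings on the remote users", as the accepted answer suggests, is a proxy auto-config (PAC) file pushed to the branch-site browsers. The sketch below is an added example, not part of the original thread; the proxy host name and port, the internal domain suffix and the subnets are constructed placeholders.

```javascript
// Added example: PAC file for branch-site browsers. The proxy host, port,
// domain suffix and subnets are constructed placeholders, not from the thread.
var PROXY = "PROXY squid.main.example:3128"; // hypothetical Squid behind the gateway
var INTERNAL_SUFFIX = ".corp.example";       // hypothetical internal DNS domain
var INTERNAL_NETS = [                        // reached over the site-to-site VPN
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8]
];

// Dotted-quad IPv4 literal -> unsigned 32-bit number, or null if not an IP.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip (a number) lies inside base/bits.
function inCidr(ip, base, bits) {
  var start = ipToInt(base);
  return ip >= start && ip < start + Math.pow(2, 32 - bits);
}

function isInternal(host) {
  host = host.toLowerCase();
  // Single-label names (no dot, not an IPv6 literal) are local.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  var ip = ipToInt(host);
  if (ip === null) return false;
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inCidr(ip, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently leaving the branch unfiltered.
  return PROXY;
}
```

A PAC file only steers well-behaved clients, so it is normally paired with a rule on the branch firewall that denies direct outbound web traffic. The proxy itself has to sit on the LAN side of the inline appliance so that its outbound requests cross the web gateway.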