Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Wireless clients bypassing proxy, firewall instead

Posted on 2016-08-03
Medium Priority
Last Modified: 2016-11-28
I have an issue with wireless client networks in my network that cannot use the proxy service for authentication in order to traverse into our network (I'll call it Network A)
The policy for Network A is that all traffic into it must be proxied.  I will be able to get a waiver on that policy for the wireless devices that cannot work through a policy, if I can come up with a secure alternative.
So I am looking for some ideas.  I can have these wireless devices (networks) traverse thru a firewall but I don't think that will suffice to equal the security of using the proxies.
Any wireless security experts and/or firewall experts to get me rolling here?
Question by:Ted James
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 47

Expert Comment

by:Craig Beck
ID: 41741399
Use a transparent (or inline) proxy that sits between the clients and the router/firewall.

Author Comment

by:Ted James
ID: 41748202
My technician recommended not using a transparent proxy because much of the Apple as well as the Android services would fail.  It was tested and failed for all iPhones and many of the Androids.

Author Comment

by:Ted James
ID: 41764685
My main issue is outbound to the internet.  iphones need to get to Apple's APNS to register and do updates and fixes if needed.  The devices are not proxy aware and my corporate mandates all internet traffic to be proxied.
My proposed temporary workaround until a final solution is to have all iphone devices enterprise wide be provisioned to be in one vlan and have that vlan be the only subnet to route around the proxy and touch the Apple APNS network.  So that singular route and that route only.  But what about the reverse direction.  At some point the Apple network needs to connect back to the iphone.  How would it know where the phone is?

Is there a workaround?  How has this been done before?

What about using a "push" instead of allowing the APNS to pinhole thru the firewall to reach back to the iphones?  Is that feasible and how would that work?
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

LVL 47

Expert Comment

by:Craig Beck
ID: 41765874
If it failed it's probably configured wrong. I've done it for thousands of Apple and Android devices. You may have issues with HTTPS traffic but everything else should work fine if the proxy can handle it.

If you bypass the proxy you can simply NAT clients.

Author Comment

by:Ted James
ID: 41767368
I have learned more from my technician to share with you.  According to Apple support, the iPhones are definitely not proxy aware so they told us (my technician) that we HAVE to bypass the proxy, and specifically what ports to allow to their network.
When you say "if it failed, it's probably configured wrong" are you talking about the configuration of the devices or configuration of the proxy?

FYI, if I NAT clients, we could eventually have over 20000 clients, not sure if any NATing would make this more secure...

More importantly, since you've done this for many Apple devices can you share your method?  Any docs you can share on how it's done?
LVL 47

Accepted Solution

Craig Beck earned 2000 total points
ID: 41767421
Apple devices 100% support proxy. They don't need to support config parameters for transparent proxy though if the proxy is inline with your internet gateway, or you use WCCP, for example, but simply look at any Wifi connection you have on your iDevice and you'll see the option for HTTP proxy.

Author Comment

by:Ted James
ID: 41768953
Wow, interesting that the Apple engineers my tech spoke to said that they are not proxy aware.  -I'm thinking maybe they were just salesmen that he was talking to.

OK thanks Craig.  I'll take that info to my tech team.
Before we close, just one more piece of info, -the proxy they use for outgoing internet is Bluecoat, if that changes anything in your answer...?

Author Closing Comment

by:Ted James
ID: 41904131
Thank you.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

DECT technology has become a popular standard for wireless voice communication. DECT devices are not likely to be affected by other electronic devices and signals because they operate in a separate frequency-band.
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question