Bluecoat Proxy Deployment Design

Hello
Currently we have TMG as the web proxy and Websense for web filtering.
We are going to replace TMG with Bluecoat SG Appliance.

Hence I need to know which design is considered best in terms of security and efficiency.

We have 1500 users.

Any help would be appreciated.
cciedreamer asked:

Jeyaraj Kathiresan (Cyber Security Analyst) commented:
Considering the number of users, security and robustness, the explicit mode of deployment is recommended for the environment.

Not prone to single point of failure.
Network downtime is not required for deployment.
Proxied policies can be explicitly pushed to clients through a PAC file or the proxy settings in Internet Options.
cciedreamer (Author) commented:
Hi Jeyaraj,

Thanks for the response.

Where should I keep Websense in the deployment?
Bluecoat should use Websense only as a database for web filtering.
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
Hi cciedreamer

By default, the latest Bluecoat ProxySG 6.x version supports:

Local Database (Locally pushed through custom URLs)
Bluecoat Webfilter (Requires license)
IWF Database (Open Source DB by Internet Watch Foundation)
Proventia (3rd Party)
Optenet (3rd Party)

You can refer to the document below for integrating the Websense DB with Bluecoat. However, I suppose that might be possible on 5.x versions.
https://www.websense.com/content/support/library/web/v75/wws_bc_rpt_supp/Blue%20Coat%20Reporting%20Supplement.pdf

Or, the content filtering database can be downloaded locally and pushed to the Bluecoat ProxySG manually.

For explicit proxy configuration, the ProxySG device can be placed in the DMZ of the network.
cciedreamer (Author) commented:
Hi Jeyaraj,

What if I want to deploy the proxy in transparent mode along with Bluecoat and Websense integration?
Also I want to authenticate domain users before gaining internet access.

Please advise the deployment design.
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
Hi cciedreamer,

For a transparent deployment, you would require the ProxySG appliance to work in bridged mode. So, one interface in the appliance should be connected to the core switch and the other should be connected to the perimeter device (firewall/router). In this case, all the traffic would be received by the proxy, and you need to intercept the traffic that needs to be inspected by the proxy (HTTP, HTTPS ports, etc.). This type of deployment is called transparent in-line deployment. This is why it has a single point of failure (once the proxy is down, the entire LAN to WAN traffic gets dropped unless the core switch's outside interface is manually connected to the perimeter device's inside interface).

Otherwise, you can use WCCP routing if your network contains a Cisco router that is capable of handling WCCP operations to route the traffic to the ProxySG inside.

If the users need to be authenticated by the ProxySG, you would need to set up an LDAP realm if you have a dedicated LDAP server, and a web authentication layer is to be added in the ProxySG VPM to ask the users for authentication.

For the Websense part, get the Websense URL filter database downloaded to your local server in the inside network and create an FTP link or URL for accessing the DB. Then add it under the local database in the ProxySG web management console and check for updates on a daily basis. (Probably you can contact the vendor to check the compatibility for integration, since Forcepoint LLC is the vendor managing Websense now.)

Good Luck For Your Deployment !
cciedreamer (Author) commented:
"For the Websense part, get the Websense URL filter database downloaded to your local server in the inside network and create an FTP link or URL for accessing the DB. Then add it under the local database in the ProxySG web management console and check for updates on a daily basis. (Probably you can contact the vendor to check the compatibility for integration, since Forcepoint LLC is the vendor managing Websense now.)"

I suppose Bluecoat will not work this way.

We are a large enterprise; hence, is it best to configure explicit or transparent?
If I configure explicit, maybe some applications will not work as they do not understand the proxy.
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
If you require a URL filtering DB that needs no license, you can use the IWF (Internet Watch Foundation) database integrated into the ProxySG.

For an ideal solution, considering the user number, robustness and failover options, I would recommend using explicit mode deployment. If any application is not able to understand the proxy, you can either create rules to bypass the traffic from the ProxySG, or create rules and log the transactions in the perimeter device to access them directly through the ISP, which would be the recommended solution.
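As an added example (not from the thread or from Blue Coat), this is what the PAC file mentioned for the explicit-mode deployment and the bypass rules for proxy-unaware applications look like together. The proxy names and port, the internal domain and the bypass host are assumptions; it uses plain string operations instead of the PAC built-ins (isInNet, dnsDomainIs) so it also runs outside a browser.

```javascript
// Added example, not from the thread: a PAC file for the explicit-mode design.
// Proxy names/port, the internal domain and the bypass host are assumptions.
// Written with plain string operations instead of PAC built-ins (isInNet,
// dnsDomainIs) so it also runs outside a browser.
var PROXIES = "PROXY sg1.corp.example:8080; PROXY sg2.corp.example:8080"; // two hypothetical ProxySGs
var INTERNAL_DOMAINS = [".corp.example"];               // hypothetical intranet namespace
var APP_BYPASS_HOSTS = ["licensing.vendor.example"];    // hypothetical proxy-unaware application

// True for RFC 1918 addresses (10/8, 172.16/12, 192.168/16); hostnames return false
function isPrivateIPv4(host) {
  var p = host.split(".");
  if (p.length !== 4) return false;
  var a = parseInt(p[0], 10), b = parseInt(p[1], 10);
  if (isNaN(a) || isNaN(b)) return false;
  return a === 10 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

// True when host equals the domain (without its leading dot) or is a subdomain of it;
// the leading dot stops "notcorp.example" from matching ".corp.example"
function inDomain(host, domain) {
  return host === domain.substring(1) ||
    (host.length > domain.length && host.substring(host.length - domain.length) === domain);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";   // single-label intranet names
  if (isPrivateIPv4(host)) return "DIRECT";        // internal address space
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    if (inDomain(host, INTERNAL_DOMAINS[i])) return "DIRECT";
  }
  for (var j = 0; j < APP_BYPASS_HOSTS.length; j++) {
    if (host === APP_BYPASS_HOSTS[j]) return "DIRECT";
  }
  // Deliberately no trailing "; DIRECT": that fallback would let clients bypass
  // filtering unnoticed whenever both proxies are unreachable. Failover is the
  // second PROXY entry, and the firewall should block direct egress regardless.
  return PROXIES;
}
```

Hosts that go DIRECT still need a matching firewall rule at the perimeter; the PAC file only steers the browser, it does not enforce anything.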
cciedreamer (Author) commented:
I have come up with this design, please have a look and give your precious inputs.

Users  --- Bluecoat SG ---- Websense ---- Internet

Bluecoat will be deployed as explicit and will be configured with policies

If I need to add a DMZ, which design should be implemented?
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
That design looks perfect. You can keep the ProxySG appliance connected to the DMZ switch, and your edge firewall/router should be able to route the traffic to the proxy; from the proxy, all the internet traffic should be allowed. So, all the internet connections should reach the proxy first, and the proxy establishes a new connection to the Internet.

If Websense is an appliance, you can also connect it to the DMZ switch, and the proxy will be able to fetch the DB since it lies in the same security level in the DMZ.

The connection flow would be like:

User -> Firewall (Allow Inside To DMZ) -> DMZ Proxy -> Firewall (Allow DMZ To Internet/Untrust) -> Internet Websites
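As an added example (not part of the thread), a first-match model of the firewall policy that this User -> Firewall -> DMZ Proxy -> Firewall -> Internet flow implies, with a check of the property the design relies on: users can reach the Internet only through the proxy. Zone address ranges, the proxy IP and its listener port are assumptions.

```javascript
// Added example, not from the thread: a first-match model of the two firewall
// rules the DMZ proxy flow needs. Zone ranges, proxy IP and port are assumptions.
var PROXY_IP = "172.16.50.10";   // hypothetical ProxySG address in the DMZ
var PROXY_PORT = 8080;           // hypothetical explicit proxy listener

// Zone membership by address prefix (simplified; a real firewall uses interfaces/routes)
function zoneOf(ip) {
  if (ip.indexOf("10.") === 0) return "inside";
  if (ip.indexOf("172.16.50.") === 0) return "dmz";
  return "untrust";
}

// Rules are evaluated top to bottom; the first match wins. Omitted fields match anything.
var RULES = [
  { name: "inside-to-proxy", from: "inside", to: "dmz", dst: PROXY_IP, ports: [PROXY_PORT], action: "allow" },
  { name: "proxy-to-web", from: "dmz", to: "untrust", src: PROXY_IP, ports: [80, 443], action: "allow" },
  { name: "default-deny", action: "deny" }
];

function ruleMatches(rule, flow) {
  if (rule.from && rule.from !== zoneOf(flow.src)) return false;
  if (rule.to && rule.to !== zoneOf(flow.dst)) return false;
  if (rule.src && rule.src !== flow.src) return false;
  if (rule.dst && rule.dst !== flow.dst) return false;
  if (rule.ports && rule.ports.indexOf(flow.dport) === -1) return false;
  return true;
}

// Returns "action:rule-name" for the first matching rule
function evaluate(flow) {
  for (var i = 0; i < RULES.length; i++) {
    if (ruleMatches(RULES[i], flow)) return RULES[i].action + ":" + RULES[i].name;
  }
  return "deny:implicit";
}

// The property the design depends on: the proxy is the only path to the Internet,
// and users cannot reach anything on the proxy except its listener port.
function proxyIsOnlyEgress() {
  var user = "10.1.20.55", web = "203.0.113.10";   // constructed sample hosts
  return evaluate({ src: user, dst: PROXY_IP, dport: PROXY_PORT }) === "allow:inside-to-proxy" &&
         evaluate({ src: PROXY_IP, dst: web, dport: 443 }) === "allow:proxy-to-web" &&
         evaluate({ src: user, dst: web, dport: 443 }) === "deny:default-deny" &&
         evaluate({ src: user, dst: PROXY_IP, dport: 22 }) === "deny:default-deny";
}
```

Any DIRECT exception added to the PAC file for a proxy-unaware application needs its own narrowly scoped inside-to-untrust rule here, otherwise the default deny blocks it.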
cciedreamer (Author) commented:
Thanks. Much appreciated.
We are using Triton Websense installed on a Windows 2008 R2 Server.
Bluecoat and Websense will be two different boxes, so in your design where is Websense?

User -> Firewall (Allow Inside To DMZ) -> DMZ Proxy -> Firewall (Allow DMZ To Internet/Untrust) -> Internet Websites
Jeyaraj Kathiresan (Cyber Security Analyst) commented:
In that case, the Win 2008 R2 server can be connected either to the DMZ switch or to the management switch.

If the URL database is to be fetched by the ProxySG on a scheduled basis, it would query the Websense server periodically and update its local database. Here you can keep it under the management switch or the backbone.

If dynamic categorization/filtering (real time) of the website is required, keeping it under the same DMZ would be the best option.

You would require a web access layer in the Visual Policy Manager in the ProxySG admin panel to configure the content filtering. But the aforementioned traffic flow remains the same.