WLC - Redirect Traffic to Web Proxy

Hi,
We need to create Guest WLAN on WLC 5508 which will be used for internet access only.
My questions are:
1. Is it possible to use our external web proxy server to authenticate users?
2. Can we also forward all traffic to the external web proxy to filter the websites that can be accessed (without configuring it on the browser)?
3. Can this be achieved using the L3 webauth?
Our topology:
WLC -- Switch -- ASA Firewall -- Internet -- External Web Proxy
We are using WLC as DHCP server for Guest WLAN with ASA Firewall as the gateway.
Any inputs and ideas are appreciated.
Many thanks.

Otiynomed,
I have come across this problem recently as well and ended up using an Internal DHCP server with Option 252 configured which will point Users towards our proxy for authentication. Unfortunately it isn't a perfect setup as the following issues occurred:
If using Option 252, make sure the wpad file has an internal re-direction for the virtual interface of your anchor controller to allow web-auth redirection otherwise devices will try to get to that address externally
Some devices don't support Option 252
You have to set the devices to 'auto proxy discover' whether Windows or Apple
If using devices running less than iOS 6 then embedding authentication in the proxy settings upon initial connection will still end up with users being prompted for HTTPS authentication constantly. HTTP traffic will work fine however.
Android devices don't like Option 252 and most of the applications don't work with authentication via a proxy except browsing
Alternatively, use web-auth but link it to an LDAP server or RADIUS server for authentication and use a transparent proxy. Problem solved

Similar Messages

  • Traffic move through Proxy Server in Production

    Hello,
    Internet
        |
    Internet Router
        |
    Internet switch
        |
    IPS
        |
    Firewall
        |
    IPS
    Inside ()---- Access-sw----------Core-SW------------DMZ
    This is my company network diagram. All data go through the firewall; the IPS is in inline mode on the access and core switch, and a static route is configured for the firewall. But management wants all inside traffic (NOC room, helpdesk team and third-party members) to pass via a proxy server that is connected to the core switch. Please, anybody, tell me how I can do this in a production environment and which type of changes I need to make on the access or core switch. They will use Squid for the proxy on a Linux server.

    WCCP can be used to redirect traffic to the proxy server. See below a configuration example:
    http://www.crypt.gen.nz/papers/cisco_squid_wccp.html
    Don't forget to rate all posts that are helpful by clicking on the stars below.

  • How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine

    We have a CFTV system running on Win2008R2 that listens on 4 sequential port numbers, and the last port is the web browser port number for management and viewing cameras.
    When we configure port 8077 in the software, it opens 8077, 8078, 8079 and 8080 and works with no problem.
    But...
    When we try to configure port 77 (and therefore 77, 78, 79 and 80), the application hangs and it seems not to be possible to configure it to use port 80.
    I could confirm, using NETSTAT, that the main CFTV application opens all required ports with no problem, but it only works on ports with a number different from "80", which is what I want, to make users more comfortable by avoiding having to type ":PORT_NUMBER"
    after the URL; it will be a more "elegant" solution to use the default port 80 for users' connections.
    The question is: How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine?
    May I use NETSH? (Based on the help, it can be used to do this, but on different machines, not the same one.)
    Is there a RELIABLE application, running as a service, that can do the port forward/redirect?

    Hi,
    I'm sorry to tell you that we can't redirect traffic from a port to another port on the same server itself. But we can do it with a router which is configured to port forward.
    By the way, according to your description, another program may use the port 80. Is there an IIS installed on the server? If it is necessary, you can consult your CFTV system vendor.
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP router ?

    Hello !
    I would like to use Cisco WSA as a web proxy in a transparent way (without any configuration in clients' web browsers), but I don't have a WCCP router. So, is it possible?
    If yes, how to do this ? 
    Thank you,
    Stephane Walker

    Hi Stephane
    The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by access list to WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to assure that proxy is listening on the port 80 and that HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well. 
    Sample configuration for Cisco router
    access-list 110 permit tcp any any eq www
    route-map proxy-redirect permit 10
    match ip address 110
    set ip next-hop xxx.xxx.xxx.xxx
    interface ethernet0/1
    ip policy route-map proxy-redirect
    xxx.xxx.xxx.xxx is the proxy IP in such case and access-list 110 defines web traffic (HTTP TCP/80) as interesting.
    The biggest disadvantage of such a solution is the lack of failure detection. If the proxy goes down for some reason, the router will keep redirecting the traffic, causing an internet access outage.
    Routers other than Cisco equipment should also have an option to configure policy based routing.
    /Artur
    Ps. It's not possible to place the WSA in-line between clients and the internet.

  • Steps to enable Web Proxy for https

    I have an S160 WSA and want to enable the Web service for http and https. I am using transparent mode with WCCP.
    This is part of the router configuration:
    ACL:
    access-list 110 permit tcp 192.168.80.0 0.0.7.255 any eq 80
    access-list 120 permit tcp 192.168.80.0 0.0.7.255 any eq 443
    ip wccp 97 redirect-list 110
    ip wccp 98 redirect-list 120
    interface FastEthernet0/0.380
    ip wccp 97 redirect in
    ip wccp 98 redirect in
    It is the same configuration for http and for https, but only http traffic is working. When I look at the logs in the WSA, it looks like it accepted connections for https.
    In Security Services -> Web Proxy it is enabled; when I put in port 443, I get an https error on the end user laptop; when I don't, it keeps trying and I get a timeout.
    I tried enabling the https proxy, but some sites (such as gmail) won't work with self-generated certificates.
    Would you please, list me the steps to enable Proxy services for https.
    Thanks!!!
    Sergio L.

    Hi Sergio,
    When WSA is configured as a transparent proxy, it also accepts explicit connections. So in order to test the HTTPS proxy, you can configure the client browser to explicitly use WSA as proxy and see if it is working before testing in transparent mode.
    When WSA is used as HTTPS proxy, it uses its self-generated certificate to encrypt the connection between itself and the client browser. Since this certificate is not trusted by browser, it'll throw SSL certificate error when connecting via WSA. In order to get rid of this error, download the self-generated certificate from WSA and install it in your browser as a trusted certificate. That should resolve SSL issue with gmail also.
    Hope this helps.
    Thanks,
    Chetan

  • Mac Adobe Flash Player not supporting Web Proxy Authentication

    Anyone else got an enterprise network where you use web proxies with web authentication and no traffic allowed out except through the proxies?
    You may need to be in the UK for this, but try accessing BBC iPlayer content - http://www.bbc.co.uk/iplayer - and you should discover that the content won't play. The error says "This content doesn't seem to be working. Try again later.". The content will never work, as the Mac version of Flash (currently 10.1.53.64) is not able to respond to web proxy authentication requests. The BBC use various streaming servers which are randomly selected when a user starts a stream, and they have no DNS, just IP addresses. They don't publish a list for security reasons. So it is almost impossible to exempt all their servers from authentication.
    I've logged a bug with Adobe. If you have this issue too, please add a comment and vote so that they can begin to grasp the impact of this problem:
    https://bugs.adobe.com/jira/browse/FP-5161

    I have the same issues in Australia trying to access flash content from the ABC website. The strange thing is the content will play if you leave the browser open for 5 min.
    After several packet data captures we identified that it has to do with the amount of time it takes the Mac timeout from the proxy before it plays the video content.
    No solution yet.

  • Web Proxy Server Load Balancing

    I deployed Sun Java Web Proxy Server 4.0 as a Reverse Proxy. I would also like to use it as a load balancer. As per the instructions, I configured the obj.conf file as shown below
    Route fn="set-origin-server" server="https://xx.xx.xx.xx" server="https:yy.yy.yy.yy" sticky-cookie="JSESSIONID" sticky-param="jsessionid" route-hdr="Proxy-jroute" route-cookie="JROUTE" rewrite-host="true" rewrite-location="true" rewrite-content-location="true"
    But, it is not doing load balancing. It always sends to the first server (xx.xx.xx.xx). I guess that is because I used mapping as follows:
    NameTrans fn="reverse-map" from="https:xx.xx.xx.xx" to="https://server.net" rewrite-location="true" rewrite-content-location="true"
    NameTrans fn="redirect" from="http://server" url="https://xx.xx.xx.xx"
    NameTrans fn="map" from="https://server" to="https://xx.xx.xx.xx" rewrite-host="true" name="pa-server-farm1"
    NameTrans fn="map" from="/" to="https://xx.xx.xx.xx" rewrite-host="true" name="pa-server-farm1"
    PathCheck fn="url-check"
    ObjectType fn="block-ip"
    ObjectType fn="cache-enable" cache-auth="1" cache-https="1" query-maxlen="0" min-size="0"
    Service fn="proxy-retrieve"
    I don't understand how routing and mapping work together. Any help in this regard is appreciated.

    Motor,
    the following is from the Web Proxy Server Administration guide. Please check the last paragraph for the explanation. Anyhow, the problem is simple. I am using the Proxy Server as the reverse proxy. And at the same time, I would like to use two origin servers (for load balancing) instead of one. How do I make both load balancing and reverse proxy functions work together?
    Thanks
    To Create Regular or Reverse Mapping
    Access the Server Manager, and click the URLs tab.
    Click the Create Mapping link.
    The Create Mapping page is displayed.
    In the page that appears, provide the source prefix and source destination for the regular mapping,
    for example,
    Source prefix: http://proxy.site.com
    Source destination: http://http.site.com/
    Click OK.
    Return to the page and create the reverse mapping, for example,
    Reverse mapping:
    Source prefix: http://http.site.com/
    Source destination: http://proxy.site.com/
    To make the change, click OK.
    Once you click the OK button, the proxy server adds one or more additional mappings. To see the mappings, click the View/Edit Mappings link. Additional mappings would be in the following format:
    from: /
    to: http://http.site.com/
    These additional automatic mappings are for users who connect to the reverse proxy as a normal server. The first mapping is to catch users connecting to the reverse proxy as a regular proxy. The "/" mapping is added only if the user doesn't change the contents of the Map Source Prefix text box provided automatically by the Administration GUI. Depending on the setup, usually the second mapping is the only one required, but the extra mapping does not cause problems in the proxy.

  • How would a corporation deploy Sun ONE Web Proxy Server?

    A corporation should deploy Sun ONE Web Proxy Server at the following key places:
    * The Internet gateway: Sun ONE Web Proxy Server deployed just behind the firewall facilitates access to the Internet and reduces response times and communications expense.
    * Major sub-network connections: Marketing, Sales, Product Development, Human Resources, and Finance departments might have their own subnetworks. A Sun ONE Web Proxy Server deployed at each subnet can reduce traffic on the corporate backbone.
    * Remote offices that are disconnected from the internal network: Sun ONE Web Proxy Server can provide a quick mechanism for replicating content when necessary, providing better company integration and increasing network performance without large capital and communications expense.
    * Internationally: Outside the United States, communications bandwidth is typically much more expensive, making Sun ONE Web Proxy Servers even more cost effective. Every international office can make use of a Sun ONE Web Proxy Server.
    * Outside the firewall as a Web server substitute in reverse proxy configuration: This protects information on the secure Web server behind the firewall and offers load balancing via caching.

    http://wwws.sun.com/software/download/products/3ef1fcb5.html
    If you wait for a week or so, SP4 will also be there.
    Maneesh

  • Sun access manager 7.1 + sun web proxy server 4

    Hi all,
    we have installed policy agent 2.2 on the web proxy server 4.0.5, and AM is installed on another machine with version 7.1.
    We are trying to protect a Java application.
    ex:// http://stonycarter.com:9080/med
    When we hit this URL we get redirected to AM for login, and after login we get a page not found error and it never takes us to the application page.
    Please let us know how to configure the application, i.e. how to achieve the above task.

    Hi,
    Here is what I found out
    2008-06-14 18:26:12.432 Debug 4655:f4fb88 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for
    GET action by user SMHOM0690 to resource https://beta.stonycarter.com:443/med/.
    2008-06-14 18:26:12.432 Info 4655:f4fb88 PolicyAgent: am_web_is_access_allowed()(https://beta.stonycarter.com:443/med/, GET) returning status: access denied.
    2008-06-14 18:26:12.432 Debug 4655:f4fb88 PolicyAgent: validate_session_policy() access denied to SMHOM0690
    2008-06-14 18:26:12.433MaxDebug 4655:f4fb88 PolicyAgent: am_web_get_url_to_redirect(): goto URL is https://beta.stonycarter.com:443/med/
    2008-06-14 18:26:12.433 Info 4655:f4fb88 PolicyAgent: do_redirect() Status code= access denied.
    2008-06-14 18:26:12.433MaxDebug 4655:f4fb88 PolicyAgent: validate_session_policy(): Completed handling request with status: access denied.
    Please suggest a solution.

  • Safari 3.x (Leopard) and Web Proxy Server Problems:

    I have a Squid proxy server running on Linux. Users' web traffic is directed through it via a WPAD server which hosts a simple PAC file. The PAC file is very clean and small. It basically points all external (Internet) web traffic to our proxy server. All of our Windows, Linux and Tiger clients work fine. However, Leopard (Safari 3.x) doesn't work quite right. Here's what happens:
    Mac user logs into a Leopard 10.5 Mac. User launches Safari and tries to go to an external (Internet) site. The WPAD server is contacted and the Mac user is prompted to authenticate to the proxy server. This is totally normal behavior thus far. Then, however, every few minutes the Leopard Mac user will be prompted to authenticate again (sometimes 2 or 3 times in a row!). Firefox 2.0.x, when configured to use the WPAD/PAC server and proxy server, works fine in Leopard. Only Safari 3 in Leopard is having the problem.
    All the Macs (Tiger and Leopard) are configured to use the proxy server via OS X's Network Pref Pane (using the "Automatic Proxy Configuration"). Reminder: Tiger works fine (even with the Safari betas), but Leopard doesn't.
    I have attached our PAC file inline below (some things edited for privacy):
    // SIMR automatic configuration for Mozilla and friends
    // $Id: wpad.dat,v 1.8 2005/12/14 20:18:23 dct Exp $
    // Edit carefully, since many may be relying on this...
    function FindProxyForURL(url, host) {
        // Bypass the proxy for internal addresses (and for anything that is not plain HTTP)
        if (!url.match("http:")
            || url.match("http://127.0.")
            || url.match("http://10.")
            || url.match("http://192.168.")
            || isPlainHostName(host))
            return "DIRECT";
        // These are exceptions given in the IE config for Windows.
        if (host == "www.ncbi.nlm.nih.gov"
            || host == "chabry.caltech.edu"
            || host == "flybase.bio.indiana.edu"
            || host == "www.fedex.com"
            || host == "domain.org")
            return "DIRECT";
        // Everything else goes through the proxy
        return "PROXY <proxy server>:8080";
    }
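    The two PAC-related points raised above (the Option 252/WPAD advice that the anchor controller's virtual interface must be exempted so the web-auth redirect still completes, and the Leopard thread's hand-written PAC file) can be demonstrated in one worked PAC file. The block below is an added example, not the file posted in the thread and not Cisco or Squid code. The proxy address `proxy.example.net:8080`, the virtual-interface address `192.0.2.1` and the exempted domains are constructed placeholders; `isPlainHostName`, `dnsDomainIs` and `isInNet` are minimal stand-ins for the helpers every PAC runtime supplies, defined here only so the file can run and be checked under Node. `FindProxyForURL` itself uses only the standard PAC helper names.

    ```javascript
    // Constructed placeholders: replace with your own values before deploying.
    var PROXY = "PROXY proxy.example.net:8080";   // hypothetical filtering proxy
    var WEBAUTH_VIRTUAL_IP = "192.0.2.1";          // hypothetical WLC virtual-interface address
    // Leading dot on each suffix so that "notexample.org" does not match "example.org".
    var DIRECT_DOMAINS = [".intranet.example.net", ".example.org"];

    // ---- Stand-ins for PAC built-ins (browsers provide these; Node does not) ----
    function isPlainHostName(host) {
      return host.indexOf(".") === -1;
    }
    function dnsDomainIs(host, domain) {
      return host.length >= domain.length &&
             host.substring(host.length - domain.length) === domain;
    }
    function isIpv4Literal(host) {
      return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
    }
    function ipToInt(ip) {
      var p = ip.split(".");
      return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (+p[3])) >>> 0;
    }
    // The real isInNet resolves hostnames; this shim only handles dotted-quad literals.
    function isInNet(ip, net, mask) {
      if (!isIpv4Literal(ip)) return false;
      var m = ipToInt(mask);
      return (ipToInt(ip) & m) === (ipToInt(net) & m);
    }

    // ---- The PAC logic itself ----
    function FindProxyForURL(url, host) {
      host = host.toLowerCase();

      // 1. The controller's web-auth portal must be reachable without the proxy,
      //    otherwise the redirect to the login page never completes.
      if (host === WEBAUTH_VIRTUAL_IP) return "DIRECT";

      // 2. Unqualified names and loopback never leave the site.
      if (isPlainHostName(host) || host === "localhost") return "DIRECT";

      // 3. Literal private/loopback addresses are matched on the address with a mask,
      //    not on a string prefix, so "http://100.64.0.1" is not mistaken for "http://10.".
      if (isIpv4Literal(host)) {
        if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
            isInNet(host, "10.0.0.0", "255.0.0.0") ||
            isInNet(host, "172.16.0.0", "255.240.0.0") ||
            isInNet(host, "192.168.0.0", "255.255.0.0")) {
          return "DIRECT";
        }
      }

      // 4. Explicit exemptions by DNS suffix.
      for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
        if (dnsDomainIs(host, DIRECT_DOMAINS[i])) return "DIRECT";
      }

      // 5. Everything else, HTTP and HTTPS alike, goes through the proxy. There is
      //    deliberately no "; DIRECT" fallback: for a filtering proxy, an outage should
      //    fail closed rather than silently bypass the filter.
      return PROXY;
    }
    ```

    Two design choices differ from the posted file: HTTPS is sent to the proxy rather than matched as "not http:" and sent direct, which matters when the proxy is what enforces the guest filtering; and private ranges are tested with `isInNet` rather than `url.match("http://10.")`, since in that regex the dot matches any character and the prefix test also catches addresses such as 100.x.x.x that are not private.
    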

    I think I have a similar problem. I am a Mac connecting to an otherwise all PC school network.
    A new location with all correct proxies has been set up. However, Safari always crashes on first attempt to negotiate its way through our server to the internet. Internet explorer gets through because in its preferences it is possible to include the name of the school domain as well as my user name and password.
    We have been unable to find any way of including the domain name into Location in Network or into Safari.
    However, once Internet Explorer has negotiated with the server I can launch Safari and it works as normal.
    Safari/Network seems to lack this option of including a domain name that my PC server requires.
    Make sense to anyone?
    Worth mentioning that my copy of Internet Explorer (5.2) often crashes, but usually it has done its job by then. I quite like the concept of Internet Explorer sacrificing itself to clear a path for Safari.

  • Redirecting traffic on SunOne 6.1 SP4

    hi all,
    I've got a web server running SunOne 6.1 SP4, and I'm trying to figure out how to redirect traffic from 2 different locations.
    The web server is accessed both through the LAN and the Internet. How is it possible to redirect traffic coming from an internal IP to another internal IP and traffic from an external IP to an external IP?
    Currently I'm using the following in my obj.conf file, but this is redirecting all traffic to one location.
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="http://x.x.x.x/"
    </Client>
    How can I configure this to redirect traffic coming from the LAN (these come from a 10.1.x.x segment) to another internal IP and traffic coming from the web to another external IP?
    Any help on the matter would be highly appreciated.
    thanks and regards,

    To Documentation team,
    Here is what to do :
    update in http://docs.sun.com/app/docs/doc/820-1643/6nda4qg75?l=en&a=view#abvau
    Old Text :
    <Client ip="~192.85.250.*">AddLog fn="flex-log" name="access"</Client>
    New Text :
    <Client ip="*~192.85.250.*">
    AddLog fn="flex-log" name="access"
    </Client>
    Note that a * (asterisk) is required before ~ (tilde), and make these 3 separate lines.

  • HTTP failed - Transparent web proxy

    Hello,
    I developed an application with Flex 3 B1. It works at my home, but when I tried it in my office I sometimes get this type of message
    code:
    Channel.Call.Failed
    Message:
    error
    Detail:
    NetConnection.Call.Failed: HTTP: Failed
    Sometimes the application works, sometimes not... I think this is a web proxy problem. I called the person in charge of this, and according to him some programs cannot work with a transparent proxy.
    Does somebody have the same problem?
    Best regards,
    Marc

    Thank you Ken for your whitepaper.
    I read the configuration and it is mentioned that the IronPort and clients are not on the same interface (segment). I also read that the IronPort appliance and clients must be on the same ASA interface to avoid passing through the ASA itself again.
    Which of these two is right?
    In my architecture I'm not able to set the IronPort on the same interface as clients (2 different interfaces and subnets).
    I attached a document explaining the architecture.
    My bad, I saw that the WSA and clients are on the same ASA interface in the inside networks. Still, in my configuration is it possible to enable WCCP?
    I also saw that it is possible to implement a route-map which performs PBR by changing the next-hop IP for specific traffic, but this function is not available on ASA, as I heard. Can anyone confirm that?
    This message was edited by: Maxime GERGES

  • DirectAccess force tunneling - Web proxy (TMG) needs authentication

    Hello,
    I have deployed a DirectAccess 2012 server using computer certificate authentication. The clients are connecting to corporate resources over the WAN using DirectAccess. Forced tunneling is a requirement. DirectAccess is only configured for IPHTTPS using a single NIC behind a firewall.
    But there is a TMG web proxy in the corporate network that authenticates users. When these users connect over the Internet using devices that have DirectAccess enabled, they are not able to visit any sites, as TMG blocks the connection. In the TMG logs, I see that the reason it is dropping these web connections is because the traffic is coming from an 'anonymous' user, as per the logs.
    The proxy requires user authentication.
    Can someone please advise?
    Thanks in advance,
    SinghP80

    Yes I was able to resolve this by using the command below on the DA server:
    Set-DAClientDNSConfiguration -DNSSuffix '.' -ProxyServer ProxyFQDN:PortNumber
    Hope this helps you as well. Please let me know if it does.
    Regards,
    SinghP80

  • BB Link and McAfee Web Proxy

    I'm having an issue getting any BB10 device to connect to BB Link.
    I've managed to figure out the issue is related to McAfee Web Proxy that we use, since if I uninstall the software or allow it to be disabled for a period of time, I can connect the device without any issues.
    While I know the BB Link software has no options for proxy settings, I'm hoping someone would be able to help me figure out what sites the software tries connecting to, so I can bypass them and resolve my issue.
    Already tried talking to McAfee, but they won't help me as apparently they don't support smartphones/tablets, even though their software isn't running on any of those, but the Win7 computer with BB Link.
    Thanks!

    Hi ApolloX2,
    First of all, a few thoughts about the problem you're facing here
    1. Actually deciding if the server is not available is not an easy task: a server can be slow to process a request and send the answer but still be available. On the other hand, the server can answer, but return an error (anything from "410 Gone" to "500 Internal Server Error" to redirects). Did you consider all these cases?
    2. Detecting when/if all the resources on a page have been loaded is another hard to solve problem: there's no event on the HTMLLoader to signal when *all* content was successfully loaded, and the matter is even more complicated when you consider dynamically generated/loaded content via JavaScript/AJAX.
    Of course, things can be simplified if you don't want to load "free-form" (arbitrary) web content, but rather your application will load only content with a previously known structure/in a previously known setting. Either way, you'll still have to manually identify the resources you want to save and save them.
    If you have some prior info about what you're going to display (and save), you could parse the HTML loaded inside the HTMLLoader. The HTMLLoader object exposes the DOM nodes as dynamic properties. You can take a look at how that's done inside the AIRIntrospector framework that's shipped with the AIR SDK. You can find the source in SDK_PATH/frameworks/libs/air/AIRIntrospector.js .
    Hope this helps,
    Mihai

  • Web Proxy Authentication using Kerberos or NTLM - ForeFront TMG

    Hi All
    I was hoping someone would be able to guide me on addressing an issue I have with authenticating MACs against the web proxy. I have scoured the internet and looked on the forums but I can't seem to find a solution to the problem I am experiencing.
    Our network consists of an AD domain and a single TMG server 2010. The TMG server is enabled for integrated authentication for the Web Proxy. All the Macs have been added to the AD domain, so all users log on as themselves. Authentication to various shares is granted using Kerberos, so part of the Kerberos infrastructure works.
    My Problem:
    Currently, my Mac clients are prompted for a username and password when accessing the internet within Firefox and Camino. If I use Safari I have to enter my credentials twice, as the keychain saves my credentials separately for HTTP and HTTPS traffic.
    Ideal Solution
    Since a Kerberos ticket is issued to the user who has logged in by the domain controller, I would like to use Kerberos to authenticate the user for web access.
    What I've done so far
    There is a feature within the Firefox and Camino web browsers to enable trusted websites to use your Kerberos ticket. If you open Mozilla, navigate to about:config and look for 'network.negotiate-auth.trusted-uris' and add various internal sites (not proxy).
    The authentication works perfectly using Kerberos, as you can see the tickets that have been handed out using 'klist' and I'm not prompted for my username or password. If I disable it, it stops working and I am prompted for my username and password. I have tried typing in the proxy address, and also tried putting in the proxy port too, but with no success within the trusted-uris text field. Maybe there is a different way of putting in the address?
    I have enabled Kerberos on the computer account in AD for the firewall (Trust this computer for delegation to any service (Kerberos only)), but without any success. I must admit, I haven't rebooted the TMG server though.
    I hope someone can help me out, and really appreciate your time and support.
    Thanks
    Jamie

    Hi All
    I have resolved my issue. I added the SPNs HTTP/SERVERNAME and HTTP/IPADDRESSOFSERVER to the firewall computer account and replicated my changes, and now I have authentication working on my Macs without any username and password prompts, apart from the user logging into the domain. Beautiful.
    https://community.mcafee.com/docs/DOC-2682 - This detailed article from McAfee helped me significantly.
    Cheers Anyway,
    Jamie
