SGOS 3, 4 Series
Proxy Chaining
What is Proxy Chaining?
The Blue Coat ProxySG provides the basis for a robust and flexible proxy solution. In addition to web policy management, content filtering, ad blocking and web content virus scanning for network protection, companies can implement a proxy hierarchy, enabling networks to scale their remote locations infrastructure. The feature known as Advanced Forwarding enables the Blue Coat ProxySG to implement a proxy hierarchy. Coupled with powerful caching, the Blue Coat secure proxy appliance provides organizations with a best-of-breed solution to leverage their network.
Why implement Advanced Forwarding with Blue Coat?
Advanced Forwarding with the Blue Coat ProxySG provides flexibility for network administrators when defining scalable proxy hierarchy designs. The following key features can be implemented:
• Forwarding to an upstream ProxySG based on domain, URL, or IP address
• Load balancing of multiple upstream ProxySG appliances
• L3, L4 and L7 health checks of the upstream ProxySG appliances
How to Implement Advanced Forwarding?
The following network designs can be implemented:
1 Forwarding to single upstream ProxySG
2 Forwarding to a group of upstream ProxySG appliances with load balancing
3 Defining a Health Check on the upstream ProxySG
There are three steps to implement Advanced Forwarding for each of these designs:
1 Configure Advanced Forwarding hosts
2 Verify your configuration
3 Test the configuration
Technical Brief: Proxy Chaining
Forwarding to a single upstream ProxySG
The following diagram represents the network layout of this solution.
[Diagram labels: Internal Network, Local ProxySG, Forwarding to ProxySG, Central ProxySG, Internet, Web Server]
Step 1 – Configuring Advanced Forwarding Host
Connect to the command line interface (CLI) of the ProxySG using a Telnet or SSH terminal and type:
enable
<enter your enable password> (by default admin)
conf t
forwarding
create <proxyalias> <ip address of the upstream proxysg> http=<proxy port> proxy
This will forward all the requests from the Local ProxySG to the Central ProxySG.
Step 2 – Verify your configuration
Via the CLI, type:
show forwarding
The following should be displayed on your screen:
195.149.44.49 - Blue Coat SG110#(config forwarding)show for
download-via-forwarding: enabled
Connection attempts to forwarding hosts fail: closed.
Forwarding Groups: (* = host unresolved)
No forwarding groups defined.
Individual Hosts: (* = host unresolved)
parent-proxy 195.149.44.102 http=80 default
Load balancing hash: domain
Load balancing method: no
Host affinity method (non-SSL): no
Host affinity method (SSL): no
Host affinity timeout: 30 minutes
In this example the local ProxySG is 195.149.44.49 and the upstream ProxySG is 195.149.44.102 with the name upstreamproxy.
Step 3 – Test your configuration
To validate that proxy chaining is working, enable URL logging by going to the Blue Coat management interface and typing:
Blue Coat Management GUI | Access Logging Category | Default Facility | check Squid facility
Now, look at the Appliance’s current logs by typing the following:
Blue Coat Statistics GUI | Access Logging category | Log Facility tab | Select Main
Observe the last couple entries so you can recognize the fields
DEFAULT_PARENT/UpstreamSecurityGatewayIPAddress
Forwarding to a group of upstream ProxySG
The following diagram presents the network layout of this solution.
[Diagram labels: Internal Network, Local ProxySG, Forwarding to ProxySG, Central ProxySG, Internet, Web Server]
Step 1 – Configuring Advanced Forwarding Host
Connect to the CLI of the ProxySG using a Telnet or SSH terminal and type in:
enable
<enter your enable password> (by default admin)
conf t
forwarding
create <parent1> <ip address of the upstream proxysg1> http=<proxy port> group=group1 proxy
create <parent2> <ip address of the upstream proxysg2> http=<proxy port> group=group1 proxy
Note: by default the load balancing mechanism is a hash based on the domain. This can be modified via the following CLI command:
load-balance hash <url|domain>
Or
load-balance <least-connections|round-robin>
Step 2 – Define the forwarding Policy
Launch the VPM and create a forwarding layer
Select the Action, right click, select SET, then NEW, and finally Select Forwarding
Then click Use Forwarding and select the configured group name – in our example, group1
Click OK twice and then Install
Step 3 – Test your configuration
To validate that Proxy Chaining is working, enable URL logging
Blue Coat Management GUI | Access Logging Category | Default Facility | check Squid facility
Look at the Security Appliance’s current logs
Blue Coat Statistics GUI | Access Logging category | Log Facility tab | Select Main
Observe the last couple entries so you can recognize the fields
DEFAULT_PARENT/UpstreamSecurityGatewayIPAddress
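The log check in Step 3 of both forwarding designs can be automated. The following is an added example, not part of the original brief or Blue Coat's tooling: it assumes the log lines follow the Squid native access-log layout, in which the ninth field is the hierarchy code and peer, and it uses constructed sample lines. Only the upstream address 195.149.44.102 is taken from the brief.

```python
# Added example: audit Squid-format access log lines for the forwarding decision.
# Assumption: Squid native layout, where field 9 is "<hierarchy code>/<peer>".
from collections import Counter

# Constructed sample lines (not real ProxySG output); the last one is damaged.
SAMPLE_LOG = """\
1245830400.101 52 10.1.1.20 TCP_MISS/200 5120 GET http://www.example.com/ - DEFAULT_PARENT/195.149.44.102 text/html
1245830401.330 12 10.1.1.21 TCP_HIT/200 880 GET http://www.example.com/logo.gif - NONE/- image/gif
1245830402.007 90 10.1.1.20 TCP_MISS/200 7410 GET http://www.example.org/ - DIRECT/www.example.org text/html
1245830403.512 61 10.1.1.22 TCP_MISS/503 0 GET http://www.example.net/ - DEFAULT_PARENT/192.0.2.9 -
this line is truncated
"""

def audit_forwarding(log_text, allowed_parents):
    """Classify each request by where the local proxy sent it."""
    counts = Counter()
    findings = []  # (line number, client, url, reason)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 10 or "/" not in fields[8]:
            counts["unparsed"] += 1
            continue
        client, url = fields[2], fields[6]
        code, peer = fields[8].split("/", 1)
        if code == "NONE":
            counts["served_locally"] += 1  # answered from cache, nothing forwarded
        elif code.endswith("PARENT") and peer in allowed_parents:
            counts["via_parent"] += 1
        elif code.endswith("PARENT"):
            counts["unexpected_parent"] += 1
            findings.append((lineno, client, url,
                             "parent %s is not a configured upstream" % peer))
        else:
            counts["bypassed"] += 1
            findings.append((lineno, client, url,
                             "%s to %s, parent not used" % (code, peer)))
    return counts, findings

if __name__ == "__main__":
    counts, findings = audit_forwarding(SAMPLE_LOG, {"195.149.44.102"})
    print(dict(counts))
    for finding in findings:
        print("line %d: %s requested %s (%s)" % finding)
```

For a forwarding group, pass the addresses of every member of the group as `allowed_parents`.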
Defining Health Check on the upstream ProxySG
The following diagram presents the network layout of this solution.
[Diagram labels: Internal Network, Local ProxySG, Forwarding to single ProxySG, Health Check performed by local ProxySG, Central ProxySG, Internet, Web Server]
Step 1 – Configuring Health Check for an existing
Connect to the CLI of the ProxySG using a Telnet or SSH terminal and type in:
enable
<enter your enable password> (by default admin)
conf t
health-check
forwarding type http http://www.yahoo.com
This will forward all the requests from the Local ProxySG to the upstream ProxySG. Moreover, the local ProxySG will request http://www.yahoo.com and expects to get a response back to consider its upstream ProxySG available. If the upstream ProxySG responds with a 503 Unavailable code, it will be considered as down, because this means that the upstream ProxySG cannot retrieve http://www.yahoo.com.
Step 2 – Verify your configuration
Via the CLI, type:
show health-check
The following will be displayed:
195.149.44.49 - Blue Coat SG110#(config health-check)show healthchecks
Forwarding Global Health Check Settings:
Enabled - yes
Type - http
Object - http://www.yahoo.com
Interval (in seconds) - 60
Failcount - 5
SOCKS Gateways Global Health Check Settings:
Enabled - yes
Type - Layer-4
Interval (in seconds) - 60
Failcount - 5
Forwarding Health Check Statistics
IP Address      Port   Successes   Failures   Current State
195.149.44.2    8080   10          0          Up
195.149.44.3    8080   10          0          Up
In this example the local ProxySG is 195.149.44.2 and the upstream ProxySG is 195.149.44.3.
The upstream ProxySG is available.
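How the Interval and Failcount settings interact can be seen in a small model. This is an added example, not Blue Coat's implementation: it assumes failures must be consecutive to reach Failcount, that one good probe restores "Up", and that any HTTP status other than 503 counts as a response; the probe history is constructed.

```python
# Added example: model of the forwarding health check described above.
# Assumptions (not from the brief): failures must be consecutive to reach
# Failcount, one good probe restores "Up", and any HTTP status other than 503
# counts as "a response back". None stands for no response at all.
INTERVAL = 60   # seconds, from the "show health-check" output
FAILCOUNT = 5   # from the "show health-check" output

def probe_failed(status):
    """A probe fails on no response or on 503 from the upstream proxy."""
    return status is None or status == 503

def track_state(probe_results, interval=INTERVAL, failcount=FAILCOUNT):
    """Return [(seconds, state)] for each Up/Down transition."""
    state, failures, transitions = "Up", 0, []
    for n, status in enumerate(probe_results):
        t = n * interval
        if probe_failed(status):
            failures += 1
            if state == "Up" and failures >= failcount:
                state = "Down"
                transitions.append((t, state))
        else:
            failures = 0
            if state == "Down":
                state = "Up"
                transitions.append((t, state))
    return transitions

# Constructed probe history: a brief blip, then an outage, then recovery.
HISTORY = [200, 503, 503, 200, 503, None, 503, 503, 503, 503, 200]

if __name__ == "__main__":
    for seconds, state in track_state(HISTORY):
        print("t=%4ds upstream marked %s" % (seconds, state))
```

In this model the outage that starts at t=240s is only acted on at t=480s, and because the probe object is an external site, an outage of that site looks the same to the local ProxySG as a failed upstream.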
Conclusion
The ProxySG can be configured to use advanced forwarding which allows a security administrator to create a hierarchy of appliances to provide services at all levels of a company’s infrastructure.
Copyright © 2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, ProxyClient and BlueSource are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.
v.TB-PROXY_CHAINING-v3-0609
Blue Coat Systems, Inc. www.bluecoat.com
Corporate Headquarters: Sunnyvale, CA USA // +1.408.220.2200
EMEA Headquarters: Hampshire, UK // +44.1252.554600
APAC Headquarters: Hong Kong // +852.3476.1000