Symantec Web Gateway (SWG) - Best Practices: Proxy Mode

book

Article ID: 156685

calendar_today

Updated On:

Products

Web Gateway

Issue/Introduction

Symantec Web Gateway (SWG) has been deployed to run in Proxy or Proxy+Inline mode. The SWG proxy acts as a traditional FTP, HTTP/S and SOCKS proxy. This article covers the best practices when running in proxy mode.

Cause


 

Resolution

Networking settings

For proxy mode, separate management and inline networks are mandatory. Both interfaces must have internet access and be able to reach the relevant servers (Symantec ThreatCenter, configured DNS servers, LDAP server). Ping and Traceroute tools are available on the Network settings page to verify proper functionality.

SWG must be able to determine and identify all the internal hosts and generate reports accordingly. All internal networks must be declared under the Internal Network Configuration section (Administration > Configuration > Network).

Internal subnets that can only be reached via static routes must be added to the Static Route Configuration section and the option Apply Static Routes to Internal Hosts must be enabled.


Ports and performance

Two different proxies can be enabled in SWG when implementing proxy mode. The HTTP/S proxy and optionally, the SSL Deep Inspection proxy port.

By default, when enabling the HTTP/S proxy, port 8080 will be enabled.

When inspection of encrypted SSL content is required, the Enable SSL Deep Inspection option must be used. All the encrypted SSL traffic subject to content filtering must be directed to the SSL Port (default 8443) via browser configuration (see below)

 

Unsupported configurations and Limitations

SWG was not designed to act as a reverse proxy. When SWG is used in proxy mode, no other proxies should be involved downstream or upstream. Proxy chaining is not supported with SWG.

 

High Availability

Multiple SWG hosts can be deployed on the network to take advantage of multiple proxy instances. The failover logic can be configured via different browser configuration options (PAC files, WPAD, Active Directory)

 

DLP integration

SWG can easily integrate with Symantec DLP solutions to inspect traffic for data loss prevention when the traffic is handled by the proxy. To do this, use the option Enable DLP and enter the IP address and port of the DLP server. Multiple DLP servers can be included.

 

Botnet Detection

SWG will report and act only on traffic that is hitting the proxy port. To have a full view of internally-generated botnet traffic, tap mode is preferred.

 

Browser configuration

SWG is an explicit proxy. Browsers must be configured to use the SWG proxy. Each browser can be configured separately or the settings can be deployed using automation. Automation can be done via Group Policies on Active Directory, or the browsers can autoconfigure themselves via WPAD or PAC files.

If SSL Deep Inspection is going to be used, the proper certificate must be imported into the browsers as a Trusted Root Certificate Authority. This can also be achieved either manually or via automation.

 

Virtual Edition considerations

SWG VE mirrors the cabling logic from the hardware appliance. Please make sure the following steps are done:

1. Open the vSphere client and in the left-hand pane, right-click on the Symantec Web Gateway (SWG) instance and select edit settings
2. Scroll down to select Network adapter 2, then in the right pane uncheck both Connect and Connect at power on
3. Do the same thing for Network adapter 4
4. Save these settings by clicking OK
5. Request users clear their browser cache, and tests to verify performance has been restored.

 

Internal Resources

Symantec Web Gateway (SWG) - Best Practices: New Deployments

Increased Browse Time delays when users are directed through the Virtual Edition of Symantec Web Gateway 5. x in Proxy only mode

External Resources

Web Proxy Autodiscovery Protocol

Proxy Auto-config

How to Force Proxy Settings Via Group Policy

 

 

 

Attachments