How can I differentiate user traffic from ProxySG administrative (client-less) traffic in a chained proxy environment?

Article ID: 169230

Products

Asset Management Solution Data Center Security Monitoring Edition ProxySG Software - SGOS

Issue/Introduction

In a chained proxy environment, how do I differentiate user traffic from the proxy's own client-less traffic on the downstream proxy? How can I collect a packet capture on a downstream proxy that has problems downloading the BCWF / CachePulse database or license updates?

Resolution

The solution is to redirect the administrative / client-less traffic through a separate forwarding port, so it can be told apart from user traffic by TCP port alone:

1. Ensure the administrative connections from the downstream proxy do not go direct. In the downstream proxy's GUI, select Configuration > Forwarding > Global Defaults and ensure the "Use forwarding for administrative downloads" option is enabled.

2. Assume the existing default forwarding policy forwards intercepted HTTP traffic to the upstream proxy on TCP port 8888:

create host "User_Traffics_Upstream_Proxy" 10.10.10.1 http=8888 ssl-verify-server=no proxy

<Forward>
forward("User_Traffics_Upstream_Proxy") forward.fail_open(yes)


3. Add an additional forwarding host and rule on the child (downstream) proxy that forwards only client-less traffic, on TCP port 8889:

create host "Clientless_Upstream_Proxy" 10.10.10.1 http=8889 ssl-verify-server=no proxy

<Forward>
has_client=no forward("Clientless_Upstream_Proxy") forward.fail_open(yes)


4. Intercept TCP port 8889 on the upstream ProxySG. In the upstream proxy GUI, go to Configuration > Services > Proxy Services > Standard > Explicit HTTP > Edit Service and add a new listener on port 8889. Any intermediate firewall must also permit this traffic.

5. Ensure the client-less rule is placed above the default forwarding rule: within a <Forward> layer the first matching rule wins, so the unconditional forward() rule would otherwise catch the client-less traffic as well. The resulting forwarding hosts / CPL are:

create host "User_Traffics_Upstream_Proxy" 10.10.10.1 http=8888 ssl-verify-server=no proxy
create host "Clientless_Upstream_Proxy" 10.10.10.1 http=8889 ssl-verify-server=no proxy

<Forward>
has_client=no forward("Clientless_Upstream_Proxy") forward.fail_open(yes)
forward("User_Traffics_Upstream_Proxy") forward.fail_open(yes)
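Once this policy is in place, a packet capture taken on the downstream proxy can be split into user and client-less flows purely by destination port. The following is an added example, not part of the article or of SGOS: it builds a small constructed pcap inline (the upstream address 10.10.10.1 is from the article; the client addresses and port 443 flow are constructed) and counts TCP packets per class, 8888 for user traffic and 8889 for client-less traffic.

```python
import socket
import struct

# Forwarding ports from the article: user traffic -> 8888, client-less -> 8889.
PORT_CLASSES = {8888: "user", 8889: "clientless"}


def build_tcp_frame(src_ip, dst_ip, sport, dport):
    """Minimal Ethernet/IPv4/TCP SYN frame (constructed test data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a libpcap file (little-endian, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def classify_pcap(data):
    """Count TCP packets per traffic class by destination port; returns a dict of counts."""
    counts = {"user": 0, "clientless": 0, "other": 0}
    offset = 24  # skip the pcap global header
    while offset + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 38 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        if frame[23] != 6:
            continue  # not TCP
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        counts[PORT_CLASSES.get(dport, "other")] += 1
    return counts


def demo_counts():
    """Constructed capture: two user flows, one client-less flow, one direct port-443 flow."""
    frames = [
        build_tcp_frame("192.0.2.10", "10.10.10.1", 40001, 8888),
        build_tcp_frame("192.0.2.11", "10.10.10.1", 40002, 8888),
        build_tcp_frame("192.0.2.1", "10.10.10.1", 40003, 8889),
        build_tcp_frame("192.0.2.1", "203.0.113.5", 40004, 443),
    ]
    return classify_pcap(build_pcap(frames))


if __name__ == "__main__":
    print(demo_counts())  # {'user': 2, 'clientless': 1, 'other': 1}
```

The same split on a real capture is the Wireshark display filter `tcp.port == 8889` or the tcpdump filter `tcp port 8889`; any packet in the "other" class indicates a flow that bypassed forwarding.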