TCP Tunnel HTTP connections in Explicit deployments


Article ID: 169852


Products

ProxySG Software - SGOS

Issue/Introduction

In an explicit deployment, there is no way to completely bypass the proxy without creating exceptions in the browser or managing exceptions through a PAC file, as explained in article TECH241975.

For HTTPS traffic, Protocol Detection can be disabled instead. This tunnels the HTTPS connection rather than handing it to the SSL proxy engine for inspection. More information can be found in article TECH245661.

For HTTP traffic, there is a way to tunnel those requests without them being handled by the usual proxy engines (HTTP or SSL). This is useful when creating firewall rules that allow traffic from specific client IPs is undesirable, a common situation in explicit environments: because the proxy still intercepts the traffic rather than the client bypassing it through browser settings or a PAC file, the source IP of the outgoing packets remains the proxy's IP.

Resolution

1. Configure a new TCP Tunnel Proxy Service:

First, create a new service that listens for connections whose destination is the site to be tunneled. Each tunneled site is associated with its own non-standard port on the ProxySG.

  • In the Management Console, go to Configuration > Proxy > Proxy Services > New
  • Create a new service of type TCP Tunnel (any name and listening port can be used as long as the port is not already in use; this example listens on port 9999)

2. Create a forwarding host for the site:

For the proxy to send the request on to the destination server, the request must be forwarded. Otherwise, the proxy treats the destination as itself, since the client connected to the proxy's own IP and port. For this we create a forwarding host for www.example.com, which resolves to 93.184.216.34.

  • Go to Configuration > Forwarding > Forwarding Hosts > New
  • Create the new forwarding host pointing at www.example.com (the alias name can be different)

3. Configure Forwarding policy to send requests to the Forwarding Host:

The forwarding host is only used if policy selects it, so a forwarding rule is needed. This can be done in the Visual Policy Manager by creating a Forwarding layer rule with:

  • Destination set to Server Port 9999, which must be the same port specified for the TCP Tunnel service.
  • Action set to the forwarding host created in the previous step.

4. Create PAC file and point requests made to the chosen port:

After all of this is done, we can create our own PAC file. In this example, the PAC file sends requests for www.example.com to the proxy (IP 1.2.3.4) on port 9999, where they are TCP-tunneled, while all other requests go to the default explicit service on port 8080, which uses the HTTP proxy engine.


function FindProxyForURL(url, host)
{
    // Requests for the tunneled site go to the TCP Tunnel service on port 9999
    if ( shExpMatch(host, "www.example.com") ) {
        return "PROXY 1.2.3.4:9999";
    }
    // Everything else goes to the default explicit HTTP service
    return "PROXY 1.2.3.4:8080";
}
 
Once the PAC file is created and configured in the client's browser, requests to www.example.com are intercepted by the TCP Tunnel service and forwarded to the destination via the forwarding host, without passing through the HTTP proxy engine.
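The PAC file above covers a single site. The following is an added example, not part of the original article, that generalizes it to a table of tunneled sites, each on its own TCP Tunnel service port. The proxy IP 1.2.3.4 and the www.example.com:9999 mapping come from the article; legacy.example.net on port 9998 is a hypothetical second site. It also applies a check the single-host version lacks: only http:// URLs are sent to a tunnel port, because for an https:// URL the browser would send a CONNECT request to the tunnel, and a TCP Tunnel service passes those bytes to the origin server unchanged. The shExpMatch() shim exists only so the file can be exercised with node; browsers provide the real function.

```javascript
// Added example, not the article's own PAC file: a table-driven PAC that maps
// several tunneled sites to their TCP Tunnel service ports on the ProxySG.
// Proxy IP 1.2.3.4 and www.example.com:9999 come from the article;
// legacy.example.net:9998 is a hypothetical second site.
// Written in ES3-compatible JavaScript because some PAC engines (e.g. WinHTTP)
// do not support newer syntax.

var PROXY_IP = "1.2.3.4";
var DEFAULT_PROXY = "PROXY " + PROXY_IP + ":8080";   // default explicit HTTP service

// Client-side half of the per-site configuration: each entry needs a matching
// TCP Tunnel service, forwarding host and forwarding rule on the proxy.
// Keys are shExpMatch() patterns, so "*.example.com" would cover subdomains.
var TUNNELED_SITES = {
  "www.example.com": 9999,
  "legacy.example.net": 9998   // hypothetical second tunneled site
};

// Browsers supply shExpMatch(); this shim exists only so the file can be
// tested outside a browser (e.g. with node). Inside a real PAC sandbox the
// built-in is already defined and the shim is skipped.
if (typeof shExpMatch === "undefined") {
  var shExpMatch = function (str, shexp) {
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}

// Returns the tunnel port for this request, or null if it should use the
// default service. Only plain http:// URLs are tunneled: for an https:// URL the
// browser would send CONNECT to the tunnel port, and the TCP Tunnel service would
// hand those bytes to the origin server unchanged, so HTTPS to a tunneled host is
// left to the default service (where Protocol Detection can be disabled instead).
function tunnelPortFor(url, host) {
  if (url.substring(0, 5).toLowerCase() !== "http:") {
    return null;
  }
  for (var pattern in TUNNELED_SITES) {
    if (TUNNELED_SITES.hasOwnProperty(pattern) && shExpMatch(host, pattern)) {
      return TUNNELED_SITES[pattern];
    }
  }
  return null;
}

function FindProxyForURL(url, host) {
  var port = tunnelPortFor(url, host);
  if (port !== null) {
    return "PROXY " + PROXY_IP + ":" + port;
  }
  return DEFAULT_PROXY;
}
```

Every entry added to the table needs its own TCP Tunnel service, forwarding host and forwarding rule on the ProxySG (Steps 1 to 3 above); the PAC file only decides which proxy port the browser connects to. Because the tunnel forwards bytes without interpreting them, a wrong port mapping sends the request to a forwarding host that was never meant for that site, so the table and the proxy configuration should be kept in sync.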
 
