What Are The Steps Required To Move From an Explicit to a Transparent Deployment?

book

Article ID: 170590

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

The customer has a a Proxy SG that is currently in and explicit deployment and they would like to transition to a transparent deployment.

Resolution

1.  You can leave all explicit configuration and policy in place
 
2.  Under configuration, services, proxy services ensure that at least the external http service is set to intercept. If the service is not present you can create it. 
Set https service to intercept if you plan to create policy for this protocol as well.  You do not need to enable protocol detection on either of these services.
 
3.  If you will be authenticating your user traffic follow the documentation link to set up components to support transparent authentication
https://support.symantec.com/en_US/article.TECH242153.html              
 
4.  Configure rule in web authentication layer with the proper authentication mode.  Review the following documentation for more on authentication modes.
https://support.symantec.com/en_US/article.TECH242539.html              
 
5.  If you are going to be using WCCP add the WCCP configuration to the proxy SG. You can perform this step and leave the WCCP service group disabled until it is needed.
https://support.symantec.com/en_US/article.TECH242539.html              
 
6.  If moving from explicit deployment to a true transparent inline deployment you may need to have a maintenance window as this change may interrupt some user traffic.
Once the device has been moved inline the policies, authentication, and filtering can be tested.
 
If moving from an explicit to WCCP deployment you can configure the access list on the WCCP device to only forward traffic from a limited number of host machines to test before moving the entire organization to the new deployment.
 
7.  Once all user traffic has been moved to the new deployment the explicit services can be set to bypass or they can be left at intercept to be used by SG administrators for testing purposes
All rules in the web authentication layer used for explicit users can be removed.
 
8.  If using the GRE version of WCCP please obtain a copy of the GRE calculator spreadsheet from your SE or TSE.
https://support.symantec.com/en_US/article.TECH241738.html