How to bypass a Proxy in an Explicit environment

book

Article ID: 166321

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

You would like to bypass the ProxySG in an Explicit deployment due to troubleshooting, testing or outage.
In a Transparent environment, to bypass a specific IP (source or destination) we can add those IPs to the Static bypass list (See: TECH248740). Unfortunately, in an Explicit deployment, we cannot use this list.
 
Due to the Explicit architecture, the bypass decision must be made before the proxy, and not on the proxy itself. This is because the Explicit clients request goes to the IP of the proxy as their destination IP, while the real destination is hidden within the packet itself, meaning the proxy must intercept the packet to be able to determine where it should go, whereas in a Transparent deployment, the destination IP the client requests is that of the OCS, thus the proxy doesn't need to intercept and inspect the contents of that packet, it can just ignore the specified traffic, sending it directly to the upstream.

Resolution

Some of the options available to perform the bypass before the proxy are the following:

  • You can edit the PAC file (if used).
  • Remove the proxy from the browser for testing purposes.
  • Edit the browser settings to bypass the Proxy for specific destinations. (Example: For IE, Edge and Chrome on Windows systems: Internet options > Connections > LAN Settings > under "Proxy Server", click on "Advanced", under "Exceptions", enter the IPs or hosts to be bypassed in the text box at the bottom, separated by ";").

Note:

After applying one of the options above, the traffic will go directly from the workstation to the Firewall or upstream device in the local environment. Make sure to have said device configured to accept this traffic, as in most of the Explicit environments the upstream is set up in a way that rejects all sources but the Proxy's IP.

Have in mind that the traffic may take a different physical route in your environment, thus if a problem in the upstream is suspected, this may skip the problematic device entirely, making it look like the proxy is at fault when it's in fact something else on the network. Verify the network path being followed with a tracert / traceroute from the client to make sure that all the same devices (but the proxy) are matched.