RE: Content engine and web clients separated by firewall

From: Scott Morris (swm@emanon.com)
Date: Mon Dec 13 2004 - 10:27:40 GMT-3


Due to this proxy effect, and essentially spoofing on behalf of the CE,
firewalls get really pissed about this activity... I tried playing around
with it for a while, and it was not functional in any sort of normal
implementation.

The best bet is to have the proxy/CE outside the firewall by the exiting
router if it is a transparent CE. If it's non-transparent, where your users
all point to the proxy server, then it shouldn't matter where you have it, as
the rules essentially change.

HTH,

 
Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
#4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP
Telephony Support Specialist, IP Telephony Design Specialist, CISSP
CCSI #21903
swm@emanon.com
 
 
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cheung Thomas
Sent: Monday, December 13, 2004 2:12 AM
To: ccielab@groupstudy.com
Subject: OT: Content engine and web clients separated by firewall possible?

Hi Group,

Sorry for the OT but I need help. A client wants to install a Cisco 500
series content engine as a transparent proxy. However, the web clients and
the engine are separated by a firewall. I checked the manuals and samples
and found that they put the clients and the engine on the same side. Also,
the WCCP router should be on the same side as the engine. So I don't know
whether the mentioned scenario is possible.
My concern is that when the web clients browse a page, they make a request
to the real IP of the web server. However, the content engine will actually
make the request on behalf of the clients. Then, it will return the page
to the clients. Thus, the firewall will see that the returned page has a
source address of the engine, not the real IP of the web server. And I
suspect the returned traffic will be blocked. Is this the case?
Could someone with similar experience help me? Thank you.

Regards,

Thomas
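The exchange above turns on how a stateful firewall matches return traffic against the flow it recorded. The following is an added example, not code from either poster and not Cisco's own logic: a toy Python model of a stateful firewall with a connection table keyed on the 5-tuple, run over the two placements discussed in the thread (a transparent content engine on the far side of the firewall whose replies carry the engine's own address, as Thomas describes, versus a non-transparent proxy that the browsers point at directly, as Scott describes). All addresses and ports are constructed for the example; the model ignores TCP sequence tracking and ingress interfaces that a real firewall may also check.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP/IP packet reduced to the fields a stateful filter keys on."""
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Constructed model of a stateful firewall: it permits new flows that
    originate on the inside network and permits replies only when they match
    the reverse tuple of a flow it already recorded."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix   # e.g. "10.0.0." marks the client side
        self.state = set()                   # (src, sport, dst, dport) of allowed flows
        self.log = []

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.log.append(f"ALLOW new outbound flow {pkt}")
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            self.log.append(f"ALLOW reply matching recorded flow {pkt}")
            return True
        self.log.append(f"DROP {pkt}: no matching state entry")
        return False


# Constructed addresses; none of these come from the thread.
CLIENT, CLIENT_PORT = "10.0.0.5", 40000
ENGINE = "192.0.2.20"            # content engine on the far side of the firewall
WEB_SERVER = "203.0.113.10"


def transparent_engine_beyond_firewall() -> tuple:
    """Thomas's scenario: the browser requests the real web server IP, the
    request crosses the firewall, and the engine answers from the far side
    with its own address as the source. Returns (request_ok, reply_ok)."""
    fw = StatefulFirewall("10.0.0.")
    request = Packet(CLIENT, CLIENT_PORT, WEB_SERVER, 80)
    reply_from_engine = Packet(ENGINE, 80, CLIENT, CLIENT_PORT)
    return fw.forward(request), fw.forward(reply_from_engine)


def explicit_proxy(proxy_ip: str) -> tuple:
    """Non-transparent proxy: the browser connects to the proxy's address
    directly, so the firewall records a flow whose reverse tuple the reply
    matches, whichever side of the firewall the proxy sits on."""
    fw = StatefulFirewall("10.0.0.")
    if fw.is_inside(proxy_ip):
        # Proxy on the client side: the firewall only sees proxy <-> server.
        request = Packet(proxy_ip, 50000, WEB_SERVER, 80)
        reply = Packet(WEB_SERVER, 80, proxy_ip, 50000)
    else:
        # Proxy beyond the firewall: the firewall only sees client <-> proxy.
        request = Packet(CLIENT, CLIENT_PORT, proxy_ip, 8080)
        reply = Packet(proxy_ip, 8080, CLIENT, CLIENT_PORT)
    return fw.forward(request), fw.forward(reply)


if __name__ == "__main__":
    print("transparent engine beyond firewall:", transparent_engine_beyond_firewall())
    print("explicit proxy on client side:     ", explicit_proxy("10.0.0.20"))
    print("explicit proxy beyond firewall:    ", explicit_proxy(ENGINE))
```

Running it shows the request being admitted and the engine's reply being dropped in the transparent case, while both explicit-proxy placements pass, which is the behaviour the two messages describe. A packet capture on the firewall's inside interface is the practical way to confirm which source address the returned pages actually carry in a given deployment.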



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:26 GMT-3